In the wake of the recent U.S. Supreme Court decision to overturn Roe v. Wade—which held the Constitution does not protect abortion—hospitals are faced with critical departures from settled guidelines and practices when attempting to navigate their organization through the quagmire of competing rules and standards.[1]
Recently, the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) in an attempt to strengthen the HIPAA Privacy Rule protections by prohibiting the use or disclosure of protected health information (PHI) to investigate or prosecute patients, providers, and others involved in the provision of legal reproductive care, including abortion care.[2] The proposed rule would make any disclosure of PHI prohibited without the express permission of the patient. The new proposed rule attempts to prevent law enforcement from gathering any evidence of an abortion to hold a provider or patient criminally liable. Currently, HIPAA does permit a covered entity from disclosing PHI to law enforcement if there is a crime committed on the covered entity’s property.[3] In the case of an abortion, if a state prohibits it, the covered entity would have little persuasive standing to prevent the disclosure to law enforcement since a “crime” would be committed on the grounds of the covered entity.
Where are the landmines?
Impeding an investigation
Although the proposed rule is an attempt to insulate covered entities from the risks of performing medically necessary abortions, it still may not protect the providers from other unintended consequences and realities.
In many states, such as Missouri, any interference of an investigation or arrest can create a criminal charge for impeding an investigation even if the arrest or investigation is unlawful.[4] Although this does not prevent a civil suit for unlawful arrest, it is likely not to be successful because it is considered a crime in Missouri to perform an abortion without a “medical emergency,” which has no definition in the law.[5] A compliance professional is tested to determine the lesser of two evils. How does the compliance professional prevent an HHS Office for Civil Rights investigation and penalty for disclosure and at the same time watch their organization’s colleagues become criminally charged for following HIPAA guidance?
Medical malpractice exposure
Because some state laws are preventing the performance of an abortion without an actual emergency, it exposes providers to potential medical judgment that works outside the standard of care. For example, some physicians may interpret ectopic complications with pregnancy to be certain of an emergent need. Does your state require the emergency to occur or is the guarantee of a future emergency considered “emergent” under your state law? Since physicians are trained to treat conditions as they identify those conditions, it is counterintuitive to wait for treatment that a physician knows will become a problem later. Will the legal excuse of abortion limitations be enough to defend a medical malpractice case for failure to timely treat such a condition that the physician knew about but decided to defer until further harm may be incurred? How much of the medical record can you share without the fear of opening criminal liability to the physician and the patient to defend or the patient to prosecute their medical malpractice case even if disclosure is permitted by HIPAA?
