By: HUB’s EB Compliance Team

In response to the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization overturning Roe v. Wade, the Department of Health and Human Services has issued a reminder on the “required by law” and “law enforcement” exceptions to the Privacy Rule under the Health Insurance Portability and Accountability Act (“HIPAA”), including several scenarios that could occur in states with abortion restrictions or bans.  While the reminder is directed to health care providers, employers with health plans may find it instructive for their own understanding of HIPAA’s requirements.

Background

Under HIPAA, protected health information (“PHI”) generally must be kept private and not used or disclosed unless permitted by the HIPAA Privacy Rule.  HIPAA applies to group health plans in addition to providers and health care clearinghouses (collectively referred to as “covered entities”).  HIPAA also applies to their service providers who handle PHI, referring to those providers as “business associates.”

Recognizing that there are legitimate instances where PHI may need to be disclosed, HIPAA allows disclosures if required by law or for law enforcement purposes, among other limited exceptions.  Unless an exception applies, an individual’s PHI cannot be disclosed by a covered entity or business associate without that individual’s authorization.

Required By Law

The guidance reminds covered entities that HIPAA permits, but does not require, disclosure of PHI if required by law.  The key word here is “required” because HIPAA only allows the disclosure if a law that is enforceable in court mandates or compels a covered entity to disclose PHI.  In other words, a mere request from a government agency is not enough to allow a disclosure that’s “required by law.”  Nor would a disclosure be considered “required by law” where reporting is merely optional.  Instead, the law must actually force the covered entity to disclose.  Even then, the disclosure must be limited to what the law requires and nothing more.

Law Enforcement Purposes

Similarly, the law permits, but does not require, the disclosure of PHI for law enforcement purposes.  Such a disclosure could occur in response to a subpoena or warrant, for example.  Again, only the requested PHI, and nothing more, may be disclosed.

Therefore, a mere request by a law enforcement official is not enough to allow disclosure under HIPAA if unaccompanied by a court order or other similar mandate.  Even if the law enforcement official has a court order, the covered entity would be permitted, but not required, to disclose.

Conclusion

While this bulletin was issued specifically in response to Dobbs, the above reminders are generally helpful for employers with self-funded health plans subject to HIPAA.  Of course, in deciding whether to respond to requests for disclosures outlined above, sponsors of self-funded health plans should consider the ramifications of not complying with the applicable law in question, especially as state abortion laws change in response to Dobbs, and consult with experienced counsel. While HIPAA may not require the disclosure, other applicable state laws may impose fines, penalties, or even incarceration for failing to comply.

If you have any questions, please contact your HUB Advisor.

NOTICE OF DISCLAIMER

Neither Hub International Limited nor any of its affiliated companies is a law or accounting firm, and therefore they cannot provide legal or tax advice. The information herein is provided for general information only and is not intended to constitute legal or tax advice as to an organization’s or individual's specific circumstances. It is based on Hub International's understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect and Hub International does not have an obligation to update this information. You should consult an attorney, accountant, or other legal or tax professional regarding the application of the general information provided here to your organization’s specific situation in light of your or your organization’s particular needs.