The United States Supreme Court recently issued its decision in Dobbs v. Jackson Women's Health Org., ––– U.S. –––, 2022 WL 2276808 (2022), overturning Roe v. Wade, 410 U.S. 113 (1973), and Planned Parenthood of Southeastern Pennsylvania v. Casey, 505 U.S. 833 (1992). In holding that the U.S. Constitution does not protect a right to abortion, the court “returned” regulating abortion to the individual states. Aside from the obvious systematic implications of the decision, Dobbs has now created various challenges for pharmaceutical retailers and their ability to comply with Health Insurance Portability and Accountability Act (“HIPAA”) privacy requirements.

Key Considerations for Pharmaceutical Retailers and Beyond

HIPAA is a comprehensive federal law that created national standards to prevent certain health information from being disclosed without a patient’s knowledge or consent.1 The US Department of Health and Human Services (“HHS”) issued regulations to implement HIPAA requirements, which are collectively known as the Privacy Rule, Security Rule, and the Breach Notification Rule.2 Although the Privacy Rule poses the most risk post-Dobbs, pharmaceutical retailers should still be mindful of the Breach Notification Rule, which may come into play if a covered entity discloses protected health information (“PHI”) without an adequate basis. The Privacy Rule sets forth standards on the use and disclosure of PHI by “covered entities.”3 PHI includes information that may be used to identify an individual (e.g., name, address, birth date, and Social Security Number) and relates to an individual’s physical or mental health or condition, the provision of health care to the individual, or payment for health care.4 Pursuant to the Privacy Rule, a covered entity may not use or disclose PHI except as permitted by the regulations.5

Such permitted disclosures, outlined in the regulations, include disclosures required by law, for law enforcement purposes, to avert a serious threat to health or safety, and for judicial and administrative proceedings.6 Many of these instances involve reporting crimes, threats to the health or safety of an individual, child abuse, and domestic violence and providing PHI to law enforcement to identify a fugitive. Id. In the wake of Dobbs, however, pharmaceutical retailers that fill prescriptions used to end a pregnancy might now be served with subpoenas, search warrants, or discovery requests from state or local prosecutors in states that ban abortion.7 Left at a crossroads, businesses may soon have to choose between complying with HIPAA or a subpoena. And importantly, businesses may also have to consider the additional risk of whether filling prescriptions such as misoprostol—which can also be used to treat stomach ulcers—would create exposure to civil or criminal liability.

Fortunately, however, on June 29, 2022, HHS’s Office of Civil Rights (“OCR”) released guidance that “[a]ddresses the circumstances under which the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits disclosure of [protected health information] without an individual's authorization[.]”8 OCR stated that, in the event a covered entity can disclose PHI, the Privacy Rule permits, but does not require, disclosure.9 Further, OCR emphasized that “required by law” is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.”10 Such disclosures must be limited to the relevant requirements of that law.11 OCR’s guidance also provided examples of situations in which providers may question their responsibility regarding protected health information, including if a provider suspects a patient has induced an abortion, if law enforcement requests patient information, and if a patient tells a provider they plan to seek an abortion elsewhere.

OCR Scenarios

Although OCR’s new guidance could help protect privacy rights in the short term, further clarification is needed. For instance, although OCR’s guidance limits the disclosures to a mandate “contained in law,” “enforceable in law,” and permits disclosure only “where the disclosure of PHI is limited to the relevant requirements of such law,” this still puts businesses in a position of having to conduct a case-by-case analysis of any incoming subpoenas, court orders, or warrants. And in cases where a subpoena isn’t signed by a judge of the court, although covered entities have the right to request assurances before turning over PHI, law enforcement agencies could forcefully compel businesses to comply. Without a formal rule codifying OCR’s June 29 guidance, or an objective standard created for responding to subpoenas or court orders, businesses are at risk of violating HIPAA.

Looking Ahead – Strategies During an Uncertain Time

While there is still uncertainty, pharmaceutical retailers can still plan ahead for responding to subpoenas requesting PHI. Notably, in cases where the subpoena or administrative request was signed by anyone other than a judge, HIPAA requires businesses to request “satisfactory assurance” from the party seeking the information.12 Thus, it is critical that businesses check the order first before turning over any PHI.

Data privacy laws will continue evolving in the aftermath of the Dobbs decision. Pharmaceutical retailers, and businesses generally, should start to consult with legal counsel to stay updated on the legal landscape and guidance before making decisions on the disclosure of PHI.