Confidentiality over Privacy

Introduction

Consider an individual who is approximately fifteen weeks pregnant and who wishes to obtain an abortion. Assume the individual’s primary care physician refers the individual to an obstetrician-gynecologist who performs a surgical abortion in a public teaching hospital.1 Further assume the state in which the abortion is performed makes the intentional or knowing performance of an abortion after fifteen weeks a felony, punishable by up to ten years in prison and fines not to exceed $100,000.2 Finally, assume that a conservative medical resident who trains in the hospital reports the abortion to the local sheriff’s office, disclosing the patient’s medical record as evidence of the perceived crime.3

Legal scholars who analyze fact patterns like this one tend to focus on whether the state law criminalizing the performance of the abortion violates a constitutional right.4 On June 24, 2022, however, the Supreme Court of the United States held in Dobbs v. Jackson Women’s Health Organization that the U.S. Constitution does not explicitly or implicitly establish a right to an abortion5 and that the issue should remain in the hands of state lawmakers.6 Given the Supreme Court’s holding in Dobbs, this Article argues that continued scholarly focus on constitutional rights to privacy in the context of abortion might be misplaced in the short term. Principles of confidentiality, on the other hand, may offer immediate and much-needed relief.

In the context of abortion, privacy may be defined as an individual’s interest in avoiding an unwanted governmental intrusion, including a state’s interference with an individual’s decision to terminate a pregnancy.7 In Dobbs, the Supreme Court focused on this general concept; that is, whether an abortion restriction (the Mississippi Gestational Age Act) impermissibly interfered with abortion decision making.8 Confidentiality, on the other hand, may be defined as the obligation of a healthcare provider or other data custodian to prevent the unauthorized use or disclosure of an individual’s identifiable health information, such as a medical record documenting the performance of an abortion.9 A related concept, the physician-patient privilege, prevents a physician from producing an individual’s abortion record during a judicial proceeding or giving testimony about an individual’s abortion unless the individual waives the privilege.10 This Article is the first to untangle the complex web of confidentiality and privilege laws that are implicated by the collection, use, disclosure, and sale of reproductive health information post-Dobbs. This Article also demonstrates how strong enforcement of certain confidentiality and privilege laws combined with straightforward amendments to others can create an effective constitutional stopgap.

This Article proceeds as follows: Part I describes common and anticipated fact patterns involving the collection, use, disclosure, and sale of reproductive health information. These fact patterns include voluntary and self-initiated disclosures of reproductive health information by healthcare providers to law enforcement;11 responsive disclosures of reproductive health information by healthcare providers in the context of court orders, party subpoenas, and discovery requests issued during judicial proceedings;12 required disclosures of reproductive health information by healthcare providers to state agencies pursuant to mandatory reporting laws;13 and the collection, use, disclosure, and sale of reproductive health information by individuals and institutions not regulated by traditional confidentiality laws.14 Part I applies existing health information confidentiality laws, including the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, state hospital licensing laws, state medical practice acts, state medical record privacy acts, state consumer data protection laws, recently introduced data protection legislation, and evidentiary privilege laws, to these fact patterns.15 Part I shows that, in some fact patterns, existing confidentiality laws already explicitly prohibit the unauthorized disclosure of reproductive health information.16 In other fact patterns, reproductive health records may be released, but the proper application of an evidentiary privilege or other rule of evidence should prohibit the records’ admission into evidence.17 In still other fact patterns, straightforward amendments to confidentiality and privilege laws can protect against the use or disclosure of reproductive health information in pregnancy outcome investigations and abortion prosecutions.18

Part II of this Article offers eleven concrete proposals that will create a post-Dobbs constitutional stopgap. These proposals involve: (1) vigorously enforcing existing health information confidentiality laws at the federal and state levels;19 (2) launching a “HIPAA Reproductive Health Information Initiative” that will commit the federal Department of Health and Human Services (HHS) and the Department of Justice (DOJ) to the prompt identification, investigation, and enforcement of HIPAA Privacy Rule violations in the context of reproductive health information;20 (3) publicizing HIPAA Privacy Rule provisions that allow any person, not just the patient who is the subject of the reproductive health information wrongly disclosed, to complain to the government;21 (4) promulgating regulations allowing private parties who assist HHS in identifying violations of the HIPAA Privacy Rule to receive a percentage of any settlement amount or civil money penalty imposed by HHS;22 (5) establishing a private right of action allowing patients harmed by violations of the HIPAA Privacy Rule to recover damages for breaches of confidentiality;23 (6) adopting regulations allowing HHS to exclude HIPAA-covered entities from the Medicare and Medicaid programs for violations of the HIPAA Privacy Rule;24 (7) extending regulations that provide heightened confidentiality protections to psychotherapy notes to reproductive health information as well;25 (8) imposing restrictions on court-ordered disclosures of reproductive health information;26 (9) clarifying some mandatory reporting laws and amending others;27 (10) encouraging judicial adherence to state evidentiary privileges in some states and amending evidentiary privileges in other states;28 and (11) enacting strong federal legislation that will regulate noncovered entities that collect, use, disclose, and/or sell reproductive health information.29 Part II of this Article explains each proposal and, when appropriate, offers draft text implementing each proposal. If followed by lawmakers, regulators, and judges, these proposals will discourage healthcare providers and other reproductive health data custodians from violating health information confidentiality. These proposals also will strengthen confidentiality and privilege protections available for reproductive health information, helping to level the reproductive rights playing field post-Dobbs.

Part III of this Article offers justification and context for the administrative, legislative, and judicial proposals identified in Part II.30 Part III shows how the proposals set forth in Part II are consistent with, and responsive to, requests and statements made by federal lawmakers, President Biden’s White House, the American College of Obstetricians and Gynecologists, and the Association of Prosecuting Attorneys.31 Part III concludes by arguing that reproductive health care, including abortion care, must remain a private medical matter.32 Prosecutors and other law enforcement officials must not be allowed into this domain.33

I. Fact Patterns and Legal Analysis

A. Voluntary, Self-Initiated Disclosures by Providers to Law Enforcement

The disclosure of reproductive health information without the prior authorization of the individual who is the subject of the information, including abortion information, occurs in a variety of ways. One fact pattern (e.g., State v. Herrera) involves a healthcare provider who voluntarily initiates a disclosure of reproductive health information to law enforcement without a prior request for such information from law enforcement. In Herrera, a worker at a Texas hospital voluntarily initiated a disclosure of the abortion information of a named patient, Lizelle Herrera, to the Starr County, Texas, Sheriff’s Department.34 Herrera had presented to the hospital requesting medical assistance following a self-induced abortion that occurred on or about January 7, 2022.35 Case documents and news reports do not clarify exactly why the hospital worker reported Herrera’s abortion to law enforcement, although it appears the worker incorrectly believed that Texas criminalized self-induced abortions and, therefore, that the worker had a legal obligation to report the abortion.36

Law enforcement took the report seriously, quickly launching an investigation. On March 30, 2022, a grand jury of Starr County indicted Herrera, alleging that she “intentionally and knowingly cause[d] the death of an individual . . . by a self-induced abortion.”37 On April 7, 2022, Texas police arrested and detained Herrera in a jail near the Texas-Mexico border on a $500,000 bail bond.38 Three days later, however, the District Attorney (DA) changed course, announcing that the case against Herrera would be dismissed.39 In his announcement, the DA explained that the Starr County Sheriff’s Department acted appropriately by investigating the incident brought to its attention by the hospital worker but that “Herrera did not commit a criminal act under the laws of the State of Texas.”40 Herrera did not commit a crime because then-current Texas law only prohibited a physician from performing an abortion on a pregnant woman,41 but did not prohibit a pregnant woman from self-inducing her own abortion.42

Although the abortion restriction at issue in Herrera has received significant scholarly and media attention in terms of its constitutionality,43 less consideration has been paid to the question of whether the hospital worker who reported Herrera to law enforcement violated federal and state health information confidentiality laws. As discussed in more detail below, the hospital worker clearly violated both federal and state law by voluntarily initiating the disclosure of Herrera’s information to law enforcement without Herrera’s prior written authorization.

In the United States, health information confidentiality is governed by a confusing patchwork of federal and state laws that have been carefully articulated by this Author in a variety of works.44 The federal HIPAA Privacy Rule,45 which strives to balance the interest of individuals in maintaining the confidentiality of their health information with the interest of society in obtaining, using, and disclosing health information,46 is an important starting point within this patchwork. The HIPAA Privacy Rule regulates a covered entity’s use and disclosure of a class of information called protected health information (PHI).47 A covered entity is defined to include a healthcare provider48 that transmits health information in electronic form in connection with certain standard transactions, including the health insurance claim transaction.49 Hospitals are expressly included within the HIPAA Privacy Rule’s definition of a healthcare provider.50 Because most hospitals (including Starr County Memorial Hospital, the hospital to which Herrera is believed to have presented) transmit health information in electronic form in connection with health claims sent to health insurers,51 most hospitals must comply with the HIPAA Privacy Rule when using or disclosing PHI.

With four exceptions that are largely inapplicable in the abortion context, PHI is defined as individually identifiable health information (IIHI) that is transmitted or maintained in any form or medium.52 In relevant part, IIHI is defined as information created by a healthcare provider that relates to the past or present health of an individual and that identifies the individual.53 Electronic or paper medical records that reference a named patient’s past abortion or present complications would meet this definition and would need to be protected in accordance with the HIPAA Privacy Rule. An oral communication by a hospital worker about a named patient’s past abortion or present complications also would meet this definition and would need to be protected in accordance with the HIPAA Privacy Rule.

Before using or disclosing an individual’s PHI, the HIPAA Privacy Rule requires a covered hospital to obtain the prior written authorization of the individual who is the subject of the PHI on a HIPAA-compliant form unless an exception applies.54 There is no indication that Herrera signed a HIPAA-compliant authorization form that would permit the hospital where she presented to disclose her abortion information to law enforcement. The HIPAA Privacy Rule does contain four exceptions that permit a covered entity to voluntarily initiate a disclosure of PHI to law enforcement without the prior authorization of the individual who is the subject of the PHI.55 However, not one of these exceptions applied to Herrera, rendering the hospital’s disclosure of Herrera’s PHI a violation of the HIPAA Privacy Rule.

The first potentially relevant exception—known as the crime-on-premises exception—permits a covered entity to disclose to law enforcement PHI “that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.”56 In Herrera’s case, however, her self-induced abortion that was (incorrectly) believed to be a crime occurred outside the hospital, not on the premises of the hospital. Herrera later presented to the hospital, likely due to complications associated with the self-induced abortion.57 Because the alleged criminal activity—the abortion—did not occur at the hospital, the crime-on-premises exception is inapplicable.

A second potentially relevant exception—the decedent exception—permits a covered entity to disclose PHI “about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct.”58 However, Herrera did not die from her January 2022 abortion. Indeed, Herrera was indicted in late March 2022 and then was jailed and subsequently released on bail in early April 2022.59 Because Herrera did not die, the decedent exception is inapplicable.

A third potentially relevant exception—the emergency care exception—permits a covered entity “providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, [to] disclose [PHI] to a law enforcement official if such disclosure appears necessary to alert law enforcement to . . . [t]he commission and nature of a crime,” the location or victims of a crime, or other similar information.60 Importantly, this exception only applies when the emergency health care being provided is provided off the premises of the covered entity.61 For example, a covered ambulance that is dispatched to a railroad track, a public park, or an elementary school and provides emergency care to an individual at one of those locations could meet this exception. In Herrera’s case, however, she was provided emergency care on the premises of the same covered hospital that disclosed her PHI to law enforcement.62 As a result, the emergency care exception is inapplicable.

A fourth potentially relevant exception—the required-by-law exception—permits a covered entity to disclose PHI in two different situations: (1) as required by a state or other law that requires the reporting of certain types of wounds or injuries; or (2) in compliance with a court order, grand jury subpoena, or administrative request.63 The first portion of this exception is inapplicable because the relevant Texas injury reporting law only applies to bullet and gunshot injuries, not abortion injuries.64 The second portion of the required-by-law exception is also inapplicable because the hospital worker voluntarily initiated the disclosure of Herrera’s PHI to law enforcement. The worker was not responding to any type of court order, grand jury subpoena, or administrative request. Indeed, it was the voluntary disclosure of Herrera’s PHI that led to the grand jury’s indictment, not the other way around.65

The four exceptions described above are the only exceptions in the HIPAA Privacy Rule that permit a covered entity to voluntarily initiate a disclosure of PHI to law enforcement without the prior written authorization of the individual who is the subject of the PHI.66 Two additional law enforcement exceptions do exist. However, both require a law enforcement officer to first request PHI from the covered entity,67 which is not the situation presented in Herrera. Even assuming, however, that a law enforcement officer first requested Herrera’s PHI from the Texas hospital where Herrera presented for care, one of the two additional exceptions requires the patient to have agreed to the disclosure.68 If the patient cannot agree due to incapacity or emergency circumstance, then the information could not be intended to be used against the patient, and the information disclosure would need to be in the patient’s interests.69 In Herrera’s case, there is no evidence that she agreed to the disclosure of her abortion information or that she could not agree due to incapacity or emergency circumstance. Assuming arguendo that Herrera could not agree, however, the information disclosed was still intended to be used (and was actually used) against Herrera. Finally, the information disclosure was certainly not in Herrera’s best interests. Indeed, the DA who eventually dismissed the charges against Herrera recognized in his dismissal announcement the “toll [taken] on Ms. Herrera and her family. To ignore this fact would be shortsighted.”70

In summary, the Texas hospital worker who voluntarily initiated the disclosure of Herrera’s PHI to law enforcement without Herrera’s prior written authorization did not meet any applicable exceptions to the authorization requirement set forth in the HIPAA Privacy Rule. As such, the worker violated the HIPAA Privacy Rule. To date, this fact seems to have escaped the attention of reporters, scholars, and enforcement agencies.71 As discussed in more detail in Section II.A of this Article, HHS and the DOJ, which are responsible for civilly and criminally enforcing the HIPAA Privacy Rule, respectively, should immediately investigate the unauthorized information disclosure and impose civil penalties on the hospital and criminal penalties on the worker.72

The HIPAA Privacy Rule establishes a federal floor of health information confidentiality protections that states are permitted to build on with more stringent state laws, that is, state laws that better protect health information confidentiality.73 Given that a worker at a Texas hospital disclosed Herrera’s information, the confidentiality provisions within the Texas Hospital Licensing Law also need to be analyzed.74 As background, the Texas Hospital Licensing Law generally prohibits the health information of a hospital patient from being disclosed without the patient’s prior authorization.75 There are twenty exceptions in which a hospital patient’s health information may be disclosed without patient authorization;76 however, only three are potentially applicable in the Herrera case. A careful reading of these three exceptions shows that not one applies, and that the hospital worker also violated the Texas Hospital Licensing Law.

The first potentially applicable exception set forth in the Texas Hospital Licensing Law provides that a hospital may disclose a patient’s health information “to a federal, state, or local government agency or authority to the extent authorized or required by law.”77 The Starr County Sheriff’s Department would constitute a local government authority for purposes of this exception but, as discussed above, the disclosure is prohibited (and therefore not authorized) by a law, that is, the HIPAA Privacy Rule.78 And, although Texas law does contain an injury reporting provision that requires certain healthcare providers to disclose certain injuries to law enforcement, this injury reporting law only applies to bullet and gunshot injuries, not abortion injuries.79 Moreover, Herrera likely was experiencing normal abortion complications, not an “injury.” As a result, the first exception is inapplicable to Herrera.

The Texas Hospital Licensing Law’s second potentially applicable exception provides that a hospital may disclose a patient’s healthcare information in compliance with a court order.80 In Herrera, however, the hospital worker voluntarily initiated the disclosure and was not responding to a court order. The third potentially applicable exception provides that a hospital may disclose a patient’s health information if the disclosure is “related to a judicial proceeding in which the patient is a party and the disclosure is requested under a subpoena issued under . . . the Texas Rules of Civil or Criminal Procedure.”81 In Herrera, however, the information disclosure occurred before the commencement of any criminal or other judicial proceeding and thus was not related to a judicial proceeding in which Herrera was presently a party. As a result, neither the second nor the third exception is applicable.

In summary, the hospital worker who voluntarily initiated the disclosure of Herrera’s health information to law enforcement without Herrera’s prior authorization did not meet any applicable exceptions set forth in the Texas Hospital Licensing Law. As such, the confidentiality provisions within the Texas Hospital Licensing Law were also violated. As discussed in more detail in Section II.A of this Article, the Texas Department of State Health Services, which oversees Texas hospitals’ compliance with the Texas Hospital Licensing Law, should immediately: (1) pursue injunctive relief that would prohibit hospital workers from further disclosing reproductive health records without prior patient authorization;82 (2) impose civil monetary penalties on the hospital;83 and (3) suspend or revoke the hospital’s operating license.84 All three remedies are expressly authorized by the Texas Hospital Licensing Law.85 In addition, patients like Herrera should be made aware that they may sue hospitals for confidentiality violations. Indeed, injunctive relief and civil damages are expressly authorized by the Texas Hospital Licensing Law for patients who are injured by licensing violations.86

B. Responsive Disclosures by Providers Pursuant to Court Orders and Party Subpoenas During Judicial Proceedings

Herrera involved a voluntary disclosure of a patient’s abortion information by a hospital worker to law enforcement without a prior request from law enforcement, leading to a criminal investigation of the patient.87 In a second recurring fact pattern, a party that is involved in an ongoing judicial proceeding will subpoena abortion records from a healthcare provider. Northwestern Memorial Hospital v. Ashcroft nicely illustrates this fact pattern.88 In Northwestern, the U.S. Attorney General (AG) subpoenaed the medical records of approximately forty-five patients on whom a physician named Dr. Cassing Hammond had performed late-term abortions at Northwestern Memorial Hospital (Northwestern) in Chicago, Illinois, using the dilation and extraction (D&X) and dilation and evacuation (D&E) abortion procedures.89 The subpoenaed records were sought as part of a lawsuit by the plaintiffs (including Dr. Hammond) who challenged the constitutionality of the federal Partial-Birth Abortion Ban Act of 2003.90 At issue in the case was an exception to the prior authorization requirement in the HIPAA Privacy Rule that permits covered entities to disclose PHI as part of a judicial or administrative proceeding in certain limited situations (hereinafter judicial proceeding exception).91 Writing for the U.S. Court of Appeals for the Seventh Circuit, Judge Posner ruled that the judicial proceeding exception, if satisfied, simply permits a covered hospital to release abortion records without violating the HIPAA Privacy Rule.92 Satisfaction of the judicial proceeding exception does not guarantee, however, that the released records will be admitted into evidence in a particular judicial proceeding.93 Federal or state rules of evidence, as appropriate, govern the records’ admissibility.94

Although neither the Federal Rules of Evidence nor the federal common law contained an abortion record privilege that would apply in the federal question case before him, Judge Posner ruled against the admissibility of the subpoenaed abortion records because they had limited probative value when weighed against the abortion patients’ fear of identification and consequent harm to the hospital.95 Judge Posner reasoned that the “natural sensitivity” that most people feel about their medical records “is amplified when the records are of a procedure that Congress has now declared to be a crime.”96 Judge Posner also reasoned that if the defendant hospital could not shield its patients’ abortion records from disclosure in judicial proceedings, the hospital would lose the confidence of its patients, and patients with sensitive medical conditions would turn elsewhere for treatment.97 Finally, Judge Posner reasoned that, although state privileges cannot be counted on to apply in federal court in federal question cases, quashing the subpoena did comport with Illinois’s strong medical-records privilege.98 As a result, Judge Posner affirmed the district court’s decision to quash the subpoena.99

The Northwestern case offers a nice platform from which to explore the HIPAA Privacy Rule’s judicial proceeding exception in tandem with federal and state rules of evidence. As background, the judicial proceeding exception permits a covered entity like Northwestern to disclose PHI in the course of a judicial proceeding in three situations. In the first situation, Northwestern would be permitted to disclose PHI in response to a court order if Northwestern only disclosed the PHI specifically demanded in the order.100 Once disclosed to the court, the HIPAA Privacy Rule does not currently impose any additional confidentiality restrictions on the records. As discussed in more detail in Section II.C of this Article, the HIPAA Privacy Rule should be amended to add limitations that are currently set forth in federal substance use disorder treatment record regulations, including a limitation prohibiting records obtained by court orders from being used to investigate or prosecute the patient who is the subject of the records.

In the second situation, Northwestern would be permitted to disclose PHI in response to a subpoena, discovery request, or other lawful process that is not accompanied by a court order, but only if Northwestern receives satisfactory assurance (through a written statement and accompanying documentation) from the party seeking the information (in this case, the AG) that reasonable efforts have been made by the AG to ensure that the women who are the subjects of the abortion records have been given written notice of the AG’s request and have sufficient information about the litigation for which their PHI is being requested to raise an evidentiary objection.101 This means that the women would have to be given sufficient time to object to the admission of their records as well as time for the court to rule on their objections.102 If their objections are sustained, their records will be disallowed into evidence.103 Only if the women do not object or, if the women do object, if a court has overruled their objections, can their records be admitted into evidence.104 As discussed in more detail in Section II.E of this Article, state evidentiary privileges that forbid the admission of abortion records in civil and criminal proceedings should be upheld, and state laws without strong privileges should be amended accordingly.

In the third situation, a covered entity like Northwestern may disclose PHI in the course of a judicial proceeding “in response to a subpoena, discovery request, or other lawful process” that is not accompanied by a court order, but only if the covered entity “receives satisfactory assurance . . . from the party seeking the information” (i.e., the AG in Northwestern) “that reasonable efforts have been made by such party to secure a qualified protective order [(QPO)].”105 As background, a QPO is an order of a court or a stipulation by the parties to litigation that prohibits the parties from disclosing the PHI for any purpose other than the litigation and that requires the return to the covered entity (or the destruction) of all copies of the PHI at the conclusion of the litigation.106 Satisfactory assurance has been received when the covered entity receives a written statement and accompanying documentation from the party seeking the PHI demonstrating that the parties to the dispute have agreed to a QPO and have presented it to the court, or that the party seeking the PHI has requested a QPO from the court.107 As discussed in more detail in Section II.C of this Article, the HIPAA Privacy Rule should be amended to clarify that a condition of the QPO be that PHI cannot be used to investigate or prosecute the individual who is the subject of the PHI or a provider who performed an abortion.

By no means, then, does the HIPAA Privacy Rule easily allow covered entities to disclose PHI just because a judicial proceeding happens to be ongoing. Moreover, even if the procedural release steps described in the three preceding paragraphs are properly followed, federal or state rules of evidence still must be satisfied before the records can be admitted into evidence. As shown by Judge Posner’s ruling in Northwestern, a judge certainly can disallow the admission of records due to their limited probative value relative to the abortion patients’ significant fear of identification and consequent harm.

C. Required Disclosures by Providers to State Agencies Pursuant to Mandatory Abortion Data Reporting Laws

So far, this Article has discussed a fact pattern involving a voluntary disclosure of abortion information by a hospital worker to law enforcement without a prior request from law enforcement (e.g., Herrera),108 as well as a fact pattern involving a responsive disclosure of abortion records by a provider pursuant to a party subpoena issued during a judicial proceeding (e.g., Northwestern).109 In a third fact pattern, a provider will disclose abortion data to a state agency pursuant to a state mandatory reporting law, such as a mandatory abortion data reporting law. Then, an anti-abortion activist or other person will request the data from the relevant state agency and the question becomes whether the agency can release the data pursuant to a public records or freedom of information law. The Louisiana case of Mahoney v. Kliebert nicely illustrates this fact pattern.110

As background for Mahoney, most states have an abortion data reporting law that requires physicians who perform abortions in the state to report certain data regarding each abortion performed to a state agency.111 Louisiana’s version of this law requires a physician who performs an abortion to complete a form called a “Report of Induced Termination of Pregnancy” (ITOP report) and to transmit the ITOP report to the Louisiana Vital Records Registry (LVRR) within fifteen days of performing the abortion.112 Although a properly completed ITOP report will not include the name of the individual who had the abortion, the form will include the individual’s age, marital status, state and parish of residence; the age, marital status, state and parish of residence of the father, if known; the place where the abortion was performed; the full name and address of the physician who performed the abortion; the medical reason for the abortion; the medical procedure used to perform the abortion; the weight and length of the aborted fetus; other significant conditions of the fetus and the individual who carried the fetus; and the results of the pathological examination of the aborted fetus.113 In Louisiana, a physician who fails to complete an ITOP report has committed “a misdemeanor punishable by imprisonment for ninety days in jail or by a five hundred dollar fine, or both.”114 The failure of a physician to complete an ITOP report also is considered evidence that an illegal abortion was performed.115 Under current law, a physician’s disclosure of PHI to the LVRR through an ITOP report does not violate the HIPAA Privacy Rule because the Privacy Rule permits disclosures required by law as well as disclosures of vital events to public health authorities.116

The stated purpose of most abortion data reporting laws is to compile abortion data that may be used to improve maternal health and life and to monitor abortions performed in the state to ensure that only legal abortions are performed.117 Through their websites, most state departments of health make public certain aggregated abortion data, including the number and types of abortions performed in the state each year; the reasons that abortions were obtained in the state each year; the race, chronological age, gestational age, and marital status of the individuals who had abortions each year; as well as certain data regarding minors who have received abortions each year.118

Mahoney now can be used to review the application of mandatory abortion data reporting laws and to show how anti-abortion activists attempt to obtain access to such data.119 In Mahoney, an anti-abortion activist attempted to use Louisiana’s public records law to gain access to abortion data transmitted by Louisiana physicians to LVRR through the ITOP reporting process.120 The Louisiana Department of Health and Human Services (Department) responded by opposing Mahoney’s access. In its motion of opposition, the Department argued that the information sought was specifically exempted under Louisiana’s then-current public records law.121 The Department also argued that Louisiana’s then-current abortion reporting law contained a provision stating that ITOP reports “shall be confidential.”122 In its motion of opposition, the Department also encouraged Mahoney to download the aggregated (but not individually identifiable) abortion data the Department had made available through its website.123 Research revealed no judicial opinion ruling on the parties’ motions as well as no evidence that the Department ultimately disclosed to Mahoney the information he requested. As discussed in more detail in Section II.D of this Article, existing public records exceptions applicable to reported abortion data should be followed by state agencies and, if challenged, upheld by the courts.124 In states without relevant exemptions, carefully worded exemptions applicable to mandatorily reported abortion data should be enacted.125

D. The Collection, Use, Disclosure, and Sale of Reproductive Health Data by Noncovered Entities

So far, this Article has examined federal and state laws governing: (1) voluntary disclosures of abortion information by healthcare providers to law enforcement without a prior request from law enforcement (e.g., Herrera);126 (2) responsive disclosures of abortion records by healthcare providers pursuant to court orders or party subpoenas during judicial proceedings (e.g., Northwestern);127 and (3) mandatory disclosures of abortion reports by healthcare providers to state agencies pursuant to mandatory reporting laws (e.g., Mahoney).128 A fourth fact pattern involves the collection, use, disclosure, and/or sale of reproductive health information by individuals and institutions that are not covered entities under federal and state health information confidentiality laws.

As background, Herrera, Northwestern, and Mahoney involved traditional hospitals and physicians that meet the definition of a “health care provider” under the HIPAA Privacy Rule and that likely transmit health information in electronic form in connection with standard transactions, including the health insurance claim transaction (standard transaction requirement).129 To the extent a hospital or physician meets the standard transaction requirement, the hospital or physician is regulated by the HIPAA Privacy Rule.130 Hospitals and physicians also are governed by confidentiality provisions set forth within state hospital licensing laws and state medical practice acts, respectively.131 In summary, hospitals, physicians, and other traditional healthcare providers are heavily regulated when it comes to the use and disclosure of identifiable patient information.

That said, not all individuals and institutions who collect, use, disclose, and/or sell reproductive health information are strictly regulated by federal and state health information confidentiality laws. Consider, for example, crisis pregnancy centers (CPCs), also called pregnancy care centers.132 CPCs tend to be nonprofit, faith-based organizations that discourage individuals from having abortions and that promote parenting or adoption instead.133 CPCs, which outnumber abortion clinics by three to one in the United States, typically provide some combination of pregnancy testing services, nondiagnostic ultrasound services, fetal development information, maternal nutritional information, parenting and/or adoption information, and housing, as needed.134 CPCs collect significant personal information from individuals who inquire about or receive their services, including name, address, telephone number, driver’s license number, chronological age, gestational age, sexually transmitted infection information, and other medical history.135 Many CPCs provide post-abortion counseling, which also facilitates the collection of data regarding individuals who have had abortions.136 Despite claims by CPCs that they maintain health information confidentiality,137 a number of prominent media outlets suggest that CPCs will disclose their customers’ identifiable health information without authorization in the context of pregnancy outcome investigations and abortion prosecutions.138

As discussed in Section I.A, HIPAA-covered healthcare providers are prohibited in many situations from disclosing PHI to law enforcement without the prior written authorization of the individual who is the subject of the PHI.139 Although some CPCs may fall within a catch-all to the HIPAA Privacy Rule’s definition of a “health care provider,”140 recall that the HIPAA Privacy Rule only regulates those healthcare providers who meet the standard transaction requirement.141 To the extent a CPC does not electronically bill health insurance—and CPCs generally do not bill insurance because insurance does not cover the nonmedical services provided by CPCs—the CPC will not be a HIPAA-covered entity subject to the HIPAA Privacy Rule.142

Some states like Texas do have HIPAA-like laws that apply to anyone who comes into possession of identifiable health information,143 including CPCs, but not all states have these laws. And, although five states (as of this writing) have enacted new consumer data protection laws that apply to non-HIPAA–covered entities that collect, use, disclose, and/or sell personal data (including health data), these new consumer data protection laws require businesses to meet significant financial or data thresholds in order to be regulated. The California Consumer Privacy Act of 2018, for example, only applies to businesses that have “annual gross revenues in excess of twenty-five million dollars”; that annually buy, sell, or share the personal information of 100,000 or more consumers; or that derive fifty percent or more of their annual revenues from selling consumers’ personal information.144 The new consumer data protection laws of Virginia,145 Colorado,146 Utah,147 and Connecticut148 also require businesses to meet significant financial or data thresholds in order to be regulated. It is unlikely that many CPCs meet these thresholds, allowing them to evade significant state regulation.

Some CPCs make claims regarding patient privacy and health information confidentiality. For example, one Oklahoma-based CPC called Hope Pregnancy Center states in one place on its website that it offers “confidential unplanned pregnancy services” and in a second place that it provides “confidential pregnancy confirmation and information.”149 A second Oklahoma-based CPC called Compassion Pregnancy Center explains that all of its services are free and “confidential.”150 A spokesperson of a third CPC, based in Texas and called Prestonwood Pregnancy Center, recently told Time Magazine that it “respects client privacy.”151 A fourth CPC, based in Alabama and called River Region Pregnancy Center, states in one place on its website that it offers “confidential” professional services and in a second place that it provides no-cost “confidential” services.152

These confidentiality claims, if violated, could implicate federal and state consumer protection laws.153 Under federal consumer law, for example, when a company tells a consumer that the company will safeguard the consumer’s health data but fails to do so, the Federal Trade Commission (FTC) can take enforcement action, forcing the company to keep its promise.154 Indeed, President Biden recently issued an Executive Order directing the Chair of the FTC to consider actions that will better protect the confidentiality of consumers who research and/or pursue reproductive health care and rely on promises of confidentiality.155 As discussed in more detail in Section II.F of this Article, CPCs should be required by federal legislation to post online and print notices of privacy practices clearly indicating whether they disclose customer information to law enforcement or any other third party and the reasons for such disclosures.156 This notice should be prominently displayed on the CPC’s website, in advertisements and other communications about the CPC, and on the physical premises of the CPC, including places where customers are likely to see the notice, such as a reception desk, waiting area, and examination room.157

A CPC is one example of an organization that collects significant reproductive health information and that is lightly regulated by traditional confidentiality laws. A second example includes the Author’s Garmin Vívoactive 4S GPS smartwatch (Garmin Smartwatch), which solicits information from the user regarding their menstrual cycle through a feature called Menstrual Cycle Tracking.158 As with CPCs, neither the Garmin Smartwatch nor its accompanying Garmin Connect™ mobile application are HIPAA-covered entities, nor are they regulated by other traditional health information confidentiality laws, such as state hospital licensing laws or state medical practice acts.159

In addition to CPCs and the Garmin Smartwatch, there are dozens of other menstrual cycle tracker applications,160 fertility tracker applications,161 pregnancy tracker applications,162 other mobile applications, other wearable technologies, and other noncovered entities that collect data that could be used to aid in a pregnancy outcome investigation or an abortion prosecution.163 For example, a team of investigative reporters discovered that Facebook is collecting data regarding users who visit CPCs and other pregnancy-related websites.164 According to the reporters, the Facebook-collected data is used for targeted advertising but also could be used to aid law enforcement in pregnancy outcome investigations and abortion prosecutions.165 By further example, Google logs the location history of individuals who use Google services approximately every two minutes and can estimate the location of a person within nine feet.166 An individual’s location (e.g., near a clinic known to provide abortions after the statutory gestational age prohibition), as well as the individual’s internet search history (e.g., Google search for “online abortion pill”); chat history (e.g., “Can I make an appointment for 10:00 a.m.?”); and text messages (e.g., “Will you drive me to my procedure?”) could be collected and analyzed as part of a pregnancy outcome investigation or abortion prosecution.167 Google’s possession of location, internet search, and other data is concerning given that, in the first half of 2021 alone, Google received from law enforcement “more than 50,000 subpoenas, search warrants and other . . . legal requests for data Google retains” in databases, including “Sensorvault.”168 Since then, Google announced that it would delete user location history by default on September 1, 2022,169 and will delete abortion clinic visit history immediately.170 That said, the collection of location history by Google with respect to individuals who, perhaps due to a lack of familiarity with technology, turn location history back on is concerning.171

In the context of reproductive health information, concerns regarding the collection, use, disclosure, and sale of data by noncovered entities are not theoretical. A particularly worrisome research study published in June 2022 found, for example, that twenty of the twenty-three most popular women’s health applications, including reproductive health applications, were sharing user data with third parties even though just 52% of those applications obtained consent from users.172 A location data firm called SafeGraph, by further example, sold a week’s worth of location data showing people visiting Planned Parenthood and other abortion-providing clinics, including data showing where they came from, how long they stayed at each clinic, and where they went after their clinic visits.173 SafeGraph sold the data for only $160.174 By still further example, Gizmodo (a media company that reports on technology) recently identified thirty-two data brokers that sell data on 2.9 billion profiles of U.S. residents “pegged as ‘actively pregnant’ or ‘shopping for maternity products.’”175 By final illustrative example, a Mississippi grand jury relied on the internet search history of Latice Fisher, a Black woman from Starkville, to indict her for second degree murder.176 Fisher’s search queries related to inducing a miscarriage and purchasing abortion medications online.177 As discussed in more detail in Section II.F of this Article, strong federal legislation is needed to prohibit location data companies, social media companies, technology companies, and other noncovered entities from collecting, using, disclosing, and selling reproductive health information.

II. Administrative, Legislative, and Judicial Proposals

A. Vigorous Enforcement of Existing Health Information Confidentiality Laws

Section I.A of this Article analyzed a fact pattern involving a Texas worker who voluntarily initiated a disclosure of Lizelle Herrera’s PHI to law enforcement without Herrera’s prior written authorization. This information disclosure violated the HIPAA Privacy Rule,178 the Texas Hospital Licensing Law179 and, if the disclosure was made electronically, the Texas Medical Records Privacy Act.180 As discussed in more detail below, enforcement agencies must vigorously enforce these and similar laws to help even the playing field in the current abortion battleground.

HHS’s Office for Civil Rights (OCR) is responsible for civilly enforcing the HIPAA Privacy Rule.181 The DOJ is responsible for criminally enforcing the HIPAA Privacy Rule.182 In terms of civil enforcement, the HIPAA Privacy Rule permits anyone, not just the patient who is the subject of PHI, to complain to the Secretary of HHS about a privacy violation.183 When a preliminary review of the facts in the complaint indicates a possible violation due to willful neglect, the Secretary must investigate the complaint and conduct a compliance review.184 OCR will then attempt to resolve the complaint through one of three means, including voluntary compliance, corrective action, and/or a resolution agreement.185 Although most HIPAA Privacy Rule investigations are resolved to the satisfaction of OCR through these means, OCR may impose civil money penalties (CMPs) on covered entities in situations in which resolution is not possible.186 As of this writing, individuals who complain to the Secretary of HHS do not receive a portion of any resolution agreement amount or CMP imposed on a covered entity; instead, these amounts are deposited with the Department of Treasury.187 Also as of this writing, individuals who are harmed by privacy violations do not have a private right of action under the HIPAA Privacy Rule.188 In addition to civil enforcement, HHS also may refer a case to the DOJ for criminal investigation.189 The first criminal penalty was imposed on a covered healthcare worker in 2004, and additional criminal penalties have been imposed since then.190

This begs the question of why the federal government appears to have done nothing about the confidentiality violation in Herrera. It is possible that HHS did not receive a complaint that would make the federal government aware of the violation. After all, twenty-six-year-old Lizelle Herrera may not be familiar with the nonapplication of the complex law enforcement exceptions within the HIPAA Privacy Rule. In addition, she may not have known that she had a legal right to complain. Although anyone can complain to the Secretary of HHS, not just the patient who is the subject of the PHI that was impermissibly disclosed,191 it is also possible that no one else who was familiar with the case spotted the violation and/or knew they had a legal right to complain. Without a complaint, HHS may be simply unaware of the case, despite the significant media attention surrounding the case.192

It is possible, too, that HHS is aware of the violation in Herrera and is in the process of investigating the case. As explained by the Author in prior scholarship, it can take more than seven years for HHS to investigate and resolve civil violations of the HIPAA Privacy Rule,193 and it can take more than eight years for a criminal defendant to be sentenced for violating the HIPAA Privacy Rule.194 These significant time delays do result in a lack of timely attention to the confidentiality rights of patients and insureds.195 These time delays do need to be remedied; otherwise, the HIPAA Privacy Rule is all bark and too little bite.196

It is also possible that the Secretary of HHS quickly investigated the case, did not refer the case to the DOJ, and decided only to proceed with voluntary compliance and not a CMP (or a settlement agreement in lieu of a CMP). This decision would make sense in light of the Author’s prior research, which shows that HHS and state attorneys general (SAGs)—who also have authority to civilly enforce HIPAA Privacy Rule violations as a result of the Health Information Technology for Economic and Clinical Health Act (HITECH) within the American Recovery and Reinvestment Act (ARRA)197—tend to focus their settlement and penalty efforts on cases involving large groups of patients and insureds, which can yield higher penalties for HHS and SAGs.198 However, these enforcement practices leave individuals like Lizelle Herrera out of the enforcement spotlight.199

On July 8, 2022, President Biden issued a fact sheet announcing that he would do everything in his power to defend reproductive rights and protect access to safe and legal abortions.200 On that same day, President Biden also issued an Executive Order designed to protect access to reproductive healthcare services.201 Both the fact sheet and the Executive Order demonstrate President Biden’s commitment to addressing threats to reproductive health care caused by, among other things, the unauthorized use, disclosure, and/or sale of reproductive health data.202 In his Executive Order, President Biden directed HHS to consider how best to use the HIPAA Privacy Rule to protect the confidentiality of reproductive health data.203 This Article responds to this request for consideration by arguing that not only HHS, but also the DOJ, should vigorously exercise the express statutory and regulatory authority they currently have to promptly investigate and enforce violations of the HIPAA Privacy Rule in the context of reproductive health information. If hospital workers and other healthcare providers were made aware of the significant civil penalties (up to $1,919,713 at present)204 and criminal fines (statutorily set at $250,000), as well as jail time (statutorily set at up to ten years),205 that apply to HIPAA Privacy Rule violations, it is likely they would think twice before making unauthorized uses and disclosures of patients’ reproductive health information. It is one thing for a healthcare worker to call the police and report a patient who had a medical procedure with which the worker personally or politically disagrees. It is quite another for a healthcare worker to risk millions of dollars in penalties on the civil side and up to ten years in jail on the criminal side to make the same report. 
If HHS civilly penalized the hospital in Herrera and the DOJ criminally punished the hospital worker in Herrera, and both agencies heavily publicized these penalties, other healthcare workers might be discouraged from making unauthorized uses and disclosures of patients’ reproductive health information going forward.

Moreover, both HHS and the DOJ should launch a “HIPAA Reproductive Health Information Initiative” as soon as possible. As background, HHS launched in 2019 a HIPAA Right of Access Initiative pursuant to which HHS promised to vigorously enforce patients’ right to access their medical records.206 To date, this initiative has resulted in thirty-eight enforcement actions against covered entities that failed to give patients timely access to their medical records as required by the HIPAA Privacy Rule.207 HHS and the DOJ should work together to launch a similar initiative that would commit them to the vigorous identification, investigation, and enforcement of HIPAA Privacy Rule violations in the context of reproductive health information. As part of this initiative, HHS and the DOJ should strongly communicate the fact that anyone, not just a patient who is the subject of PHI, can complain to the federal government about suspected confidentiality violations.208 After all, if states like Texas can pass new legislation allowing anyone to civilly enforce abortion restrictions,209 then the federal government certainly can promote existing regulations that allow anyone to complain about HIPAA Privacy Rule violations. 
Finally, and consistent with the Author’s prior scholarship, HHS should also adopt regulations: (1) allowing private parties who assist HHS in identifying violations of the HIPAA Privacy Rules to receive a percentage of any settlement amount or CMP imposed by HHS; (2) allowing private parties harmed by violations of the HIPAA Privacy Rules to enforce their privacy and security rights through litigation supported by a private right of action; and (3) excluding covered entities that violate the HIPAA Privacy Rule from participating in the Medicare and Medicaid programs, which can be a financial death sentence for many covered entities.210 If promulgated by HHS, the first two regulations will encourage individuals to report confidentiality violations, supporting enforcement of the HIPAA Privacy Rule. The third regulation would establish and hold a new penalty—one with significant financial repercussions—over the heads of covered entities that violate the HIPAA Privacy Rule.211

As discussed in Section I.A, the hospital worker who disclosed Herrera’s information also violated confidentiality provisions within the Texas Hospital Licensing Law. This Article further argues that the Texas Department of State Health Services (Department), which oversees Texas hospitals’ compliance with the Texas Hospital Licensing Law, should vigorously enforce confidentiality violations involving reproductive health records. To this end, the Department should immediately: (1) pursue injunctive relief that would prohibit workers at the Texas hospital from further disclosing reproductive health records without prior patient authorization;212 (2) impose CMPs on the hospital;213 and (3) threaten to suspend or revoke the hospital’s operating license.214 All three remedies are expressly authorized by the Texas Hospital Licensing Law.215 In addition, the Department should heavily publicize provisions within the Texas Hospital Licensing Law giving patients like Herrera authority to sue hospitals for confidentiality violations. The Department should also clarify in its communications that both injunctive relief and civil damages are expressly authorized by the Texas Hospital Licensing Law for patients who are injured by confidentiality violations.216

B. The Application of Psychotherapy Note Protections to Reproductive Health Information

In addition to vigorously enforcing existing health information confidentiality laws, federal and state lawmakers also need to strengthen these laws to better protect reproductive health information. As background, most federal and state confidentiality laws apply uniform confidentiality protections to all identifiable health information, regardless of whether that health information relates to orthopedic care, dermatological care, neurological care, or reproductive health care.217 One exception relates to psychotherapy notes, which are notes of a mental health professional taken during a counseling session that document or analyze what the patient said during the counseling session.218 Both the HIPAA Privacy Rule219 and many analogous state laws220 provide heightened confidentiality protections to psychotherapy notes due to the particularly sensitive information that is believed to be contained within the notes.221

These heightened confidentiality protections are best explained as follows: in the context of non-psychotherapy note PHI, federal and state laws contain dozens of treatment, payment, healthcare operations, and public benefit activity exceptions for which covered entities can use and disclose PHI without the prior written authorization of their patients.222 In the context of psychotherapy notes, however, there are just a few activities for which covered entities can use and disclose these notes without their patients’ prior written authorization.223 These activities include only: (1) use of the notes by the author of the notes (i.e., the psychotherapist) to treat the patient; (2) use of the notes by the covered entity to train mental health students and practitioners regarding conducting counseling sessions; (3) use or disclosure by the covered entity to defend itself in a legal action (e.g., in a medical malpractice case or a sexual assault case) brought by the patient; (4) a disclosure to the Secretary of HHS as necessary to investigate or determine a covered entity’s compliance with the HIPAA Privacy Rule; (5) a use or disclosure that is required by law; (6) a disclosure to a health oversight agency (e.g., the HHS Office of Inspector General (OIG)) for the purposes of overseeing the psychotherapist (e.g., in a healthcare fraud case); (7) a disclosure to a coroner or medical examiner to help identify a deceased patient or determine a patient’s cause of death; and (8) a disclosure to the police or to an intended victim as necessary to avert a serious threat to health or safety (e.g., when the patient threatens during a counseling session to kill a third party).224

Note that most of these activities are designed to help, not hurt, the patient who is the subject of the psychotherapy notes. For example, it helps the patient when the patient’s psychotherapist reviews the past week’s notes prior to the patient’s next session. It helps the patient to be able to bring a medical malpractice case against a psychotherapist who provides negligent care, including negligent care that results in a death that is ruled a suicide by a coroner or medical examiner. It helps a patient who is a victim of healthcare fraud, such as a psychotherapist over-billing, to have the OIG investigate that healthcare fraud and return money to the patient or the patient’s insurer. It helps the patient to be able to complain to HHS about a HIPAA Privacy Rule violation by the psychotherapist.

Also note that the activities for which a psychotherapist can use or disclose psychotherapy notes without prior patient authorization do not include the six law enforcement exceptions discussed in Section I.A of this Article in the context of Herrera.225 The judicial and administrative proceeding exceptions discussed in Section I.B of this Article in the context of Northwestern also do not apply to psychotherapy notes.226 The HIPAA Privacy Rule simply does not permit disclosures of psychotherapy notes to law enforcement or disclosures in response to party subpoenas or discovery requests during judicial and administrative proceedings, unless the patient provides prior written authorization, which most abortion patients would not.227

HHS needs to promptly amend the psychotherapy notes provision so that it applies to reproductive health information as well. If statements made during a counseling session regarding a patient’s bitter divorce, a patient’s dire financial situation, or a patient’s difficult relationship with a parent deserve special protections under the theory that the statements are “particularly sensitive,”228 certainly reproductive health information (including abortion information) also qualifies. A dense research literature shows that an individual’s abortion can result in the individual being judged and stereotyped sexually, socially, morally, ethically, politically, religiously, and spiritually.229 Surely this potential for judgment and stereotyping rivals the potential stigma that can result from publicity of divorce details, financial troubles, and strained family relationships.

This Article thus proposes: (1) the creation of a new definition of “reproductive health information” within the HIPAA Privacy Rule; and (2) the amendment of the HIPAA Privacy Rule’s psychotherapy note regulation to cover reproductive health information as well. In terms of a definition of “reproductive health information,” language may be adapted from President Biden’s recent Executive Order relating to access to reproductive health care, where he defined a similar term (“reproductive healthcare services”).230 Similar language (“reproductive health information”) can then be inserted alphabetically (after “public health authority” but before “research”) in a definition regulation applicable to the HIPAA Privacy Rule and codified at 45 C.F.R. § 164.501, as follows:

Reproductive health information means information relating to an individual’s medical, surgical, counseling, or referral for services relating to the human reproductive system, including services relating to the continuation of a pregnancy, the miscarriage of a pregnancy, a stillbirth, or the termination of a pregnancy.231

In terms of amending the psychotherapy note regulation to cover reproductive health information, the following italicized language can be added to the psychotherapy note regulation codified at 45 C.F.R. § 164.508(a)(2):

Authorization required: Psychotherapy notes and reproductive health information. Notwithstanding any provision of this subpart, other than the transition provisions in § 164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes or reproductive health information, except:

(i) To carry out the following treatment, payment, or health care operations:

(A) Use by the originator of the psychotherapy notes or reproductive health information for treatment;

(B) Use or disclosure by the covered entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or in which students, trainees, or practitioners in reproductive health learn under supervision to practice or improve their medical, surgical, counseling, or referral skills relating to an individual’s reproductive health; or

(C) Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual; and

(ii) A use or disclosure that is required by § 164.502(a)(2)(ii) or permitted by § 164.512(a); § 164.512(d) with respect to the oversight of the originator of the psychotherapy notes; § 164.512(g)(1); or § 164.512(j)(1)(i).232

Note that the psychotherapy note regulation permits a covered entity to disclose information as “permitted by [45 C.F.R.] § 164.512(a).”233 Section 164.512(a) and an internally referenced regulation codified at 45 C.F.R. § 164.512(e) are the regulations within the HIPAA Privacy Rule that permit a covered entity to disclose PHI as required by law, including in accordance with a court order or any other law, such as a mandatory reporting law.234 Section II.C of this Article, immediately below, proposes amending 45 C.F.R. § 164.512(e) to better protect reproductive health records in the context of court-ordered disclosures and administrative and judicial proceedings. Section II.D of this Article, further below, proposes amending a preemption provision within the HIPAA Privacy Rule as well as clarifying or amending mandatory reporting laws to better protect reproductive health information.

C. Strengthened Protections in the Context of Court-Ordered Disclosures and Disclosures That Respond to Party Subpoenas, Discovery Requests, and Other Lawful Processes

As discussed in Section I.B, the HIPAA Privacy Rule and similar state laws permit covered entities to disclose PHI as ordered by a court, provided the covered entity discloses only the PHI expressly authorized by such order, as well as in response to party subpoenas, discovery requests, and other lawful processes, if additional requirements are met.235 In the relevant HIPAA Privacy Rule provisions, there are no contextual restrictions. For example, if a court orders information to be disclosed, the covered entity can disclose it.236 In addition, once the covered entity releases information pursuant to a court order, the HIPAA Privacy Rule does not impose any additional use or disclosure restrictions on the PHI.237

The same is not true in other regulatory schemes governing sensitive health information. For example, federal regulations codified at 42 C.F.R. Part 2, which provide special confidentiality protections to certain substance use disorder (SUD) patient records (records) of certain federally assisted SUD treatment programs (Part 2 Programs),238 heavily restrict the contexts in which Part 2 Programs are permitted to release information pursuant to a court order.239 Part 2 also heavily regulates the subsequent use and redisclosure of protected SUD records.240 In particular, Part 2 contains a subpart (Subpart E) titled “Court Orders Authorizing Disclosure and Use.”241 One provision in this subpart, referred to as the “confidential communications” provision, specifies that a court order may be used to authorize the “disclosure of confidential communications made by a patient to a [P]art 2 [P]rogram in the course of diagnosis, treatment, or referral for treatment,” but only in three situations, two of which are potentially relevant if reconsidered in the abortion context.242 One of these situations requires the disclosure to be necessary in terms of its connection with the “investigation or prosecution of an extremely serious crime, such as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect.”243 Notably, the Part 2 regulation does not list reproductive health care that a patient has requested (and consented to as part of the required informed consent to treatment process) as an extremely serious crime.244 The second situation requires the information disclosure to be “in connection with litigation or an administrative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications.”245 However, abortion patients likely would not be offering testimony or evidence outside the context of a medical malpractice lawsuit, a failure to obtain informed consent to treatment lawsuit, or similar lawsuit; that is, outside a situation in which a patient is voluntarily suing a healthcare provider and is willing to disclose their reproductive health information as part of that lawsuit.

A second provision in this subpart, the criminal patient provision, sets forth many requirements relating to court orders that would authorize the use or disclosure of SUD records to investigate a patient in connection with a criminal proceeding.246 For example, the crime for which the patient is being investigated would have to be an “extremely serious” crime, such as “homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, and child abuse and neglect.”247 Again, a reproductive healthcare procedure that the patient requested (and to which the patient consented as part of the required informed consent to treatment process) is very dissimilar from the un-consented-to crimes listed in the regulation. In addition, the presiding judge would have to determine that “[t]he potential injury to the patient, to the physician-patient relationship and to the ability of the [P]art 2 [P]rogram to provide services to other patients is outweighed by the public interest and the need for the disclosure.”248 As discussed in Section I.B, in Northwestern, Judge Posner found in an abortion records case that the potential injury to the patients whose abortion records were subpoenaed and to their physician-patient relationships did outweigh the public interest and need for disclosure.249

The HIPAA Privacy Rule needs to be amended to incorporate the approach taken by Part 2 in its confidential communications provision and in its criminal patient provision. This approach should be followed not only with respect to patients, but also with respect to providers who are under investigation for abortion-related crimes. The intended result would be that a confidential communication by, or the medical record of, a patient who had an abortion or who received other reproductive health care could not be used against the patient or the provider unless the patient or provider was alleged to have been involved in the performance of an “extremely serious” crime. HHS should clarify in its preamble to these proposed regulations that a requested (and consented to) healthcare procedure, including an abortion, is not an “extremely serious” crime. HHS should also clarify that a confidential communication by (or a medical record relating to) a patient who had an abortion could be used to help the patient bring a medical malpractice lawsuit, failure to obtain informed consent lawsuit, or other similar lawsuit if the patient so desires. There are two ways to achieve this result. The simplest way to achieve this result is to amend 45 C.F.R. § 164.512(e)(1) by adding the italicized language and removing the stricken language:

(e) Standard: Disclosures for judicial and administrative proceedings—

(1) Permitted disclosures. With the exception of reproductive health information, a A covered entity may disclose protected health information in the course of any judicial or administrative proceeding . . . .250

This method simply removes reproductive health information from the class of information that may be used or disclosed pursuant to a court order, party subpoena, discovery request, or other lawful process issued during a judicial or administrative proceeding. The Author prefers this straightforward approach, although this approach does treat reproductive health information differently than other PHI.251 To the extent others prefer to treat reproductive health information and other classes of PHI more similarly, a second approach is to amend 45 C.F.R. § 164.512(e)(1) to add two new subsections (vii and viii) that contain the following italicized language:

(e) Standard: Disclosures for judicial and administrative proceedings—

(1) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding: . . .

     (vii) except that a court order under paragraph (e)(1)(i) of this section or a party subpoena, discovery request, or other lawful process under paragraph (e)(1)(ii) of this section shall not authorize the disclosure of PHI unless: (1) the disclosure is necessary in connection with investigation or prosecution of an extremely serious crime, such as one which directly threatens loss of life of or serious bodily injury to a person who is a child or older, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect;252 or (2) the disclosure is in connection with litigation brought by the patient or an administrative proceeding commenced by the complaint of the patient during which the patient voluntarily offers testimony or other evidence pertaining to the content of PHI of which the patient is the subject.

     (viii) except that a court under paragraph (e)(1)(i) of this section or a party subpoena, discovery request, or other lawful process under paragraph (e)(1)(ii) of this section shall not authorize the disclosure of PHI that will be used to investigate or prosecute an individual for a crime, civil offense, or administrative violation related to consensual reproductive health care.253

D. The Clarification or Amendment of Mandatory Reporting Laws

As discussed in Section I.C of this Article, most states have laws that require physicians to disclose certain data regarding performed abortions to their state department of health or, more particularly, a vital statistics unit within their state department of health.254 These disclosures do not violate the HIPAA Privacy Rule and most other state health information confidentiality laws because these laws, as written, allow disclosures that are “required by law” as well as disclosures of vital events to public health authorities.255 Most states also have laws that require physicians and other healthcare providers to report certain wounds and injuries to law enforcement.256 These disclosures also do not violate the HIPAA Privacy Rule and most state health information confidentiality laws, which tend to allow some combination of disclosures that are “required by law,” disclosures of wounds and injuries to law enforcement, as well as disclosures of other injuries to public health authorities.257

In terms of state mandatory abortion data reporting laws, the Author recommends the strengthening of these laws to prohibit reported abortion data from being disclosed to law enforcement and members of the public through freedom of information laws, as well as in the context of judicial and administrative proceedings. For example, Texas’s abortion data reporting law could be amended to accomplish this result by deleting the following stricken language and adding the following italicized language:

(a) A physician who performs an abortion at an abortion facility must complete and submit a monthly report to the department on each abortion performed by the physician at the abortion facility. . . .

(d) Except as provided by Section 245.023, all information and records held by the department under this chapter are confidential and are not open records for the purposes of Chapter 552, Government Code. That information may not be released or made public on subpoena or otherwise, except that release may be made:

     (1) for statistical purposes, but only if a person, patient, physician performing an abortion, or abortion facility is not identified;

     (2) only with the consent of each person, patient, physician, and abortion facility identified in the information released;

     (3) to medical personnel, appropriate state agencies, or county and district courts to enforce this chapter; or

     (4) to appropriate state licensing boards to enforce state licensing laws.258

In terms of laws that require physicians and certain other persons to report certain wounds and injuries, some laws in this area only require the reporting of gunshot, bullet, and similar firearm injuries. Texas, for example, requires physicians who “attend[] or treat[] . . . a bullet or gunshot wound . . . [to] report the case at once to [local] law enforcement.”259 Vermont, by further example, requires physicians “attending or treating a case of bullet wound, gunshot wound, powder burn, or any other injury arising from or caused by the discharge of a gun, pistol, or other firearm” to “report such case at once to local law enforcement officials or the State police.”260 The Virgin Islands, by final illustrative example, requires physicians, physician aides, and nurses “treating a case of bullet wound, powder burn or any other wound arising from or caused by the discharge of a gun, revolver, pistol, or other firearm” to “report such case at once to the police authorities.”261 These types of injury laws—laws that require the reporting of very specific events that are unrelated to reproductive health—are preferred.

Other laws in this area require physicians and certain other persons to report additional injuries, including injuries caused by a knife or other sharp or pointed instrument. For example, Alaska requires “[a] health care professional who initially treats or attends to a person with . . . . an injury apparently caused by a knife, axe, or other sharp or pointed instrument, unless the injury was clearly accidental” to report the injury to law enforcement.262 By further example, Hawaii requires physicians and physician assistants “attending or treating a case of knife wound” to report the case to the chief of police of the county in which the person was attended or treated.263 By final illustrative example, Nevada requires healthcare providers “to whom any person comes or is brought for treatment of an injury which appears to have been inflicted by means of a . . . knife, not under accidental circumstances” to “promptly report the person’s name, if known, his or her location and the character and extent of the injury to an appropriate law enforcement agency.”264 Although not intended by these laws, a prosecutor or other law enforcement officer could argue that a curette, which is a sharp instrument used during the dilation and curettage (D&C) abortion procedure, is a knife or other sharp or pointed instrument.265 As a result, these laws should be amended to except consented-to reproductive healthcare procedures, including abortions. A definition of “knife” that excludes “surgical instruments used during consented-to reproductive healthcare procedures, including abortions” would accomplish this result.

Still other laws in this area require physicians and certain other persons to report any injury believed to have been caused by a criminal act. Arizona, for example, requires physicians, nurses, and hospital attendants “called upon to treat any person for . . . [a] material injury which may have resulted from . . . [an] illegal or unlawful act” to “immediately notify the chief of police or the city marshal, if in an incorporated city or town, or the sheriff, or the nearest police officer.”266 By further example, New Hampshire requires persons who “knowingly treated or assisted another” for any “injury he believes to have been caused by a criminal act” to immediately “notify a law enforcement official of all the information he possesses concerning the injury.”267 By final illustrative example, Wisconsin requires a licensed healthcare professional “who treats a patient suffering from . . . . [a]ny wound,” “if the person has reasonable cause to believe that the wound occurred as a result of a crime,” to “report the patient’s name and the type of wound . . . involved as soon as reasonably possible to the local police department or county sheriff’s office for the area where the treatment is rendered.”268 In states in which a patient’s abortion is a crime, these laws may be interpreted by a prosecutor or other law enforcement official to require the reporting of an abortion. These laws should be amended to except from the reporting requirement “consented-to reproductive healthcare procedures, including abortions.”

And, of course, all states contain laws requiring healthcare providers and certain other persons to report suspected cases of child abuse and, sometimes, other forms of person abuse.269 To the extent that a state passes a fetal personhood law—a law that makes an unborn fetus a child or other person270—then child and other person abuse reporting laws could be interpreted to require the reporting of persons suspected of having had abortions. For example, Iowa has a proposed bill stating that “life is valued and protected from the moment of conception, and each life, from that moment, is accorded the same rights and protections guaranteed to all persons.”271 Oklahoma has a similar proposed constitutional amendment stating that “the laws of this state shall be interpreted and construed to acknowledge on behalf of the unborn person in utero, all the rights, privileges, and immunities available to other persons, citizens, and residents of this state.”272 West Virginia also has a proposed bill that would define “human person” and “human being” to “include each member of the species homo sapiens at all stages of life, including the moment of fertilization or cloning.”273 The Author, who strongly disagrees with fetal personhood laws, recommends that states not enact them.

This Section has proposed ways in which states can amend their mandatory reporting laws to better protect the confidentiality of individuals with reproductive health histories. In states that maintain the legality of abortion, lawmakers may be successful in their efforts to enact such legislation. In states that criminalize abortion, lawmakers may be unsuccessful. For this reason, it is important that HHS amend the preemption survival regulation codified at 45 C.F.R. § 160.203 within the HIPAA Privacy Rule to add the following italicized language:

A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met:

. . . .

(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention. This paragraph (c) shall not apply to State laws that require the reporting of reproductive health information or that could be interpreted to require the reporting of reproductive health information.274

The effect of this amendment would be to prohibit covered entities from disclosing reproductive health information in accordance with state mandatory reporting laws. This more stringent HIPAA Privacy Rule provision would preempt contrary state laws that require the reporting of reproductive health information.

E. Judicial Adherence to, and Amendment of, State Evidentiary Privileges

As discussed in the context of Northwestern, the HIPAA Privacy Rule and many state health information confidentiality laws currently allow covered entities to disclose PHI pursuant to a court order or in response to a party subpoena, discovery request, or other lawful process if certain requirements are satisfied.275 If HHS is unable to amend the HIPAA Privacy Rule to prevent or restrict reproductive health information disclosures in these contexts, as recommended by this Article in Section II.C, a second option is for: (1) judges to rigorously adhere to state evidentiary privilege laws in states that forbid the production of reproductive health records; and (2) lawmakers to amend these laws in states that allow such production.

As background, a physician-patient privilege is a rule of evidence that prevents a physician from producing an individual’s medical record during a judicial proceeding or giving testimony about an individual’s condition or confidential communications unless the individual waives the privilege.276 The scope of the physician-patient privilege varies significantly from state to state, as does its application to the civil and criminal contexts. In Texas, for example, there is no physician-patient privilege in criminal cases outside the context of treatment for alcohol and substance use.277 There is a civil privilege in Texas, although the civil privilege has several enumerated exceptions.278 In Oklahoma, a patient does have “a privilege to refuse to disclose and to prevent any other person from disclosing confidential communications made for the purpose of diagnosis or treatment of the patient’s physical, mental or emotional condition.”279 That said, there is an exception for situations in which the HIPAA Privacy Rule permits a disclosure. This exception would allow disclosures by covered entities to law enforcement officials and disclosures in the context of administrative and judicial proceedings.280 In Illinois, the physician-patient privilege prohibits physicians from disclosing any information acquired while attending to a patient in a professional capacity.281 The Illinois privilege used to have a specific exception for cases involving criminal abortions, attempted abortions, and murders by abortion, but the Illinois Legislature subsequently removed this exception, which the Author supports.282 As a final illustrative but not exhaustive example of state privilege variation, some states have privileges the interpretation of which is heavily dependent upon the common law. For example, judicial opinions in New York have held that the New York privilege does apply with respect to the type of abortion procedure and the course of reproductive health care but does not apply to the names and addresses of abortion patients.283

In situations in which health information confidentiality laws allow reproductive health information, including abortion information, to be released by a covered entity, judges must rigorously adhere to state evidentiary privilege laws if these laws will prohibit or could prohibit the admission of that information into evidence. The decision of Judge Posner in Northwestern to quash an abortion record subpoena due, in part, to the strong Illinois privilege is persuasive.284 In states in which rules of evidence currently allow, or could be interpreted to allow, the admission of reproductive health information, evidentiary privilege amendments should be enacted. For example, the privileges in Texas and Oklahoma currently (and specifically) protect communications relating to SUD care,285 that is, care that may be needed as a result of illicit drug use as well as licit prescription drug use that is criminal due to a lack of prescription or due to diversion. There is no reason these privileges cannot be amended to also protect communications and records relating to reproductive health care, including care that has been criminalized, as follows:

A patient has a privilege to refuse to disclose and to prevent any other person from disclosing confidential communications made for the purpose of diagnosis or treatment of the patient’s physical, mental or emotional condition, including alcohol or drug addiction [or reproductive health condition, including care relating to the maintenance or termination of a pregnancy], among the patient, the patient’s physician or psychotherapist, and persons who are participating in the diagnosis or treatment under the direction of the physician or psychotherapist, including members of the patient’s family.286

F. Strong Legislation Regulating the Collection, Use, Disclosure, and Sale of Reproductive Health Data by Noncovered Entities

As discussed in Section I.D, a wide range of individuals and institutions that are not regulated by traditional health information confidentiality laws (hereinafter noncovered entities) are collecting, using, disclosing, and selling reproductive health information.287 Some states like Texas do have HIPAA-like laws that will regulate some of these noncovered entities.288 Other states, including California, Colorado, Connecticut, Utah, and Virginia, have new consumer data protection laws that will regulate these noncovered entities.289 However, not all states have these laws. Even states with new consumer data protection laws will not regulate all noncovered entities due to the significant financial or data thresholds in these laws. Local CPCs may not meet these financial or data thresholds, for example.

Strong federal legislation is needed to cure the weak patchwork of state law applicable to noncovered entities. An example of strong federal legislation that should be enacted is the My Body, My Data Act of 2022 (Act).290 The Act, introduced to Congress in June 2022 by Congresswoman Sara Jacobs, would forbid regulated entities from collecting, retaining, using, or disclosing “personal reproductive or sexual health information” unless the individual who is the subject of the PHI gives “express consent.”291 The only exception that applies is when the information collection, retention, use, or disclosure “is strictly necessary [for the regulated entity] to provide a [requested] product or service” to the individual who is the subject of the PHI.292

The Act defines a “regulated entity” as any “person, partnership, or corporation” that is “subject to the jurisdiction of . . . the Federal Trade Commission” and that is not also a HIPAA-covered entity.293 This definition is perfect—it covers CPCs, mobile menstrual cycle applications, mobile ovulation applications, mobile fertility applications, mobile pregnancy tracker applications, Garmin Smartwatches, other wearable technologies, location trackers, data brokers, and other individuals and institutions that collect, use, disclose, or sell reproductive health information but are not regulated by the HIPAA Privacy Rule. The Act does define protected “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual.”294 As argued by the Author in prior scholarship, this “capable of being associated with” or “reasonably linked” identification standard is insufficient to protect against patient reidentification.295 The Act should be amended in committee to require an expert to determine that the risk of patient reidentification is very small before the information can be considered deidentified.296

The Act requires regulated entities to maintain a privacy policy addressing the entity’s collection, retention, use, and disclosure of personal reproductive or sexual health information and to prominently publish that privacy policy on the website of the entity,297 as was suggested in Section I.D of this Article.298 The Act should be amended in committee, however, to also require regulated entities to prominently post the policy at any brick-and-mortar location of the entity, such as on the counter of any reception area at a CPC, on the walls of CPC waiting areas, and on the walls of CPC examination rooms.299 This is because not all individuals who present to a local CPC or other regulated entity will reach the entity through a website. Even those individuals who find a CPC or other regulated entity through the internet may not see or read an online privacy policy.

The Act is desirable because it also requires each regulated entity’s privacy policy to specifically identify third parties to which the entity discloses personal reproductive or sexual health information (e.g., law enforcement), as well as third parties from whom the regulated entity collects personal reproductive or sexual health information (e.g., data brokers).300 An individual who presents to a CPC might be deterred from providing sensitive data if informed that the data might be disclosed to law enforcement. The enforcement measures set forth in the Act are also attractive. The Act may be enforced not only by the FTC but also by private individuals through an express right of action contained in the bill.301 This private right of action has been recommended by the Author in prior scholarship.302 Subject to committee amendments relating to the definition of “personal information” and a physical-premises-posting requirement for the privacy policy, enactment of the Act is highly recommended.

III. Justification and Context

This final Part offers justification and context for the administrative, legislative, and judicial proposals identified in Part II. To begin, the proposals set forth in this Article are highly responsive to recent lawmaker requests to amend the HIPAA Privacy Rule. For example, Senators Michael F. Bennet (D-CO) and Catherine Cortez Masto (D-NV) wrote to the Secretary of HHS on July 1, 2022, asking him to amend the HIPAA Privacy Rule to better protect the confidentiality of reproductive health information.303 In their letter, Senators Bennet and Cortez Masto expressed their concern that CPCs and other noncovered entities are not required to comply with the HIPAA Privacy Rule and other traditional health information confidentiality laws.304 The Senators also expressed concern that the current HIPAA Privacy Rule does allow covered entities to disclose reproductive health information to law enforcement in certain situations.305 This Article responds to these lawmaker concerns by showing exactly how the HIPAA Privacy Rule would need to be amended to prevent covered entities from disclosing reproductive health information to law enforcement.306 This Article also shows exactly how recently introduced legislation, such as the My Body, My Data Act of 2022, would need to be amended to best regulate CPCs and other noncovered entities.307 In the conclusion of their letter, Senators Bennet and Cortez Masto stated, “When patients speak with their providers about options for contraceptives, the progression of their pregnancy, or their choices to terminate a pregnancy, they expect those conversations to remain confidential. The individual liberty to make those decisions, and the conversations surrounding them, must be protected.”308 This Article has provided a blueprint showing exactly how reproductive health conversations and records can be kept confidential.309

The proposals set forth in this Article are also consistent with, and responsive to, recent requests made by President Biden.310 In his July 8, 2022, Executive Order, President Biden specifically requested information regarding how best to address confidentiality concerns raised by the use, disclosure, and sale of reproductive health information, as well as digital surveillance related to reproductive healthcare services.311 President Biden also requested information on how best to use the HIPAA Privacy Rule, the FTC Act, and other laws to strengthen the protection of reproductive health information and to “bolster patient-provider confidentiality.”312 The proposals in this Article specifically address these presidential concerns and requests.

The proposals set forth in this Article are also consistent with recent statements made by relevant medical organizations, including the American College of Obstetricians and Gynecologists (ACOG). In May 2022, ACOG updated its policy on abortion.313 The updated ACOG policy provides:

ACOG strongly opposes any effort that impedes access to abortion care and interferes in the relationship between a person and their healthcare professional. Because the patient-clinician relationship is a critical component of the provision of the highest quality healthcare, any efforts interfering in this relationship harm the people seeking essential healthcare and those providing it.314

The updated policy further provides that “[i]ndividuals seeking abortion must be afforded privacy, dignity, respect, and support, and should be able to make their medical decisions without undue interference by outside parties.”315 This Article explains how some laws can be aggressively enforced and how other laws can be specifically amended to help patients make reproductive healthcare decisions without interference by law enforcement and other third parties.316

Perhaps most importantly, the proposals set forth in this Article are consistent with recent statements made by the Association of Prosecuting Attorneys (APA). In May 2022, the APA, through its Addressing Disparities to Reproductive Health Advisory Committee, released a press statement on the criminalization of abortion.317 The press release begins by restating the duty of prosecutors “to serve the public interest,” which includes refraining from prosecution when it would “negatively impact[] public welfare, undermine[] safety, or further[] inequities.”318 The press release continues:

Healthcare, including abortion, and its attendant decision-making processes are private medical matters. Law enforcement, including prosecutors, should not be thrust into this realm. Laws that criminalize healthcare . . . impede safe medical care and prevent individuals from seeking healthcare services for fear of prosecution, alienating communities, thereby causing dangerous outcomes.319

The press release concludes by opposing the criminalization of abortion, reasoning that “[f]orcing prosecutors into the public health space erodes the institutional integrity of the profession and destroys the trust of communities we took oaths to protect.”320 The proposals set forth in this Article will help the APA in keeping prosecutors and other law enforcement officials out of private medical matters.321

Conclusion

This Article has carefully untangled a complex web of confidentiality and privilege laws that are implicated by the collection, use, disclosure, and sale of reproductive health data post-Dobbs. After describing both common and anticipated fact patterns involving reproductive health information, this Article has applied health information confidentiality laws, including the federal HIPAA Privacy Rule, state hospital licensing laws, state medical practice acts, state medical record privacy acts, state consumer data protection laws, recently introduced data protection legislation, and evidentiary privilege laws, to these fact patterns. This Article has shown that, in some situations, existing confidentiality laws already—explicitly—prohibit the unauthorized disclosure of reproductive health information. In other situations, reproductive health records may be released, but the proper application of an evidentiary privilege or other rule of evidence should prohibit the records’ admission into evidence. In still other situations, straightforward amendments to confidentiality and privilege laws can protect against the use or disclosure of reproductive health information in pregnancy outcome investigations and abortion prosecutions.

This Article also has offered eleven concrete proposals that will create a post-Dobbs constitutional stopgap. These proposals include: (1) the vigorous enforcement of existing health information confidentiality laws at the federal and state levels; (2) the launching of a “HIPAA Reproductive Health Information Initiative” that will commit HHS and the DOJ to the prompt identification, investigation, and enforcement of HIPAA Privacy Rule violations in the context of reproductive health information; (3) publicity of HIPAA Privacy Rule provisions that allow any person, not just the patient who is the subject of the reproductive health information wrongly disclosed, to complain to the government; (4) the promulgation of regulations allowing private parties who assist HHS in identifying violations of the HIPAA Privacy Rule to receive a percentage of any settlement amount or CMP imposed by HHS; (5) the establishment of a private right of action allowing patients harmed by violations of the HIPAA Privacy Rule to recover damages for breaches of confidentiality; (6) the adoption of regulations allowing HHS to exclude HIPAA-covered entities from the Medicare and Medicaid programs for violations of the HIPAA Privacy Rule; (7) the extension of regulations that provide heightened confidentiality protections to psychotherapy notes to reproductive health information as well; (8) the imposition of restrictions on court-ordered disclosures of reproductive health information; (9) the clarification of some mandatory reporting laws and the amendment of others; (10) judicial adherence to state evidentiary privileges in some states and the amendment of evidentiary privileges in other states; and (11) the enactment of strong federal legislation that will regulate noncovered entities that collect, use, disclose, and sell reproductive health data.

This Article has carefully explained each proposal and, when appropriate, has offered draft text that will accomplish each proposal. If implemented by lawmakers, regulators, and judges, these proposals will discourage healthcare providers and other reproductive health data custodians from violating health information confidentiality rights. These proposals will also strengthen confidentiality and privilege protections available for reproductive health information, helping to level the reproductive rights playing field post-Dobbs.

* William J. Alley Professor of Law and Director, MLS and LLM in Healthcare Law Programs, University of Oklahoma College of Law, Norman, Oklahoma; Ph.D., University of Texas Medical Branch; J.D., University of Houston Law Center. The Author thanks Dean Katheleen Guzman for her generous financial support of this project, Professor D’Andra Millsap Shu and Ms. Elaine Bradshaw for their outstanding resource assistance, and Ms. Shawnda Henderson and Ms. Katrina Henderson for their thorough research assistance. The Author also thanks the organizers and participants of the following meetings, conferences, and webinars for their comments and suggestions on the ideas presented in this Article: Addressing Disparities to Reproductive Health Meeting, sponsored by the UCLA Law Center on Reproductive Health, Law, and Policy, the Williams Institute, and the Association of Prosecuting Attorneys (Apr. 21, 2022, Los Angeles, California); Southeastern Association of Law Schools Annual Meeting (Aug. 2, 2022, Sandestin, Florida); and Association of Prosecuting Attorneys, HIPAA and Law Enforcement Webinar (Aug. 22, 2022, Washington, D.C.).