HIPAA Privacy Concerns Post-Dobbs

• Published date: 04 July 2022
• Subject Matter: Food, Drugs, Healthcare, Life Sciences, Privacy, Privacy Protection
• Law Firm: Mayer Brown
• Author: Mr Marcus Christian, Kelly Kramer, Jason Linder, Dominique Shelton Leipzig and Britteny L. Leyva

The United States Supreme Court recently issued its decision in Dobbs v. Jackson Women's Health Org., --- U.S. ---, 2022 WL 2276808 (2022), overturning Roe v. Wade, 410 U.S. 113 (1973), and Planned Parenthood of Southeastern Pennsylvania v. Casey, 505 U.S. 833 (1992). In holding that the U.S. Constitution does not protect a right to abortion, the court "returned" regulating abortion to the individual states. Aside from the obvious systematic implications of the decision, Dobbs has now created various challenges for pharmaceutical retailers and their ability to comply with Health Insurance Portability and Accountability Act ("HIPAA") privacy requirements.

Key Considerations for Pharmaceutical Retailers and Beyond

HIPAA is a comprehensive federal law that created national standards to prevent certain health information from being disclosed without a patient's knowledge or consent.¹ The US Department of Health and Human Services ("HHS") issued regulations to implement HIPAA requirements, which are collectively known as the Privacy Rule, Security Rule, and the Breach Notification rule.² Although the Privacy Rule poses the most risk post-Dobbs, pharmaceutical retailers should still be mindful of the Breach Notification Rule, which may come into play if a covered entity discloses personal health information ("PHI") without an adequate basis. The Privacy Rule sets forth standards on the use and disclosure of PHI by "covered entities."³ PHI includes information that may be used to identify an individual (e.g., name, address, birth date, and Social Security Number) and relates to an individual's physical or mental health or condition, the provision of health care to the individual, or payment for health care.⁴ Pursuant to the Privacy Rule, a covered entity may not use or disclose PHI except as permitted by the regulations.⁵

Such permitted disclosures, outlined in the regulations, include disclosures required by law, for law enforcement purposes, to avert a serious threat to health or safety, and for judicial and administrative proceedings.⁶ Many of these instances involve reporting crimes, threats to the health or safety of an individual, child abuse, and domestic violence and providing PHI to law enforcement to identify a fugitive. Id. In the wake of Dobbs, however, pharmaceutical retailers that fill prescriptions used to end a pregnancy might now be served with subpoenas, search warrants, or discovery requests from state or local prosecutors in states that ban...