Publisher: Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter
In response to the U.S. Supreme Court decision in Dobbs, State Health Officer of the Mississippi Department of Health, et al. v. Jackson Women's Health Organization et al. (June 24, 2022), several states, including Connecticut, have enacted specific statutory protections related to reproductive health rights, including privacy protections. Healthcare providers need to know how such state privacy protections interplay with the federal protections under HIPAA.
For example, Section 2 of Connecticut's PA 22-19, An Act Concerning the Provision of Protections for Persons Receiving and Providing Reproductive Health Care Services in the State and Access to Reproductive Health Care Services in the State (effective July 1, 2022), prohibits disclosure by covered entities of certain communications and information related to reproductive healthcare services and requires written consent by the patient, the patient's guardian or other authorized legal representative prior to disclosure of such information. In particular, the act states:
"In any civil action or any proceeding preliminary thereto or in any probate, legislative or administrative proceeding, no covered entity, as defined in 45 CFR 160.103, shall disclose (1) any communication made to such covered entity, or any information obtained by such covered entity from, a patient or the conservator, guardian or other authorized legal representative of a patient relating to reproductive health care services, as defined in section 1 of this act, that are permitted under the laws of this state, or (2) any information obtained by personal examination of a patient relating to reproductive health care services, as defined in section 1 of this act, that are permitted under the laws of this state, unless the patient or that patient's conservator, guardian or other authorized legal representative explicitly consents in writing to such disclosure. A covered entity shall inform the patient or the patient's conservator, guardian or other authorized legal representative of the patient's right to withhold such written consent." PA 22-19, Section 2(a) (emphasis added).
Additionally, Section 2(c) states, "Nothing in this section shall be construed to impede the lawful sharing of medical records as permitted by state or federal law or the rules of the court prescribed by the Judicial Branch, except in the case of a subpoena commanding the production, copying or inspection of medical records relating to reproductive health care services, as defined in section 1 of this act."
Based on its plain language, PA 22-19 is more restrictive than HIPAA. Under HIPAA, "[a] covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section [such as a subpoena], subject to the applicable requirements of this section." 45 C.F.R. § 164.512 (emphasis added). In particular, "[c]overed entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided." Additionally, "[c]overed entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests..." 45 C.F.R. § 164.512(f). On the other hand, PA 22-19 requires the individual's written consent to disclose reproductive health information "in any civil action or any proceeding preliminary thereto or in any probate, legislative or administrative proceeding." See Section 2. In contrast, PA 22-19 limits the information that may be disclosed in judicial proceedings or to law enforcement without the individual's consent.
The interaction between state privacy laws and HIPAA has become more complicated for healthcare providers with the enactment of state laws designed to protect reproductive health rights. For example, providers may consider revising their medical record disclosure policies to instruct staff to account for more restrictive state reproductive health privacy laws. Providers may also examine whether new or revised consent forms are necessary.
The Day Pitney healthcare and privacy teams stay abreast of such new state privacy laws and can help with any needed analysis in this evolving area.
Would you like to receive our Day Pitney C.H.A.T. Newsletter? Sign up here.