OCR Proposes HIPAA Changes to Prohibit PHI Disclosures to Law Enforcement for Abortion Prosecutions

by | Apr 13, 2023

The Department of Health and Human Services’ Office for Civil Rights (OCR) has proposed an update to the HIPAA Privacy Rule to strengthen protections for reproductive health care data and bolster patient-provider confidentiality.

The proposed update is in response to the decision of the Supreme Court that overturned Roe v. Wade, which provided a constitutional right to abortion for almost 5 decades. Since that decision, a dozen states have introduced bans on abortions and a dozen more have introduced restrictions. Since abortion remains legal in many states, individuals in restrictive states could travel to a more permissive state to receive abortion care. There are fears that law enforcement in states with restrictions on abortions could seek to prosecute state residents that travel to another state to receive abortion care, and that attempts would be made to obtain the protected health information (PHI) of those individuals from healthcare providers.

Disclosures of protected health information to law enforcement are permitted by the HIPAA Privacy Rule in certain circumstances, as  OCR confirmed in guidance released last year. OCR confirmed that while HIPAA permits these disclosures, they are not required by the HIPAA Privacy Rule, which means healthcare providers do not have to provide the requested PHI. OCR has now proposed an update to the HIPAA Privacy Rule that would prohibit healthcare providers from disclosing protected health information to law enforcement primarily to allow individuals seeking or receiving reproductive health care or providers of that care to be prosecuted.

The decision to update the HIPAA Privacy Rule was primarily taken to safeguard trust in the patient-provider relationship and ensure that when visiting a doctor and disclosing sensitive health information, patients will be assured that their private medical records will not be disclosed to law enforcement and used against them for seeking legal care. If a patient is not permitted by law to receive abortion care in one state, but seeks that care in a state where abortion care is illegal, that patient should not be prosecuted for receiving that care, nor should the provider of that care.

The proposed changes are narrow in scope and apply specifically to disclosures of PHI to law enforcement related to reproductive health care, which includes, but is not limited to, “prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and treatment for reproductive-related conditions such as ovarian cancer.”

Disclosures of PHI will be prohibited if they are primarily required for:

  • A criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • The identification of any person for the purpose of initiating such investigations or proceedings.

“I have met with doctors across the country who have shared their stories. These providers have expressed fear, anger, and sadness that they or their patients may end up in jail for providing or obtaining evidence-based and medically appropriate care,” said OCR Director Melanie Fontes Rainer. “Trust is critical in the patient-doctor relationship and medical mistrust can damage and chill patients’ relationship with their providers, imperiling patient health. Today’s proposed rule is about safeguarding this trust in the patient-provider relationship, and ensuring that when you go to the doctor, your private medical records will not be disclosed and used against you for seeking lawful care.  This is a real problem we are hearing and seeing, and we developed today’s proposed rule to help address this gap and provide clarity to our healthcare providers and patients.”

OCR will be accepting comments on the proposed rule for 60 days from the date of publication in the Federal Register.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.


    Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

    Comprehensive HIPAA Training

    Used in 1000+ Healthcare Organizations and 100+ Universities

      Full Course - Immediate Access

      Privacy Policy