January 25, 2024
By Michaela Kretzner

Michaela Kretzner (she/her) is a third year law student at American University Washington College of Law, where she is concentrating on reproductive justice, health law, and healthcare compliance. She serves as Co-President of the AUWCL chapter of If/When/How and Publications Editor on the Journal of Gender, Social Policy & the Law.

You may believe that your medical information is protected by HIPAA, and to some extent, that is true. However, HIPAA is widely misunderstood. And, horrifyingly, that misunderstanding can put people at risk for criminalization. 

There are many common misconceptions about HIPAA, including that it exists to keep your medical information confidential, applies broadly to anyone or anything with the capacity to share that information, and that the rules of HIPAA supersede other laws and regulations. Instead, HIPAA is meant to balance privacy considerations with effective and efficient health care operations. While the HIPAA Privacy Rule does have provisions for protecting information, it primarily applies to information kept by doctors and insurers, as well as vendors that work with them and have access to medical information. Even for those groups, the privacy protections are not absolute—there are exceptions to HIPAA’s protections, which often rely heavily on what is allowed or required under other federal and state laws and regulations. For example, HIPAA permits disclosure of certain information, in certain situations, to law enforcement, such as in cases of suspected child abuse. But providers may only alert law enforcement of a suspected crime in very narrow circumstances.

It’s important that providers understand how HIPAA’s Privacy Rule applies in the context of reproductive decision-making, as there has long been a risk of criminalization for self-managed abortion and other pregnancy outcomes. Pregnancy can be criminalized when a state seeks to penalize someone for taking certain types of actions during pregnancy, whether or not these actions lead to actual harm to the pregnancy or fetus, and whether or not the pregnant person committed an actual crime. People have been criminalized for self-managing an abortion, taking drugs while pregnant, experiencing accidental harm during pregnancy, and for considering an abortion during their pregnancy. We know from If/When/How’s litigation experience and research that states criminalized self-managed abortion by misusing an assortment of laws, including laws related to mishandling human remains, practicing medicine without a license, and child abuse, outside their original purpose. Unsurprisingly, women of color and low-income women are disproportionately criminalized for managing their own abortion. 

Although many medical groups oppose criminalizing self-managed abortion and advise against involving law enforcement, people who are criminalized for managing their own abortion are often reported to police by care providers. In If/When/How’s study of self-managed abortion criminalization cases, at least 45% were reported to law enforcement by healthcare providers and social workers. It is likely that such reports to law enforcement violated HIPAA’s privacy protections, as no state law currently requires a care provider to report an alleged case of self-managed abortion to the police.

The Department of Health and Human Services (HHS), which is responsible for enforcing HIPAA, makes only limited enforcement data available, so it is unclear if any prior unlawful disclosures have resulted in enforcement actions. However, the unlawful nature of some reporting doesn’t shield their patients from harm, because whether or not the disclosure was permitted under HIPAA has no bearing on a criminal investigation once it is initiated. Instead, we know from research that 87% of people who were reported to police for a self-managed abortion faced arrest. 

But there is good news. In response to demands by reproductive health advocates, HHS released guidance on the application of HIPAA’s privacy protections to reproductive health care decisions to help healthcare providers navigate the changing landscape of abortion laws. This guidance gives clear descriptions and examples as to what HIPAA does and does not require. HHS is also in the process of updating the regulations of the HIPAA Privacy Rule to prohibit healthcare providers from disclosing information related to “lawfully provided” reproductive health care. For example, the proposed rule would confirm existing guidance to prohibit disclosure of suspected self-managed abortion unless explicitly required by state law. 

These efforts from the administration are an important first step–but the fight against pregnancy criminalization requires more. HHS should listen to advocates, like If/When/How, that are calling on the administration to further expand protections against pregnancy criminalization. Though the proposed rule will only protect “lawfully provided healthcare,” we hope the final rule will expand upon those protections. Until then, we should ensure that healthcare providers understand how HIPAA protects reproductive health choices to ensure that no one’s privacy is violated by being wrongly reported to police.  

Whatever reproductive choices people make, they deserve to seek medical care without fear of criminalization.