Denver – Today, U.S. Senators Michael Bennet (D-Colo.) and Catherine Cortez Masto (D-Nev.) called on the Biden Administration to update the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) to protect the privacy of patients who receive abortions from law enforcement agencies. Following the U.S. Supreme Court ruling in Dobbs v. Jackson Women's Health Organization to overturn Roe v. Wade, the U.S. Department of Health and Human Services (HHS) must take further action to protect the privacy of Americans and their medical information.

“When HIPAA was signed into law in 1996, Roe v. Wade had upheld the right to an abortion for over two decades. When the HIPAA Privacy Rule was issued in 2000, it would have been unimaginable that the Supreme Court would strip away this fundamental right more than 20 years later,” wrote Bennet and Cortez Masto in their letter to HHS Secretary Xavier Becerra. 

The Privacy Rule defines and limits when an individual’s protected health information may be used or disclosed by covered entities, like health care providers and insurers. Currently, HIPAA does not prevent the disclosure of protected health information, including information related to abortion and other reproductive health care, to law enforcement agencies. HIPAA permits covered entities to disclose this information if issued in a court-order, a court-ordered warrant, a subpoena, or summons. For patients living in states criminalizing reproductive health services, the Privacy Rule does not offer enough protection and jeopardizes the patient-provider relationship. 

Some entities, like Crisis Pregnancy Centers, which offer limited medical services, are not required to follow the HIPAA Privacy Rule at all. These entities often do not include abortion as a viable medical option, even in the case in which the mother’s life is at risk, and should be required to follow the same patient protection measures as all other providers. 

Bennet and Cortez Masto are urging HHS to immediately begin the process to update the Privacy Rule to clarify who is a covered entity, limit when that entity can share information on abortion or other reproductive health services, and make clear that reproductive health information cannot be shared with law enforcement agencies who target individuals who have an abortion. The senators also urge HHS to determine that Crisis Pregnancy Centers are required to follow requirements of the Privacy Rule.

The senators concluded: “The decision to start or expand a family is intensely personal and private. When patients speak with their providers about options for contraceptives, the progression of their pregnancy, or their choices to terminate a pregnancy, they expect those conversations to remain confidential. The individual liberty to make those decisions, and the conversations surrounding them, must be protected.”

The full text of the letter is available HERE and below. 

Dear Secretary Becerra:

Last week, the Supreme Court upended almost 50 years of legal precedent in its decision to overturn Roe v. Wade. The decision has created profound uncertainty for patients concerning their right to privacy when making the deeply personal decision to have an abortion. We write to urge the Department of Health and Human Services (HHS) to take immediate steps to protect the privacy of Americans receiving reproductive health care services by updating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization (Dobbs). 

When HIPAA was signed into law in 1996, Roe v. Wade had upheld the right to an abortion for over two decades. When the HIPAA Privacy Rule was issued in 2000, it would have been unimaginable that the Supreme Court would strip away this fundamental right more than 20 years later. 

Over the years, HHS has issued new rules or guidance on security, enforcement, and other needs relating to HIPAA. We appreciate the steps HHS recently took to protect access to reproductive health care services, including the new Office for Civil Rights guidance clarifying how federal law and regulations protect individuals’ private medical information relating to abortion and other sexual and reproductive health care and addressing the extent to which this information is protected on personal cell phones and tablets.  However, HHS has the authority to do more.  

The Privacy Rule is meant to “define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities.”  We urge HHS to immediately begin the process to update the Privacy Rule, following all requirements under the Administrative Procedure Act, to clarify who is a covered entity and to limit when that entity can share information on abortion or other reproductive health services. Specifically, HHS should clarify that this information cannot be shared with law enforcement agencies who target individuals who have an abortion. HHS should also determine that Pregnancy Care Centers (also known as “Crisis Pregnancy Centers”) are required to follow requirements of the Privacy Rule.

The decision to start or expand a family is intensely personal and private. When patients speak with their providers about options for contraceptives, the progression of their pregnancy, or their choices to terminate a pregnancy, they expect those conversations to remain confidential. The individual liberty to make those decisions, and the conversations surrounding them, must be protected. 

Following the Supreme Court’s decision in Dobbs, millions of Americans have lost a fundamental constitutional right to make their own health and reproductive decisions. We must do all that we can to protect their fundamental right to privacy. 

Thank you for your attention to this important issue.

Sincerely,