HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care

On June 18, 2025, the U.S. District Court for the Northern District of Texas issued an order declaring unlawful and vacating most of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy at 89 Federal Register 32976 (April 26, 2024). With regard to the modifications to the HIPAA Privacy Rule Notice of Privacy Practices (NPP) requirements at 45 CFR 164.520, the court vacated only the provisions that were deemed unlawful, namely 164.520(b)(1)(ii)(F), (G), and (H). The remaining modifications to the NPP requirements are undisturbed and remain in effect, see Carmen Purl, et al. v. U.S. Department of Health and Human Services, et al., No. 2:24-cv-00228-Z (N.D. Tex. June 18, 2025). Compliance with the remaining NPP modifications is required by February 16, 2026. HHS will determine next steps after a thorough review of the court’s decision.

Access to comprehensive reproductive health care services, including abortion care, is essential to individual health and well-being.1The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule2 (Privacy Rule) supports such access by giving individuals confidence that their protected health information (PHI),3 including information relating to abortion and other sexual and reproductive health care, will be kept private.

The Office for Civil Rights (OCR) administers and enforces the Privacy Rule, which establishes requirements with respect to the use, disclosure, and protection of PHI by covered entities (health plans, health care clearinghouses, and most health care providers)4 and, to some extent, by their business associates.5 These regulated entities can use or disclose PHI, without an individual’s signed authorization,6 only as expressly permitted or required by the Privacy Rule.7,8

The Privacy Rule permissions for disclosing PHI without an individual’s authorization for purposes not related to health care, such as disclosures to law enforcement officials, are narrowly tailored to protect the individual’s privacy and support their access to health services. This guidance addresses these types of permitted disclosures and their limitations.

Disclosures Required by Law

The Privacy Rule permits but does not require covered entities to disclose PHI about an individual, without the individual’s authorization, when such disclosure is required by another law and the disclosure complies with the requirements of the other law.9 This permission to disclose PHI as “required by law” is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.”10 Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law.11 Disclosures of PHI that do not meet the “required by law” definition in the HIPAA Rules,12 or that exceed what is required by such law, do not qualify as permissible disclosures.13

Example:

  • An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.

Disclosures for Law Enforcement Purposes

The Privacy Rule permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes “pursuant to process and as otherwise required by law”, under certain conditions.14 For example, a covered entity may respond to a law enforcement request made through such legal processes as a court order or court-ordered warrant, or a subpoena or summons, by disclosing only the requested PHI, provided that all of the conditions specified in the Privacy Rule for permissible law enforcement disclosures are met.15

In the absence of a mandate enforceable in a court of law,16 the Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care. That is true whether the workforce member initiated the disclosure to law enforcement or others or the workforce member disclosed PHI at the request of law enforcement.17 This is because, generally, state laws do not require doctors or other health care providers to report an individual who self-managed the loss of a pregnancy to law enforcement.18 Also, state fetal homicide laws generally do not penalize the pregnant individual, and “appellate courts have overwhelmingly rejected efforts to use existing criminal and civil laws intended for other purposes (e.g., to protect children) as the basis for arresting, detaining, or forcing interventions on pregnant” individuals.19,20

Examples:

  • A law enforcement official goes to a reproductive health care clinic and requests records of abortions performed at the clinic. If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
  • A law enforcement official presents a reproductive health care clinic with a court order requiring the clinic to produce PHI about an individual who has obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but not require the clinic to disclose the requested PHI. The clinic may disclose only the PHI expressly authorized by the court order.

Disclosures to Avert a Serious Threat to Health or Safety

The Privacy Rule permits but does not require a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat.21 According to major professional societies, including the American Medical Association and American College of Obstetricians and Gynecologists, it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care.22

Example:

  • A pregnant individual in a state that bans abortion informs their health care provider that they intend to seek an abortion in another state where abortion is legal. The provider wants to report the statement to law enforcement to attempt to prevent the abortion from taking place. However, the Privacy Rule would not permit this disclosure of PHI to law enforcement under this permission for several reasons, including:
    • A statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a “serious and imminent threat to the health or safety of a person or the public”.
    • It generally would be inconsistent with professional ethical standards as it compromises the integrity of the patient–physician relationship and may increase the risk of harm to the individual.

Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected. 

Other Laws

Providers who may be concerned about their obligations to disclose information concerning abortion or other reproductive health care should seek legal advice regarding their responsibilities under other federal and state laws.

Filing a Privacy Complaint

If you believe that your (or someone else’s) health privacy rights have been violated, visit the OCR complaint portal at https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf to file a complaint online.

DISCLAIMER: The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing requirements under the law or the Departments’ policies.

To obtain this information in an alternate format, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing OCRMail@hhs.gov.  Language assistance services for OCR matters are available and provided free of charge.

Content created by Office for Civil Rights (OCR)
Content last reviewed