Maryland Senators Urge Biden Administration to Strengthen Privacy Protections for Women Seeking Reproductive Health Care

September 19, 2022

As Republicans pass abortion bans and states investigate and punish women for seeking reproductive care, Senators call for HHS to take immediate action to protect women’s privacy under HIPAA

U.S. Senator Chris Van Hollen (D-Md.) joined Senator Patty Murray (D-Wash.), and 28 of their colleagues in calling on the Department of Health and Human Services (HHS) to take immediate action to safeguard women’s privacy and their ability to safely and confidentially get the health care they need.

Specifically, the Senators urged the Biden Administration to strengthen federal privacy protections under the Health Information Portability and Accountability Act (HIPAA) to broadly restrict providers from sharing patients’ reproductive health information without their explicit consent—particularly with law enforcement or in legal proceedings over accessing abortion care. The push from the Senators comes as legislators and prosecutors across the country have sought to enforce Republicans’ abortion bans by investigating women and doctors for seeking and providing abortion care.

“Our nation faces a crisis in access to reproductive health services, and some states have already begun to investigate and punish women seeking abortion care. It is critical that HHS take all available action to fully protect women’s privacy and their ability to safely and confidentially seek medical care,” wrote the Senators.

In their letter to Secretary Xavier Becerra, the Senators urge HHS to take immediate action to strengthen federal privacy protections under HIPAA, bolster enforcement of the protections, educate providers about their obligations, and ensure patients understand their rights. In June, in the wake of the Dobbs decision, Becerra pledged to work to protect patient and provider privacy.

“To safeguard the privacy of women’s personal health care decisions and ensure patients feel safe seeking medical care, including reproductive health care, we urge you to quickly initiate the rulemaking process to strengthen privacy protections for reproductive health information,” urged the Senators. “In particular, HHS should update the HIPAA Privacy Rule to broadly restrict regulated entities from sharing individuals’ reproductive health information without explicit consent, particularly for law enforcement, civil, or criminal proceedings premised on the provision of abortion care.”

Since the Dobbs decision, the new patchwork of state abortion bans has caused widespread confusion among health care providers over whether they are required to turn over patients’ health information to state and local law enforcement. This confusion fundamentally threatens women’s health, as patients may delay or avoid seeking the care they need out of fear their sensitive health information could be weaponized against them. In recent weeks, states have investigated and sought to punish patients and providers for seeking and providing abortion care.

Joining Senators Van Hollen and Murray in sending the letter were Senators Baldwin (D-Wis.), Blumenthal (D-Conn.), Booker (D-N.J.), Brown (D-Ohio), Cantwell (D-Wash.), Casey (D-Pa.), Duckworth (D-Ill.), Durbin (D-Ill.), Gillibrand (D-N.Y.), Heinrich (D-N.M.), Hickenlooper (D-Colo.), Hirono (D-Hawaii), Kaine (D-Va.), Klobuchar (D-Minn.), Luján (D-N.M.), Markey (D-Mass.), Menendez (D-N.J.), Merkley (D-Ore.), Padilla (D-Calif.), Reed (D-R.I.), Rosen (D-Nev.), Sanders (I-Vt.), Shaheen (D-N.H.), Smith (D-Minn.), Stabenow (D-Mich.), Warner (D-Va.), Warren (D-Mass.), and Wyden (D-Ore.).

Full text of the letter can be found here and below.



Dear Secretary Becerra:

Since the Supreme Court’s decision to strip away the constitutional right to abortion, patients across the country have lost access to reproductive health care, and providers have scrambled to adapt to the immense confusion, fear, and upheaval this ruling has caused. In some states, legislators and prosecutors have already sought to investigate and punish women seeking abortion care. To protect patients, and their providers, from having their health information weaponized against them, we urge you to take immediate action to strengthen education on and enforcement of federal health privacy protections, and to initiate the rulemaking process to augment privacy protections under Health Insurance Portability and Accountability Act (HIPAA) regulations.

Every day, health care personnel across this nation care for patients who are pregnant or may become pregnant. This care may include anything from an annual check-up to obstetrical visits to emergency care. In order for patients to feel comfortable seeking care, and for health care personnel to provide this care, patients and providers must know that their personal health information, including information about their medical decisions, will be protected. Recognizing this critical need, in 1996, Congress passed HIPAA, which directed the Department of Health and Human Services (HHS) to issue privacy regulations for personal health information. HHS issued corresponding privacy regulations (the “HIPAA Privacy Rule”) in 2000, with several subsequent updates over the years.

The Dobbs v. Jackson Women’s Health Organization decision has caused widespread confusion among health care providers on health privacy protections, and whether they are required to turn over health information to state and local law enforcement. Stakeholders have told us about providers who have felt uncertain about whether they must turn over personal health information to state and law enforcement officials, including cases where providers believed they had to turn over information when doing so is only permitted—but not required—under the HIPAA Privacy Rule. In other cases, providers did not know that certain disclosures are actually impermissible. Stakeholders have even described clashes between providers and health care system administrators on whether certain information must be shared. Many of these issues seem to arise from misunderstandings of what the HIPAA Privacy Rule requires of regulated entities and their employees.

This confusion is likely to grow as state lawmakers continue to implement a patchwork of laws restricting access to abortion and other reproductive health care services. Already, some states have laws in effect criminalizing abortion providers, and some states have enacted laws that penalize anyone who “aids or abets” an abortion, potentially exposing everyone from a referring provider to a receptionist to legal liability. Some state legislators have even proposed to bar women from traveling to another state for abortion care. And even before Dobbs, states had already prosecuted women following their abortions or miscarriages. In many cases, these laws have been used to disproportionately criminalize or surveil women of color for their pregnancy loss.

Actions to prohibit abortion access and undermine health privacy are likely to have devastating consequences for women’s health. Out of concern that their reproductive health information may be used against them, women may delay or avoid disclosing a pregnancy or obtaining prenatal care. They may fear initiating treatments for conditions like cancer or arthritis, where treatment could impact a pregnancy, even as health care providers may hesitate to provide them. And women who experience complications from a pregnancy or abortion may avoid seeking desperately needed emergency care, risking devastating health consequences and even death. These concerns are not without justification – in recent years, numerous medical providers have reported women to law enforcement for seeking care following an abortion, a miscarriage, or other pregnancy-related medical issue.

HHS has the tools to protect patients and health care providers, even in the wake of this devastating decision. For over twenty years, the HIPAA Privacy Rule has protected the privacy of individuals’ health information, laying out when health information may or may not be shared without a patient’s explicit consent. In addition, the HIPAA Privacy Rule has long recognized that stronger protections may be needed for particularly sensitive health information, such as psychotherapy notes. We commend you for the actions the Department has already taken to clarify privacy protections in the wake of the Dobbs decision, including the issuance of additional guidance on the HIPAA Privacy Rule. However, given the growing likelihood that women’s personal health information may be used against them, HHS must also take proactive steps to strengthen patient privacy protections.

To safeguard the privacy of women’s personal health care decisions and ensure patients feel safe seeking medical care, including reproductive health care, we urge you to quickly initiate the rulemaking process to strengthen privacy protections for reproductive health information. In particular, HHS should update the HIPAA Privacy Rule to broadly restrict regulated entities from sharing individuals’ reproductive health information without explicit consent, particularly for law enforcement, civil, or criminal proceedings premised on the provision of abortion care.

In addition, while HHS moves forward with the rulemaking process, the Department should take the following steps to improve awareness and enforcement of current privacy protections in the HIPAA Privacy Rule:

HHS should increase its efforts to engage and educate the health care community about regulated entities’ obligations under the HIPAA Privacy Rule, including the difference between permissible and required disclosures, best practices for educating patients and health plan enrollees on their privacy rights, how HIPAA interacts with state laws (including those related to prescriptions), and potential legal consequences for violations of the HIPAA Privacy Rule, including civil and criminal penalties.

As part of this effort, HHS should engage the full range of health care personnel, including providers, senior executives, and smaller health care organizations, as well as pharmacists, health plan administrators and sponsors, legal and compliance personnel, and entities that provide HIPAA training. These efforts should include listening sessions, additional guidance and FAQs with specific examples, webinars, and additional avenues for individuals at regulated entities to seek confidential advice.

HHS should expand its efforts to educate patients about their rights under the HIPAA Privacy Rule, including when information may be shared without patient consent, the ability to request additional restrictions or corrections, and how to file a complaint with HHS.

HHS should ensure cases involving reproductive health information receive timely, appropriate attention for compliance and enforcement activities.

Our nation faces a crisis in access to reproductive health services, and some states have already begun to investigate and punish women seeking abortion care. It is critical that HHS take all available action to fully protect women’s privacy and their ability to safely and confidentially seek medical care. Thank you for your attention to this urgent matter.