2022 Oct 4;30(1):155–160. doi: 10.1093/jamia/ocac155

Table 2.

Various ways in which information about an individual’s abortion could be subject to privacy intrusions and potential ways to resolve such threats

| Scenario | Threats | Example | Opportunities for resolution |
|---|---|---|---|
| Employee in a Healthcare Organization (HCO) misuses EHR | Employee accesses PHI without justification | Clinician searches for information about a patient considering an abortion and reads the medical record of a patient for whom they are not providing care | • Increase access control granularity and auditing to ensure access on a need-to-know basis (eg, flag records of possible interest)<br>• Reinforce education for health professionals about patient privacy |
| Healthcare organization employee shares information | Employee accesses PHI and alerts law enforcement of a possible antiabortion law violation | Clinician reads a note in the patient record describing complications of a possible abortion, no matter where it occurred, and alerts authorities | • Educate employees that PHI is protected no matter where the care occurred and that decisions to disclose it should be made by the institution and not the employee |
| Healthcare organization shares information | HIPAA requires protection of PHI, but there are exceptions as "required by law" | A prosecutor requests EHR records given suspicion of abortion care | • Healthcare organizations should follow guidance from the Office for Civil Rights at the U.S. Department of Health and Human Services and not comply with the request without a specific statute or presentation of a subpoena, warrant, or court order (see Table 1) |
| Business Associate (BA) of healthcare organization shares information | Business associate shares data more readily than the health system because of different interpretations and internal policies | A prosecutor requests EHR records from the BA rather than the healthcare system given suspicion of abortion care | • HCO should enter into data use agreements (DUAs) with business associates requiring them to comply with institutional policy and notify the HCO before release<br>• BA should follow guidance from the Office for Civil Rights at the U.S. Department of Health and Human Services and not comply with the request without a specific statute or presentation of a subpoena, warrant, or court order (see Table 1) |
| Patient downloads information | Patients download data from the EHR and share it with third parties that are not bound by HIPAA | An individual shares data from their healthcare provider's EHR to their smartphone with third-party apps and has "consented" to allow further sharing | • Encourage healthcare organizations to inform patients that, once shared in this way, such data are no longer covered by HIPAA<br>• Expand the definition of health information |
| Consumer uses application to document health information | Data from personal apps are made available to or accessed by law enforcement to screen for and/or serve as evidence of a failed pregnancy | A woman keeps track of her period using a mobile application whose terms of service do not limit resharing | • Congress could consider expanding the definition of protected health information under HIPAA<br>• Congress could pass new laws to protect privacy rights more broadly |
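The first row's resolution, need-to-know access control with auditing and flagging of records of possible interest, is the one item in the table that maps directly onto a technical control. The following is an added illustration, not code from the article or from any EHR vendor, of how an HCO's audit process could run over access logs: every access by a user with no documented care relationship to the patient is reported, and every access to a flagged record is routed to review even when the user is on the care team. The log lines, care-team roster, and flagged-record set are constructed sample data; the CSV log format and the roster structure are assumptions.

```python
"""Need-to-know audit of EHR access events (added example with constructed data)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed audit log: timestamp,user,patient_id,action (not real data).
AUDIT_LOG = """\
2024-03-01T08:02:11,dr_lee,P1001,VIEW_NOTE
2024-03-01T08:05:40,dr_lee,P1002,VIEW_NOTE
2024-03-01T09:10:03,nurse_kim,P1002,VIEW_MEDS
2024-03-01T09:12:55,dr_patel,P1002,SEARCH_PATIENT
2024-03-01T09:14:20,dr_patel,P1002,VIEW_NOTE
2024-03-01T11:30:00,dr_lee,P1003,VIEW_NOTE
2024-03-01T12:00:00,nurse_kim,P1004,VIEW_NOTE
"""

# Constructed care-team roster: patient -> users with a treatment relationship.
# The roster format is an assumption; a real system would derive it from
# encounters, orders, and scheduling data.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"dr_lee"},
    "P1002": {"dr_lee", "nurse_kim"},
    "P1003": {"dr_lee"},
}

# Constructed set of records flagged as being of possible interest
# (eg, reproductive-health visits); every access is reviewed.
FLAGGED_RECORDS: Set[str] = {"P1002"}

NO_RELATIONSHIP = "no documented care relationship"
FLAGGED_ACCESS = "access to flagged record"


@dataclass
class AccessEvent:
    ts: str
    user: str
    patient: str
    action: str


@dataclass
class Finding:
    event: AccessEvent
    reason: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed CSV audit log into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append(AccessEvent(ts, user, patient, action))
    return events


def audit(events: List[AccessEvent],
          care_team: Dict[str, Set[str]],
          flagged: Set[str]) -> List[Finding]:
    """Report accesses outside the care team, and all accesses to flagged records.

    A patient missing from the roster has no care team, so every access to
    that record is reported rather than silently allowed.
    """
    findings = []
    for ev in events:
        team = care_team.get(ev.patient, set())
        if ev.user not in team:
            findings.append(Finding(ev, NO_RELATIONSHIP))
        elif ev.patient in flagged:
            findings.append(Finding(ev, FLAGGED_ACCESS))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by reason, for a daily review report."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    for f in audit(parse_log(AUDIT_LOG), CARE_TEAM, FLAGGED_RECORDS):
        print(f"{f.event.ts} {f.event.user} -> {f.event.patient} "
              f"({f.event.action}): {f.reason}")
    print(summarize(audit(parse_log(AUDIT_LOG), CARE_TEAM, FLAGGED_RECORDS)))
```

On the constructed data this reports dr_patel's search and note view on P1002 and nurse_kim's access to the unrostered P1004 as accesses without a care relationship, and the two on-team accesses to the flagged P1002 record for review. The design choice worth noting is the default for an unrostered patient: treating "no roster entry" as "no relationship" keeps a gap in the roster from turning into unaudited access.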

Abbreviations: EHR: electronic health record; HIPAA: Health Insurance Portability and Accountability Act of 1996; PHI: protected health information.