Is Disclosing a Pregnancy a HIPAA Violation?
Whether disclosing a pregnancy is a HIPAA violation depends on who is disclosing the information, the purpose of the disclosure, who the disclosure is made to, and whether any required consent, authorization, or attestation has been obtained. How the disclosure is made can also determine whether it constitutes a HIPAA violation.
In order to accurately answer the question is disclosing a pregnancy a HIPAA violation, it is necessary to take a number of factors into account. The first factor is who is making the disclosure. If the disclosure is made by a member of a HIPAA covered entity’s or business associate’s workforce, it could be a HIPAA violation depending on subsequent factors.
If the disclosure is made by somebody who does not work for a HIPAA covered entity or business associate, it will not be a HIPAA violation. However, if the discloser of the information had previously attested not to disclose information about the pregnancy under §164.509 of the HIPAA Privacy Rule, they would be in violation of §1177 of the Social Security Act.
The Purpose of the Disclosure
The second factor to take into account when answering the question is disclosing a pregnancy a HIPAA violation is the purpose of the disclosure. The HIPAA Privacy Rule permits disclosures of Protected Health Information (PHI) for treatment, payment, and health care operation purposes – including to other HIPAA covered entities when a treatment relationship with the patient exists.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
HIPAA covered entities are also permitted to disclose PHI for purposes covered by §164.512 of the HIPAA Privacy Rule – including disclosures required by law. This is relevant to answering is disclosing a pregnancy a HIPAA violation because many states have mandatory child abuse reporting requirements which can include reporting teen pregnancies attributable to abuse.
Other than when disclosures are permitted for treatment or required by law, the amount of PHI disclosed must be limited to the minimum necessary to achieve the purpose of the disclosure. Therefore, if an employer requests information about an employee’s injuries to fulfil their OSHA reporting requirements, and the pregnancy is not related to the employee’s injuries, it would be a HIPAA violation to disclose the pregnancy to the employer.
Who the Disclosure is Made To
Disclosures of PHI can be made to the subject of the PHI and HHS’ Office for Civil Rights, for treatment purposes, and when required by law without violating HIPAA. Who disclosures can be made to in other circumstances are most often event-specific determinations – which may be subject to restrictions if an individual has exercised their right to request privacy protections.
In the context of is disclosing a pregnancy a HIPAA violation, this could mean an expectant mother might request their partner or other family member is not informed of the pregnancy. In this case, it would be a HIPAA violation to disclose the pregnancy – or cause the pregnancy to be disclosed by failing to document the request and ensure other workforce members are aware of it.
It is also a HIPAA violation to disclose a pregnancy to any person or entity if the purpose of the disclosure is to support a prohibited activity. Prohibited activities include, but are not limited to, investigations into individuals who seek, obtain, provide, or facilitate lawful reproductive health care. Further prohibited activities, the rule of applicability, and presumptions can be found in §164.502 of the HIPAA Privacy Rule.
Consent, Authorization, and Attestation
While many disclosures of PHI are expressly permitted or prohibited by the HIPAA Privacy Rule, some disclosures of a patient’s pregnancy are subject to consent, authorization, or attestation requirements. The consent requirements are the most difficult to comply with as healthcare providers may be required to use their professional judgement if a pregnant patient is unable to agree or object to a disclosure.
There is also the issue of implied consent when a patient is accompanied to an appointment by a partner or family member. If consent to disclose information about a pregnancy is not explicitly communicated, healthcare providers must use their professional judgement to determine whether consent is implied based on the patient’s actions. In some circumstances, it may not be in the patient’s best interests to discuss the pregnancy with the partner or family member present.
In these circumstances – and in other events where the risk of an impermissible disclosure exists – healthcare providers can avoid HIPAA violations by asking patients to sign a valid HIPAA authorization or by requesting a third party to sign a valid HIPAA attestation. The circumstances in which these forms might be necessary and the correct way to complete and document them should be explained to all members of the workforce during HIPAA training.
How the Disclosure is Made
Disclosures of PHI are most often verbal, written, or electronic. When the disclosure of a pregnancy is verbal, it may be important that the conversation is private. This means the conversation should be conducted in a private area of the healthcare facility, or – if conducted remotely – the healthcare provider should ensure the conversation cannot be overheard or viewed by others at either end of the phone or video connection.
When the disclosure of a pregnancy is mailed to a patient, it may be necessary to check whether the patient has requested confidential communications are mailed to an address other than their home address. Thereafter, it will be necessary to ensure the letter is correctly addressed and that the nature of the communication is not visible – for example, by checking that only the address is visible through the envelope’s window.
With regards to electronic communications, these must comply with the HIPAA Security Rule unless a patient has consented to – or authorized – communications via non-compliant channels. As an electronic disclosure of a pregnancy is most likely to be by email, this means that the system used to send HIPAA compliant emails must comply with all applicable security standards and be used in compliance with the healthcare organization’s security policies.
Is Disclosing a Pregnancy a HIPAA Violation? Other Considerations
Disclosing a pregnancy is not a HIPAA violation when the purpose of the disclosure, the recipient of the disclosure, any required documentation supporting the disclosure, and how the disclosure is made comply with HIPAA. However, the disclosure may have to comply with other state and federal regulations that govern the privacy and security of individually identifiable health information.
A number of states have enacted privacy laws with more stringent requirements than HIPAA – some of which cross state boundaries and apply nationwide to citizens from the state (i.e., Texas, New York, etc.). It is important for healthcare providers to be aware of state laws that apply to their operations and accommodate any state requirements in HIPAA policies and procedures.
It may also be necessary when disclosing information about a pregnancy to consider federal laws that protect expectant mother against pregnancy discrimination and pregnancy related disability discrimination. While not a requirement of HIPAA, it may be advisable to inform first time mothers about their rights under Department of Labor and Equal Opportunities legislation.
