
HIPAA: Its Confidentiality Protections (And Limits) – Privacy Protection


In the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, here is a reminder about the protections available for privacy and the confidentiality of health-related information under current law. This bulletin will discuss the Health Insurance Portability and Accountability Act (HIPAA).

First off, it is important to understand that HIPAA, composed of a Privacy Rule, Security Rule, and Data Breach Rule, regulates the use of patient information in the provision of health care in the United States. It only applies to “protected health information” (PHI) that is generated by a “covered entity” — health care provider, payer, or clearing house — in the provision of health care treatment, payment, or operations to a patient. Any other information, even if health related, does not get the protections of HIPAA.

For example, if one should enter and keep track of his weight, blood pressure, and medication use in a commercially available mobile application on his phone, that personal information is not PHI and not protected by HIPAA. Likewise, should a woman track her menstrual cycle or pregnancy in a commercially available mobile application, that information is not subject to the protections of HIPAA. The privacy of such data, in either example, including sharing of any data with a third party, would only be subject to the mobile application’s terms of use and privacy policy, which should meet any applicable state privacy law’s requirement.

Secondly, even if the information in question is PHI and even though HIPAA provides robust protections for the confidentiality of said PHI, it is important to note that patient consent is not always needed for all sharing or access to PHI.

The following are purposes for which PHI, including, but not limited to, abortion-related PHI, can be disclosed without prior patient authorization:

  • Oversight of the health care system, including licensing and regulation;
  • Public health, and in emergencies affecting the life or safety of a patient or others;
  • Judicial and administrative proceedings;
  • Law enforcement;
  • To provide information to next of kin or information on decedents;
  • For identification of the body of the deceased person or the cause of death;
  • For directories;
  • Workers’ compensation;
  • Medical examiner;
  • Certain research; and
  • In other situations where the use or disclosure is mandated by other laws.

It is important to understand that HIPAA’s protections for the confidentiality of PHI, including, but not limited to, abortion-related PHI, are not absolute. Any patient receiving treatment should always receive a Notice of Privacy Practices, which details a covered entity’s practices in the processing of PHI. Learn more about the basics of privacy and PHI from the Department of Health and Human Services in its Privacy Rule summary.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
