COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER
Department of Health and Human Services
Notice of Proposed Rulemaking:
HIPAA Privacy Rule to Support Reproductive Health Care Privacy
88 Fed. Reg. 23,506
June 16, 2023
The Electronic Privacy Information Center (EPIC) submits these comments in response to the Department of Health and Human Services (HHS)’s April 17, 2023 request for comment on its notice of proposed rulemaking to modify disclosure standards for protected health information under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The proposed modifications would limit uses and disclosures of Protected Health Information (PHI) where the information relates to lawfully obtained reproductive health care. EPIC commends HHS for taking meaningful steps to protect the privacy of people’s reproductive health information, but we recommend that the agency further strengthen the rule to ensure that these protections are not easily sidestepped, to raise the baseline level of protection for all health data to the constitutional standard, and to specifically overrule state mandatory reporting laws that would otherwise undermine the proposed rule.
EPIC is a public interest research center in Washington, D.C. established in 1994 to focus public attention on emerging civil liberties issues and to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. EPIC routinely files comments in response to proposed rulemakings concerning the protection of personal information. EPIC has advocated for reproductive privacy and health privacy protections, including through our statement opposing the Supreme Court’s rollback of the constitutional right to abortion, our analysis of reproductive privacy after the overturn of Roe v. Wade, and our amicus brief to the Colorado Supreme Court explaining how new technologies like reverse keyword warrants can undermine access to abortion and reproductive health care. EPIC has also urged that businesses and other entities be required restrict their collection, use, disclosure, and retention of sensitive personal data, such as protected health information, to that which is strictly necessary.
To protect patient privacy, EPIC makes the following recommendations: (1) the Privacy Rule should remove “lawful” from the proposed language and require a sworn statement rather than a simple attestation; (2) the Privacy Rule should establish a warrant standard for law enforcement access to PHI for a permissible purpose; and (3) the Privacy Rule should Prohibit PHI disclosures in mandatory reporting regimes where that information may be used to identify a person who has obtained or assisted someone in obtaining an abortion.
I. The Updated Privacy Rule Should Not be Limited to Only ‘Lawful’ Reproductive Health Care Services and Should Require Sworn Statements
The Department should further strengthen the HIPAA Privacy Rule in order to protect patient privacy. The Privacy Rule dictates that a covered entity may only use or disclose PHI as permitted or required by the Rule. The Department’s proposed amendments to the Privacy Rule would “prohibit a regulated entity from using or disclosing PHI where the PHI would be used for a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or identifying any person for the purpose of initiating such an investigation or proceeding[.]”
While this amendment would impose significant new limits on the disclosure of reproductive health information to law enforcement, we are concerned that there would remain gaps in coverage that could expose individuals to improper law enforcement inquiries. Specifically, the rule would condition its heightened protections for reproductive health data on the “lawful[ness]” of the underlying reproductive care—a distinction that is unnecessarily restrictive, wrongly differentiates federal privacy protections according to state law, and risks deterring patients who are poorly situated to evaluate the legality of particular reproductive health services from seeking essential care.
EPIC therefore urges the Department to eliminate the term “lawful” from Section IV.B.2 of the proposed rule to prohibit a regulated entity from using or disclosing PHI for use in a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care. The Department should not limit the prohibition against disclosure of PHI to law enforcement only to PHI pertaining to lawful reproductive health services.
Disclosing PHI to law enforcement in connection with an investigation into reproductive health care is a secondary use of personal information directly at odds with the purpose for which that data was collected: the rendering of health care services. When a patient seeks health care services and accordingly shares their sensitive information with a provider, the patient expects that their information will be used within this context. The patient may expect that some of their information may be used for billing or insurance purposes, or to verify the patient’s identity. But the patient would not expect that their sensitive personal information would be used in a law enforcement investigation—particularly not if the patient reasonably believed that the reproductive health services they sought were legal (only to discover later that a state considers them illegal). To ensure that reproductive PHI is safeguarded in a manner consistent with the context and purpose of its collection—and to avoid legal uncertainty that may deter patients from seeking essential health care—the Department should remove the limiting “lawful” terminology from the proposed Privacy Rule.
As an additional step, the amended Privacy Rule should prohibit covered entities from using or disclosing reproductive PHI without receipt of a sworn statement that the use or disclosure is not being sought for a prohibited purpose. Absent such a statement made under penalty of perjury, a law enforcement agency or other entity may more readily conceal improper intent for obtaining PHI and subsequently use it for prohibited purposes. Although we separately advocate in Part II for an across-the-board warrant requirement for law enforcement access toPHI, requiring a sworn statement is an important mechanism for ensuring that the Privacy Rule’s safeguards against law enforcement misuse of reproductive PHI are effective.
Finally, in addition to the above measures, we note that the Department can and should use its authority to protect the health privacy of vulnerable populations in other ways. Other types of health information—in particular, PHI relating to gender-affirming care—is similarly sensitive to reproductive health care information (and may in some cases even qualify as reproductive PHI). The Department should explicitly extend the protections in the proposed Privacy Rule to data pertaining to other types of at-risk health care, including gender-affirming care and hormone treatments. Alternatively, the Department should update the Privacy Rule again in the future to protect these types of data.
II. The Department Should Establish a Warrant Requirement for Law Enforcement Access to PHI
The HIPAA Privacy Rule should establish that police must get a warrant supported by probable cause before obtaining a patient’s medical records unless a patient provides informed consent or an exigent circumstance requires warrantless access. Patients’ medical information is widely understood to be one of the most private and confidential categories of information. For this reason, many courts rightfully consider patients to have a reasonable expectation of privacy in that information, meaning police must obtain a warrant supported by probable cause to access the information absent consent or exigent circumstances. The current Privacy Rule defies the constitutional standard by allowing law enforcement to obtain medical information without a warrant. Amending the Privacy Rule to bring it in line with the Fourth Amendment standard would help normalize privacy protections nationwide and provide clarity to covered entities’ legal departments.
Under the Fourth Amendment, police must generally obtain a warrant when a search or seizure would violate a person’s reasonable expectation of privacy. In Smith v. Maryland, the Supreme Court explained that when a person subjectively expects something to remain private, and this expectation is something that society is prepared to recognize as reasonable, then police must obtain a warrant before conducting a search. Certain limited and pre-defined exceptions may excuse police from obtaining a warrant, such as when exigent circumstances make the warrant process untenable.
People have an expectation that their sensitive medical records are private documents, and society readily recognizes this expectation as reasonable. Medical records can include some of the most intimate details about a person’s life: the way a patient’s body and mind works, whether a patient has been subjected to violence or has done harm to him or herself, embarrassing details about a patient’s bodily functions, and more. Nearly 75 percent of patients are concerned about protecting the privacy of their health data. For this reason, medical records have long been treated as highly confidential. The Hippocratic Oath has bound health care providers to confidentiality for millennia. Several signers of the Declaration of Independence were physicians who had sworn an oath of confidentiality in treating patients. Every state has some form of statute restricting the use and disclosure of medical information.
Many courts have recognized that people are entitled to privacy protections for their medical records. The Supreme Court, for example, ruled that patients have a reasonable expectation of privacy in their medical records and that police must get a warrant before searching them, noting that the “reasonable expectation of privacy enjoyed by the typical patient undergoing diagnostic tests in a hospital is that the results of those tests will not be shared with nonmedical personnel without her consent.” Many other courts have ruled that medical records require privacy protections, such as federal courts of appeals in the Third Circuit, Fourth Circuit, and Ninth Circuit, and the highest courts in Louisiana, Montana, Massachusetts, Georgia, Pennsylvania, Vermont, and New York. The number and diversity of courts to have recognized a need for medical record privacy protection demonstrates that society’s expectation of privacy in these records is reasonable.
Some courts have recognized that patients’ privacy interest in their medical records is so strong that full Fourth Amendment protections such as the warrant requirement apply. The Supreme Court ruled that a hospital could not share pregnant patients’ drug testing results with law enforcement without a warrant supported by probable cause when the aim of the drug testing was aiding criminal law enforcement. The Fourth Circuit ruled that the Fourth Amendment requires police to obtain a warrant before searching through medical records for a criminal investigation. And many state courts of last resort have ruled similarly for the Fourth Amendment or their state constitutional analogs.
Unfortunately, patients’ privacy rights have not been consistently protected, and the state of the law is confusing due in part to the current version of the HIPAA Privacy Rule. The Privacy Rule conflicts with the aforementioned judicial rulings by permitting covered entities to share patients’ medical records with law enforcement based only on the presence of a subpoena, which is insufficient for Fourth Amendment purposes. Subpoenas do not include the Fourth Amendment protections of judicial oversight, probable cause, and particularity. They have often been subject to abuse—for example, government officials having been exposed as having served subpoenas they claim are from grand juries when those grand juries in fact do not exist.
The Department should amend the HIPAA Privacy Rule to meet the constitutional standard by requiring law enforcement to obtain a warrant for medical records unless a patient provides informed consent or a warrant exception applies. This would help avoid confusion and distress for patients and would provide uniformity and clarity to hospitals’ legal departments. It could also ensure that courts adopt the warrant requirement more uniformly in more circumstances, since courts sometimes look to statutes and regulations when determining whether society regards a person’s expectation of privacy as reasonable.
EPIC proposes that the Department amend the Privacy Rule consistent with the redlines in Attachment A.
III. The Privacy Rule Should Prohibit Mandatory Reporting Requirements that Could be Used to Identify a Person Who has Obtained or Aided Someone to Obtain an Abortion
While the Department’s proposal to strengthen the HIPAA Privacy Rule rightly focuses on limiting law enforcement access to reproductive health records, the rule as proposed would not address a major vehicle through which that data is currently exposed: state mandatory reporting laws. For the proposed to rule to be most effective, it must also address mandatory reporting regimes because that data collection becomes a source to propel or initiate criminal intervention. For that reason, HHS should prohibit disclosure of identifying reproductive health information in response to mandatory reporting laws.
Health information can be viewed as a “valuable commodity that society needs in order to identify criminal suspects, investigate epidemics, calculate budgets, monitor the quality of care, develop social policy, and conduct biomedical and behavioral research.” However, a person’s reproductive health information is also intensely personal. The mandatory collection and potential disclosure of reproductive health information is harmful in myriad ways, spanning from the invasion of privacy to the threat of criminalization, social consequences, and chilling access to health care. Considering the growing risk and volatility surrounding reproductive health information and health care criminalization after Dobbs, HHS should reevaluate the balance between the public health surveillance benefits and the harms caused by the collection, threat of disclosure, and actual disclosure of reproductive health information fueled by mandatory reporting laws.
a. Mandatory Reporting Laws Amass Reproductive Health Care Information
There are various types of mandatory reporting laws that require the collection of reproductive health information. Mandatory reporting requirements produce troves of information that can be shared with third parties or disclosed in a way that may enable re-identification. Most states in the U.S. have mandatory reporting laws that require providers to submit abortion data. Typically, abortion providers are required to disclose many of the following categories of information: physician and facility where the abortion was performed, demographic information about the patient (e.g., age, race, marital status, ethnicity, other birth history), gestational age, and type of abortion procedure. Most states also require abortion providers to report abortion procedures, abortion complications, abortion records for minors, and abortion information relating medical emergencies and informed consent. Many states submit abortion data to the Center for Disease Control and Prevention (CDC), further expanding the breadth of disclosure. “Although patients’ names are removed [in accordance with confidentiality requirements], many potentially identifying characteristics remain. This information, too, is useful for law enforcement and may be subject to FOIA requests.” The demographic information required by mandatory reporting forms is sometimes so extensive that people can be re-identified. “Thus, pregnant persons may unwittingly create incriminating documentation that has scant legal protection and is useful for enforcing abortion restrictions.”
State mandatory reporting laws relating to childhood abuse can also be interpreted to cover abortions or related health care. This is particularly evident where state laws define life as beginning at fertilization or if they have redefined “personhood” to include the unborn. Currently there are laws in “38 states [that] authorize homicide charges to be brought for causing the loss of pregnancy.” In this way, criminal action can be taken on behalf of a fetus, and in some states even a zygote or an embryo. Mandatory reporting could also implicate fetal homicide laws that “authorize charges for abortion, assisted reproductive technology, or contraception[.]”
Mandatory reporting for drug use of pregnant people can also lead to criminalization and other harmful outcomes. Hospitals are required to screen for drug use in labor and delivery units to “comply with federal and state regulations for safe care for infants affected by substance abuse during pregnancy.” A recent study found that hospitals in Pennsylvania were racially biased because providers were more likely to give drug tests to Black women, exposing them to various harms from criminalization. Another report focused on the harsh effects of mandated reporting for prenatal use of medication to treat opioid use disorder. This includes when clinicians prescribe medications to treat infants exposed to opioids in utero. These mandatory reporting policies “are ostensibly designed to identify infants at risk for abuse and neglect to prevent harm. However, [researchers] identified that reporting itself caused tangible harm due to the trauma cause by an investigation of parental fitness in the immediate postpartum period.” Mandatory reporting contributed to avoidance of prenatal and postpartum services and caused anxiety from the loss of privacy.
b. Mandatory Reporting Regimes Are Harmful To Patients
Mandatory reporting of reproductive care in various contexts can cause serious physical and emotional harm, chill access to health care, cause reputational harm from disclosure, and lead to a loss of liberty and other consequences through criminalization. Mandatory reporting is often the inception of a criminal investigation related to abortion care. In a recent study evaluating the criminalization of self-managed abortion, most cases came to the attention of law enforcement through mandatory reporting, with 36% of the cases reported by health care providers and 6% reported by social workers. Criminal action was not limited to the person seeking an abortion, as 26% of the adult sample involved the criminalization of people helping others self-manage an abortion. Critically, these investigations and arrests were not limited to states with statutes that criminalize self-managed abortion: “prosecutors applied criminal laws meant to address mishandling of human remains, concealment of a birth, practicing medicine without a license, child abuse and assault, and murder and homicide allegations of self-managed abortion.” Once law enforcement accesses information, often through mandatory reporting, they have various means to criminalize people seeking abortion care. The study also revealed a stark racial disparity: “a homicide consideration was two times more frequent in cases involving people of color compared to those involving non-Hispanic white individuals.”
Criminal intervention related to abortion care, and the fear of criminal investigation, can have harmful impacts beyond an arrest. People can lose custody of their children, face shame within their communities, or face immigration consequences. The looming threat of criminalization can impact the ability of people to seek reproductive health care. Criminalization has a chilling effect on women’s health generally, decreasing access and “causing physicians to withhold information from patients for fear that their medical advice could violate their state’s anti-abortion statutes.”
c. The HIPAA Privacy Rule Must Address Mandatory Reporting Laws
It is critical that the Department examine the effects of mandatory reporting laws on reproductive health care in the HIPAA Privacy Rule. HHS should develop language in the HIPAA Privacy Rule to prohibit mandatory disclosure identifying an individual that has obtained or has aided someone in obtaining an abortion. The process for developing this provision should balance the need to prohibit mandatory disclosures that are most likely to lead to criminalization of care with the benefits that certain mandatory reporting mechanisms have for public health purposes. The information gathered by mandatory reporting laws lead to circumstances that most frequently and immediately lead to criminal investigations of people seeking reproductive health care. The threat of criminalization chills access to care for people, further harming health outcomes even without criminal involvement. Addressing mandatory reporting in the HIPAA Privacy Rule is a necessary and impactful way to support reproductive health care privacy.
 HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 88 Fed. Reg. 23,506 (Apr. 17, 2023) [hereinafter NPRM].
 EPIC, The Supreme Court Must Not Undermine the Constitutional Right to Privacy (May 3, 2022), https://epic.org/the-supreme-court-must-not-undermine-the-constitutional-right-to-privacy/.
 Sara Geoghegan & Dana Khabbaz, Reproductive Privacy in the Age of Surveillance Capitalism, EPIC (July 7, 2022), https://epic.org/reproductive-privacy-in-the-age-of-surveillance-capitalism/.
 Brief of EPIC as Amicus Curiae Supporting Petitioner and Reversal at 5, People v. Seymour, No. 2023SA12 (Colo. Jan. 11, 2023), https://epic.org/wp-content/uploads/2023/01/Seymour-v.-Colorado-CO-Supreme-Court.pdf (“Reverse keyword warrants . . . threaten that right by exposing significant amounts of sensitive personal data to law enforcement scrutiny without a valid basis.”).
 See Letter from EPIC et al. to Google on Location Data and Abortion Access (June 1, 2022), https://epic.org/wp-content/uploads/2022/06/Letter-to-Google-on-Location-Data-and-Abortion-Access-06-01-2022.pdf; EPIC, Disrupting Data Abuse: Protecting Consumers from Commercial Surveillance in the Online Ecosystem (Nov. 2022), https://epic.org/wp-content/uploads/2022/12/EPIC-FTC-commercial-surveillance-ANPRM-comments-Nov2022.pdf; EPIC & Consumer Reports, How the FTC Can Mandate Data Minimization Through a Section 5 Unfairness Rulemaking (Jan. 26, 2022), https://epic.org/wp-content/uploads/2022/01/CR_Epic_FTCDataMinimization_012522_VF_.pdf.
 NPRM IV(B)(1).
 NPRM IV(B)(2).
 NPRM IV(B)(2) (“[T]he Department issued its prior iterations of the Privacy Rule at a time when individuals, as a practical matter, generally would not have expected their highly sensitive health care information to be used or disclosed for criminal, civil, or administrative investigations into or proceedings about that health care. The current regulatory and legal environment is in tension with that expectation and threatens to erode the trust that is essential to access to and quality of health care.”).
 Smith v. Maryland, 442 U.S. 735, 743 (1979) (citing Katz v. United States, 389 U.S. 347, 361 (1967)).
 Kentucky v. King, 563 U.S. 452, 460 (2011).
 American Medical Association, Patient Perspectives Around Data Privacy (2022), https://www.ama-assn.org/system/files/ama-patient-data-privacy-survey-results.pdf.
 See Oregon Prescription Drug Monitoring Program v. U.S. Drug Enf’t Admin., 998 F. Supp. 2d 957, 964 (D. Or. 2014), rev’d on other grounds, 860 F.3d 1228 (9th Cir. 2017).
 Jacob M. Appel, Trends in Confidentiality and Disclosure, 17 Focus 360 (2019), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7011305/?report=reader.
 Ferguson v. City of Charleston, 532 U.S. 67, 78 (2001).
 United States v. Westinghouse Elec. Corp., 638 F.2d 570, 577 (3d Cir. 1980) (“There can be no question that an employee’s medical records, which may contain intimate facts of a personal nature, are well within the ambit of materials entitled to privacy protection.”)
 Doe v. Broderick, 225 F.3d 440, 450 (4th Cir. 2000) (finding a Fourth Amendment reasonable expectation of privacy).
 Tucson Woman’s Clinic v. Eden, 379 F.3d 531 (9th Cir. 2004), abrogated on other grounds by Dobbs v. Jackson Women’s Health Org., 213 L. Ed. 2d 545, 142 S. Ct. 2228 (2022) (warrantless search of abortion clinic violated the Fourth Amendment).
 State v. Skinner, 2008-2522 (La. 5/5/09), 10 So. 3d 1212, 1218 (finding a Fourth Amendment reasonable expectation of privacy).
 State v. Nelson, 941 P.2d 441, 449 (Mont. 1997) (finding the state must show probable cause to issue an investigative subpoena for the discovery of medical records).
 Alberts v. Devine, 479 N.E.2d 113, 118 (Mass. 1985) (“We continue to recognize a patient’s valid interest in preserving the confidentiality of medical facts communicated to a physician or discovered by the physician through examination.”).
 King v. State, 535 S.E.2d 492, 495 (Ga. 2000) (“[A] patient’s medical information, as reflected in the records maintained by his or her medical providers, is certainly a matter which a reasonable person would consider to be private.”).
 Commonwealth v. Riedel, 651 A.2d 135, 139-40 (Pa. 1994) (noting that a person has “a reasonable expectation of privacy in his medical records” and requiring probable cause for access to medical records, though in this case exigent circumstances applied).
 State v. Welch, 624 A.2d 1105 (Vt. 1992) (finding a reasonable expectation of privacy in medical records).
 In re Grand Jury Investigation in New York Cnty., 98 N.Y.2d 525 (2002) (finding that a hospital could cite New York’s patient confidentiality statute to refuse a grand jury subpoena seeking patients’ medical records).
 Ferguson, 532 U.S. at 78.
 Broderick, 225 F.3d at 450–52.
 E.g., Skinner, 10 So. 3d at 1218 (Louisiana); Riedel, 651 A.3d at 190–40 (Pennsylvania); Welch, 624 A.2d at 1109 (Vermont).
 45 C.F.R. § 164.512(f)(1)(i)–(ii).
 E.g., People v. O’Dette, 2017 IL App (2d) 150884 ¶¶ 5–6, 21, https://www.illinoiscourts.gov/Resources/982b9725-1187-4edd-a3d6-1891eced43b6/2150884.pdf; Petition for Writ of Certiorari at 23–24, Huse v. Texas (No. 16-535), https://www.scotusblog.com/wp-content/uploads/2016/10/16-535-cert-petition.pdf.
 See, e.g., Doe v. Broderick, 225 F.3d 440, 450 (4th Cir. 2000) (evaluating a privacy statute as part of the determination of whether society would consider a defendant’s expectation of privacy reasonable); Florida v. Riley, 488 U.S. 445, 451–52 (1989) (considering Federal Aviation Administration regulations when deciding whether a police practice violated a reasonable expectation of privacy).
 Wendy K. Mariner, Reconsidering Constitutional Protection for Health Information Privacy, 18 U. Pa. J. Const. L. 975, 981-82 (2016).
 Guttmacher Institute, Abortion Reporting Requirements (Mar. 1, 2023), https://www.guttmacher.org/state-policy/explore/abortion-reporting-requirements.
 Temple Law Center for Public Health Law Research, Abortion Reporting Requirements (Sept. 30, 2020), https://phlr.org/product/abortion-reporting-requirements.
 Guttmacher Institute, supra note 34.
 Katye Spector-Bagdady & Michelle M. Mello, Protecting the Privacy of Reproductive Health Information After the Fall of Roe v Wade, JAMA Health Forum (June 30, 2022), https://jamanetwork.com/journals/jama-health-forum/fullarticle/2794032 [hereinafter JAMA Health Forum].
 JAMA Health Forum, supra note 37.
 See Id.
 Pregnancy Justice, Who Do Fetal Homicide Laws Protect? An Analysis for A Post-Roe America (Aug. 17, 2022), https://www.pregnancyjusticeus.org/wp-content/uploads/2022/12/fetal-homicide-brief-with-appendix-UPDATED.pdf.
 Roni Caryn Rabin, Black Pregnant Women Are Tested More Frequently For Drug Use, Study Suggests, N.Y. Times (Apr. 14, 2023), https://www.nytimes.com/2023/04/14/health/black-mothers-pregnancy-drug-testing.html.
 Erin C. Work et al., Prescribed and Penalized: The Detrimental Impact of Mandated Reporting for Prenatal Utilization of Medication for Opioid Use Disorder, Maternal Health J. (2023), https://doi.org/10.1007/s10995-023-03672-x.
 Laura Huss et al., Self-Care, Criminalized: August 2022 Preliminary Findings, If/When/How (2022), https://www.ifwhenhow.org/resources/self-care-criminalized-preliminary-findings/.
 See If/When/How, Making Abortion A Crime (Again): How Extreme Prosecutors Attempt to Punish People for Abortions in the U.S.,https://www.ifwhenhow.org/resources/making-abortion-a-crime-again/ (last visited June 13, 2023)(“While a few states have explicit bans on self-administered abortion care, there are roughly 40 other types of laws that politically motivated prosecutors may wield against people who end their own pregnancies and those who help them.”).
 Laura Huss et al., supra note 49.
 Human Rights Watch, Human Rights Crisis: Abortion in the United States After Dobbs (April 18, 2023), https://www.hrw.org/news/2023/04/18/human-rights-crisis-abortion-united-states-after-dobbs. See American Psychological Association, Frequently Asked Questions About Abortion Laws and Psychology Practice (Sept. 1, 2022), https://www.apaservices.org/practice/business/hipaa/abortion-laws#report (“Until state laws on abortion reporting are more settled, and the enforcement of these laws has been tested, one strategy to consider is discussing with your patient the potential limits to your confidentiality and potential duty-to-report obligations in your state.”).