OCR Issues Guidance for Providers and Individuals Following Supreme Court Decision on Roe v. Wade
President Biden and U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra recently called on HHS agencies to take action to protect access to sexual and reproductive health care, which includes abortion, pregnancy complications, and other related care, following the decision of the Supreme Court in Dobbs vs. Jackson Women’s Health Organization. The Supreme Court’s decision overruled Roe v. Wade and Planned Parenthood v. Casey and took away the right of women to have a safe and legal abortion, instead, the decision will be made by individual states. 13 states have trigger laws based on Rose v. Wade that outlaw abortions and other states are expected to make similar changes.
Yesterday, the HHS Office for Civil Rights (OCR) issued new guidance for healthcare providers and patients seeking access to reproductive health care services to ensure patient privacy is protected. The guidance explains that the federal Health Insurance Portability and Accountability Act (HIPAA) requires individuals’ private medical information, which includes information about abortion and other sexual and reproductive health care, is required to be kept private and confidential. That information is classed as protected health information (PHI) under HIPAA and healthcare providers are not required to disclose PHI to third parties.
The guidance also explains the extent to which private medical information is protected on personal cell phones and tablets and includes advice for protecting individuals’ privacy when using period trackers and other health information apps. Concern has been raised by women that health apps on smartphones, such as period trackers, threaten privacy as they disclose geolocation data. That information could potentially be abused by individuals seeking to deny them access to medical care.
“How you access health care should not make you a target for discrimination,” explained HHS Secretary Xavier Becerra. “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information.” Becerra is encouraging anyone who believes their privacy rights have been violated to file a complaint with OCR and explained that protecting access to health care, which includes abortion care and other forms of sexual and reproductive health care, is now an enforcement priority for OCR.
The guidance for healthcare providers explains that the HIPAA Privacy Rule allows HIPAA-covered entities, which includes healthcare providers, to disclose an individual’s PHI without obtaining authorization from that individual for the purposes of healthcare, payment, and healthcare operations, but other disclosures – to law enforcement officials for example – are only permitted in narrow circumstances, tailored to protect the individual’s privacy and support their access to health care, which includes abortion care. HIPAA-covered entities and their business associates are reminded that they can use and disclose PHI without an individual’s signed authorization, but only for reasons expressly permitted or required by the Privacy Rule. The guidance also explains the restrictions on disclosures of PHI under the HIPAA Privacy Rule when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.
Examples of HIPAA Violations Related to Disclosures of Reproductive Health Care Data
While the HIPAA Privacy Rule permits disclosures to law enforcement, those disclosures are not required by HIPAA. With respect to information relating to reproductive health care, certain disclosures of that information to law enforcement would constitute a HIPAA violation that requires notification to the individual and could potentially result in a HIPAA fine.
Disclosures of PHI that are Required by Law
OCR explained that “permission to disclose PHI as “required by law” is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” An example was provided where such a disclosure would constitute a HIPAA violation.
“An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement,” explained OCR in the guidance. “Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.”
Disclosures of PHI for Law Enforcement Purposes
With respect to the Privacy Rule permitting (but not requiring) disclosures of PHI about an individual for law enforcement purposes, such a disclosure is only permitted if there is a mandate enforceable in a court of law.
“The Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care,” explained OCR. “That is true whether the workforce member initiated the disclosure to law enforcement or others or the workforce member disclosed PHI at the request of law enforcement.”
If a law enforcement official visited a reproductive healthcare clinic and requested the records of all abortions performed at the clinic, in the absence of a court order or other mandate enforceable in the court of law, that information could not be disclosed, as doing so would be a HIPAA violation.
OCR also explained that if such a situation occurred and a court order was presented, the HIPAA Privacy Rule would permit, but not require, the disclosure. If a disclosure is made, it must be limited to the exact PHI expressly authorized by the court order and no more.
Good Faith Disclosures of PHI to Avert a Serious Threat to Health and Safety
The HIPAA Privacy Rule does permit, but does not require, a covered entity to make a good faith disclosure of PHI “to prevent or lessen a serious and imminent threat to the health or safety of a person or the public”, provided the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat.
OCR explained that such a disclosure to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care would be inconsistent with professional standards of ethical conduct.
HIPAA and Mobile Health Apps
Separate guidance has been issued for individuals about protecting the privacy and security of their health information when using their personal cell phones or tablets. It is important for individuals to understand that most health apps, including period trackers, are not covered by the HIPAA Privacy or Security Rules. That means any personal healthcare data entered, collected, or transmitted by those apps or is stored on smartphones or tablets, is not protected and there are no restrictions on disclosures of that information.
The guidance explains best practices to adopt when using these health apps that will decrease the personal information collected by the apps and limit the potential for disclosures of personal information – including geolocation data – without the individual’s knowledge. The guidance explains how to turn off the location services on Apple and Android devices, and offers advice on selecting apps, browsers, and search engines that prioritize privacy and security.
Information on individuals’ rights to reproductive healthcare is available here.