On June 24, 2022, the United States Supreme Court held in Dobbs v. Jackson Women’s Health Organization that the United States Constitution doesn’t confer a proper to an abortion. In Dobbs, the Court explicitly overruled Roe vs. Wade and Casey vs. Planned Parenthood, elevating many questions on the way forward for entry to reproductive well being care providers for sufferers and the way well being care entities ought to tackle privateness issues when sufferers search abortion providers or counseling or different reproductive well being providers on this quickly evolving regulatory surroundings.
Following a request from U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra for HHS businesses to take motion to guard entry to sexual and reproductive well being care, the HHS Office for Civil Rights (OCR) launched guidance on June 29, 2022, associated to the disclosure of Health Insurance Portability and Accountability Act (HIPAA) and non-HIPAA lined well being info and information to assist shield sufferers looking for reproductive well being care.
HIPAA Covered Information Guidance
The steering makes it clear that well being care suppliers normally should get hold of a affected person’s authorization earlier than disclosing protected well being info (PHI). Provider could disclose PHI with out a affected person’s authorization solely in restricted circumstances, and the steering emphasizes that HIPAA permits however doesn’t require such disclosures. Specifically, via a sequence of illustrative examples, OCR units out the next circumstances below which PHI could also be disclosed:
Disclosures of PHI Required by Law
OCR explains that disclosures required by regulation are restricted to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” Using an instance the place a person arrives at an emergency division experiencing miscarriage problems throughout the tenth week of being pregnant, OCR explains that even when a hospital employee suspects the person took remedy to finish their being pregnant, and the person resides in a state that prohibits abortion at six weeks, the hospital can not report such incident to regulation enforcement until there’s a regulation expressly requiring the hospital to make such a report. Put merely, legal guidelines prohibiting abortions however not explicitly requiring reporting to regulation enforcement wouldn’t match inside within the “required by law” permissible disclosure.
Disclosures of PHI for Law Enforcement Purposes
HIPAA permits — however doesn’t require — well being care suppliers to reveal PHI about a person for regulation enforcement functions; such disclosure is permitted provided that there’s a mandate enforceable by regulation. For instance, a well being care supplier may disclose the minimal quantity of PHI crucial to reply to a courtroom order, search warrant, felony or civil subpoena, and certified protecting order.
The steering particularly states that HIPAA’s “permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care.” Consequently, absent a courtroom order or different mandate enforceable in a courtroom of regulation, suppliers can not disclose PHI pursuant to a regulation enforcement request nor can they provoke a disclosure to regulation enforcement.
Separately, even when suppliers obtain subpoenas or related authorized course of, suppliers might want to contemplate whether or not a particular mandate is enforceable in their very own jurisdiction. Schisms throughout jurisdictions have already arisen, and we’re more likely to see new legal guidelines that search to counter Dobbs. These legal guidelines could prohibit suppliers from responding to abortion-specific subpoenas or different regulation enforcement calls for, particularly in the event that they originate in a unique state.
Disclosures of PHI to Avert a Serious Threat to Health and Safety
The steering additionally reiterates that disclosures to avert severe menace to well being or security are slim. Specifically, this kind of disclosure is barely allowed if: (1) it’s in line with relevant regulation and requirements of moral conduct; (2) the supplier believes the use or disclosure is important to stop or reduce a severe and imminent menace to the well being or security of an individual or the general public; and (3) the disclosure is to an individual who is fairly in a position to stop or reduce the menace.
OCR makes it clear that a person’s need to hunt an abortion in one other state that legally permits abortions doesn’t qualify as a “a serious and imminent threat to the health or safety of a person or the public.” Additionally, it might be inconsistent with the supplier’s skilled requirements of moral conduct to make this kind of disclosure.
Non-HIPAA Covered Information Guidance
In addition to the steering associated to HIPAA-covered well being info, OCR additionally launched guidance associated to non-HIPAA lined well being info and addressed the extent to which non-public well being info is protected on private cell telephones and tablets.
One of the most typical misconceptions about HIPAA is that the HIPAA Rules shield all well being info, no matter who holds the knowledge or the place it’s saved. This isn’t the case. As OCR’s steering clarified, HIPAA applies when private well being info is created, acquired, maintained or transmitted by lined entities, equivalent to a well being plan or well being care supplier, and their enterprise associates. The HIPAA Rules “generally do not protect the privacy or security of your health information when it is accessed through or stored on your personal cell phones or tablets.” HIPAA additionally typically doesn’t shield the privateness of any information that an individual downloads or voluntarily enters right into a cellular app for private use, until the app was offered by a lined entity or a enterprise affiliate.
OCR’s steering offered detailed details about greatest practices for safeguarding the privateness and safety of well being info accessed or saved on private cell telephones and tablets, together with tips on scale back the quantity of knowledge a mobile phone or pill collects and shares with out a person’s information.
OCR’s steering notes that whereas it’s inconceivable to completely get rid of an individual’s digital footprint, there are a lot of steps that may improve privateness protections, together with:
- Avoid downloading random or pointless apps, particularly these which might be “free”
- Avoid granting any app permission to entry location information, besides when crucial (e.g., navigation apps)
- Turn off the placement providers on private cell telephones or tablets
- Use sturdy encryption by default when transmitting information
- Enable applied sciences to restrict or block monitoring instruments
- Ensure that each one information is faraway from previous cell telephones or tablets previous to disposing of them
OCR’s steering comes amid experiences that “many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data” that could possibly be accessed by these looking for to disclaim care. Secretary Becerra emphasised that “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information.” General consciousness of the bounds of HIPAA and the way non-public well being info and non-PHI could also be inadvertently shared and accessed is necessary to guard the general privateness of private well being info collected or saved on cell telephones or tablets.
We anticipate the steering from OCR to proceed to evolve, and we are going to proceed to observe these updates.
