Privacy of Health Information After Dobbs: OCR Guidance On Disclosures of PHI and the Privacy of Personal Information On Devices

On 28 June 2022, within the wake of the U.S. Supreme Court’s ruling in Dobbs vs. Jackson Women’s Health Organization, the U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra directed the Office for Civil Rights (OCR) inside HHS to make sure affected person privateness and nondiscrimination for sufferers looking for reproductive well being care, in addition to for suppliers who supply reproductive well being care.In response, on 29 June 2022, OCR issued new steering addressing privateness rights associated to reproductive well being care beneath the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

OCR’s steering consists of two posts beneath a brand new Special Topic, HIPAA and Reproductive Health. The first steering reiterates that federal regulation protects Protected Health Information (PHI) (as outlined by HIPAA’s laws) from unauthorized disclosures, together with PHI associated to abortion and different sexual and reproductive well being care, and descriptions the “narrowly tailored” circumstances during which disclosures to regulation enforcement officers are permitted.The second submit, whereas posted beneath steering for professionals, is written straight for sufferers and shoppers and addresses considerations that well being data purposes (apps) on smartphones could threaten a person’s proper to privateness by clarifying how medical data on private cell telephones and tablets is or shouldn’t be protected by federal regulation, and offers tips for shielding privateness when utilizing these packages.4

This Alert outlines and additional explains OCR’s steering on each matters.  

HIPAA PRIVACY RULE AND DISCLOSURES OF INFORMATION RELATING TO REPRODUCTIVE HEALTH CARE 

When Are Law Enforcement Disclosures Permitted in a Post Dobbs World?

In its steering associated to HIPAA’s Privacy Rule and disclosures to regulation enforcement, OCR primarily focuses on two exceptions beneath HIPAA: (1) disclosures which can be “required by law,” and (2) disclosures “for law enforcement purposes.”  

Under the primary class, OCR emphasizes that disclosures not topic to affected person authorization however assembly HIPAA’s “required by law” exceptions are restricted to authorized mandates on the federal or state stage that particularly require the disclosure of PHI.In different phrases, it isn’t sufficient for a regulation to ban the underlying actions or actions that may be the topic of the disclosure to allow the disclosure of PHI beneath HIPAA; slightly, there should even be a authorized mandate for disclosure of such data or disclosure should be pursuant to authorized course of, resembling a courtroom order, offered all different situations outlined in HIPAA’s Privacy Rule are met. Even the place disclosures are legally mandated by one other regulation or a courtroom order, thus assembly HIPAA’s “required by law” exception, such disclosures are permissible provided that they’re restricted to the related necessities of such authorized mandate.

To illustrate disclosures which will or is probably not “required by law,” OCR offers the instance of a person who seeks remedy at a hospital emergency division as a result of problems associated to a miscarriage in the course of the tenth week of being pregnant. In that occasion, a hospital workforce member suspects the person of getting taken remedy to finish their being pregnant. Assuming state regulation prohibits abortion after six weeks of being pregnant, however doesn’t expressly require the hospital to report people to regulation enforcement, the Privacy Rule wouldn’t allow a disclosure to regulation enforcement beneath the “required by law” exception. OCR explains that, the place state regulation “does not expressly require such reporting” (emphasis in unique), a disclosure in such circumstances can be impermissible and would represent a breach of unsecured PHI, requiring a breach notification to each HHS and the person who was the topic of the disclosure.6

Additionally, OCR’s steering emphasizes {that a} disclosure is “for law enforcement purposes” the place the disclosure is pursuant to authorized course of resembling a warrant, subpoena or summons and “as otherwise required by law,” offered all situations outlined within the Privacy Rule for such disclosures are met. For occasion, the place a hospital or different well being care supplier’s workforce member, absent a statutory requirement, initiated a report of a person’s abortion or different reproductive well being care to regulation enforcement or made a disclosure on the request of regulation enforcement, such disclosure wouldn’t be permissible “for law enforcement purposes.” OCR factors out the shortage of a regulation enforcement objective the place (a) state legal guidelines haven’t usually required well being care suppliers to report “an individual who self-managed the loss of a pregnancy” to regulation enforcement (e.g., a person experiencing a miscarriage); (b) state fetal murder legal guidelines haven’t particularly penalized pregnant people; and (c) appellate courts have traditionally rejected efforts to make use of present prison and civil legal guidelines meant to guard youngsters as the idea for arresting or detaining pregnant people. In different phrases, there may not be a ample “law enforcement purpose” for a disclosure the place a regulation doesn’t impose civil or prison legal responsibility on a pregnant particular person.

Another instance features a regulation enforcement official requesting information of abortions carried out at a reproductive well being care clinic. If the request shouldn’t be accompanied by a courtroom order or different mandate enforceable in a courtroom of regulation, the Privacy Rule would prohibit the clinic from disclosing PHI in response to the request.  In distinction, the place the regulation enforcement official presents a courtroom order requiring the clinic to provide PHI about an recognized particular person who has obtained an abortion, the Privacy Rule “would permit but not require the clinic to disclose the requested PHI,” and it might disclose solely the PHI expressly licensed by the courtroom order (emphasis in unique).OCR’s distinction between “required” and “permissive” disclosures usually refers to a selected disclosure that’s not mandated by the Privacy Rule itself, thus not “required,” however assuming the disclosure meets an exception, is permissible and wouldn’t represent a breach beneath HIPAA’s Privacy Rule. Of course, in lots of cases, a well being care supplier could also be compelled to behave pursuant to different authorized mandates, resembling a courtroom order or different lawful course of beneath state or federal regulation, and to the extent any objections to disclosure can be acceptable, they should be managed in step with relevant regulation. 

Lastly, OCR addresses disclosures to avert a severe risk to well being or security, and states that, based mostly on skilled societies, together with the American Medical Association and American College of Obstetricians and Gynecologists, it’s inconsistent with skilled requirements of moral conduct to reveal PHI to regulation enforcement or others “regarding an individual’s interest, intent, or prior experience with reproductive health care.”Examples embrace a press release by a pregnant particular person in a state that bans abortions demonstrating her intent to journey out of state for an abortion, and a need by the well being care supplier to report the assertion to regulation enforcement to aim to forestall the abortion from going down. OCR states that “[a] statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy” wouldn’t qualify as a “serious and imminent threat to the health or safety of a person or the public.”OCR additionally states that it will be inconsistent with lengthy held skilled moral requirements to compromise the integrity of the affected person–doctor relationship on this approach.10 According to OCR, such disclosures could each improve the danger of hurt to the person and might be thought-about by OCR to be a HIPAA breach.  

OCR ends its steering by reminding well being care suppliers to hunt authorized help navigating their tasks beneath state and federal legal guidelines concerning abortion and reproductive care, and informs sufferers the right way to file a criticism concerning a violation of their well being privateness rights.  

TAKE-AWAYS

With this steering, OCR makes clear its intent to guard the privateness of people looking for reproductive well being care, together with abortions. OCR means that legal guidelines prohibiting sure habits don’t, in and of themselves, allow disclosures of PHI about a person and such prohibited exercise. Instead, the regulation should particularly mandate such disclosure, or disclosure should be pursuant to a legally cognizable course of, and all different situations outlined in HIPAA’s Privacy Rule should be met. Only then, in keeping with the steering, is a disclosure permitted with out leading to a HIPAA breach. Depending on the state, nevertheless, legal guidelines that assist prison or civil motion towards (i) a person looking for an abortion, (ii) a person performing an abortion, or (iii) a person offering the means for an abortion (e.g., in some states, prescribing remedy abortion), could also be used as the idea for a disclosure of PHI “for law enforcement purposes,” and in states the place such legal guidelines are in impact, disclosures could also be permissible. Accordingly, within the face of latest state legal guidelines that proscribe sure actions of third events, HIPAA could not present the extent of safety towards disclosure of PHI which may be inferred based mostly on OCR’s steering.     

Within this context, well being care entities ought to remind its well being care suppliers and workforce members to not confuse or conflate state abortion prohibitions with obligatory reporting legal guidelines, and to bear in mind that any obligatory reporting needs to be reviewed by authorized counsel to keep away from an unauthorized disclosure of PHI and a HIPAA violation. Hospitals and well being methods could wish to  have interaction in dialogue with front-line well being care suppliers who’re obligatory reporters in different contexts, for instance youngster abuse and obligatory reporting of sure wounds, to guarantee that they perceive the distinctions between these reporting necessities and state regulation prohibitions or limitations on abortions and different reproductive well being care. Otherwise, there’s a danger of violating federal or state regulation confidentiality necessities.

PROTECTING THE PRIVACY AND SECURITY OF YOUR HEALTH INFORMATION WHEN USING YOUR CELL PHONE OR TABLET

Health Information and Personal Devices

Written straight for sufferers and shoppers, OCR’s steering on the usage of apps on private units stresses that HIPAA’s Privacy and Security Rules usually don’t shield the privateness and safety of well being data when it’s accessed by way of or saved on particular person cell telephones or tablets.11 OCR signifies that questions have arisen on this concern, specifically in relation to apps that present companies associated to reproductive well being, resembling monitoring menstruation cycles (also called “period trackers”). OCR emphasizes that, except  the app is straight offered by a Covered Entity or its Business Associate (as outlined beneath HIPAA), data voluntarily shared with the app, together with geographic location data and web search historical past, should not thought-about PHI and should not protected by HIPAA.12 This is true even when the supply of such data is a Covered Entity. Such data, OCR makes clear, already could also be considered or collected by different entities, used for focused advertising by the app or machine vendor, or bought to different third events, together with knowledge brokers who could use such private data for advertising or different functions. 

OCR’s steering contains a number of tips for lowering third occasion use of private data with out the person’s information, together with avoiding downloading apps, particularly apps which can be free; not permitting apps to entry the person’s machine’s location knowledge (apart from people who require location data for the service); and turning off location companies on private cell telephones and tablets.13 The steering additionally contains directions for Apple and Android customers to proactively take steps to attenuate disclosure of private data, together with turning off location companies, denying permission to trace exercise throughout apps and websites, and deleting the private promoting ID. The steering reminds shoppers that many apps observe location and exercise data, together with experience sharing apps, social media, and check-in apps, and encourages shoppers to assessment app assist and search capabilities to discover ways to delete location and exercise historical past.  

Even with these protecting measures, the steering signifies that the machine itself and the mobile service supplier usually should not thought-about HIPAA Covered Entities or Business Associates and will retailer communications despatched and acquired on the private machine, together with textual content messaging and electronic mail data, particulars concerning calls made and acquired, and when communications have been made.14 For these and different causes, OCR encourages shoppers to assessment Federal Trade Commission sources on defending privateness when utilizing apps, in addition to Consumer Reports’ opinions of knowledge practices, and to take steps to guard the privateness of well being and different private data earlier than disposing of outdated units. Lastly, OCR reminds shoppers that one of the best ways to guard well being and private data from being collected and shared with out their information is to restrict what private data is shipped and saved on or by way of units, except the buyer is assured that communications are despatched and acquired by way of a protected technique of communication resembling a well being care supplier portal.15 The steering offers a number of sources associated to defending the privateness of private data, together with from FTC, Office of the National Coordinator for Health IT (ONC), the Federal Communications Commission (FCC), and personal sources resembling The New York Times and The Washington Post.

Take-Aways

In abstract, OCR’s steering reminds shoppers that apps accessed by way of private units, resembling cell telephones, that aren’t offered straight by a Covered Entity or its Business Associate (resembling a well being system app that enables entry to information, appointment scheduling, communications with suppliers, and so forth.) should not protected by HIPAA. This contains the various apps that supply companies associated to well being care, resembling interval trackers, however should not offered by Covered Entities. However, even Covered Entities (and their Business Associates) could also be topic to disclosures required by regulation or for regulation enforcement functions (as outlined within the part above). Additionally, mobile phone service suppliers should not coated by HIPAA, and communications by way of a cell machine, whether or not calls, texts or emails, usually is not going to be protected by HIPAA. For these causes, will probably be essential for people to contemplate whether or not and the right way to electronically talk with suppliers for actions resembling appointment scheduling, and if privateness is a priority, to restrict the quantity of private data shared by way of cell units, together with apps which will present health-related companies however should not supplied by way of Covered Entities.  

OTHER FEDERAL INITIATIVES IN THE WAKE OF DOBBS

OCR’s steering is one in every of a number of initiatives arising from HHS’s Reproductive Access Task Force, launched previous to the Dobbs choice to handle entry to reproductive well being care. As a part of the Reproductive Access Task Force, Secretary Becerra expressed the purpose of making certain entry to remedy abortion and the flexibility for people to journey safely from states the place abortion is banned to states the place abortion is authorized. Among different issues, Secretary Becerra indicated that he’s directing HHS to look at the authority of the Emergency Medical Treatment and Labor Act (EMTALA) to guarantee that acceptable stabilizing care is offered to all sufferers, and the Center for Medicare and Medicaid Services (CMS) to take steps to guard entry to household planning care, together with emergency and long-term contraceptives. To perceive the impression of those directives on hospitals, well being methods, and different well being care suppliers, we’ll proceed to trace steering on the federal stage in relation to the Dobbs choice, together with initiatives of the Reproductive Access Task Force, in addition to state and federal efforts to handle knowledge privateness and safety.


FOOTNOTES

Remarks by Secretary Xavier Becerra on the Press Conference in Response to President Biden’s Directive Following Overturning of Roe v. Wade (Last Reviewed July 07, 2022), https://www.hhs.gov/about/news/2022/06/28/remarks-by-secretary-xavier-becerra-at-the-press-conference-in-response-to-president-bidens-directive-following-overturning-of-roe-v-wade.html 

U.S. Dept. of Health and Human Services, HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care (Last Reviewed June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html (hereinafter, “HIPAA Reproductive Health Care Guidance”).

See HIPAA Reproductive Health Care Guidance, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

U.S. Dept. of Health and Human Services, Protecting the Privacy and Security of Your Health Information When Using Your Cell Phone or Tablet (Last Reviewed June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html (hereinafter, “Guidance on Protecting Your Health Information When Using Personal Devices”).

HIPAA Reproductive Health Care Guidance, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html.

Id.

Id.

Id.

Id.

10 The American College of Obstetricians and Gynecologists (“ACOG”) and the American Medical Association (“AMA”) cite their respective opposition to interference with the authorized and moral requirement to guard personal medical data and the elemental tenet of the patient-physician relationship of respecting the affected person’s privateness and confidentiality. See https://www.acog.org/clinical-information/policy-and-position-statements/position-statements/2017/decriminalization-of-self-induced-abortion. and AMA, Patient Rights, Code of Medical Ethics Opinion 1.1.3. https://policysearch.ama-assn.org/policyfinder/detail/E-1.1.3?uri=%2FAMADoc%2FEthics.xml-E-1.1.3.xml.  

11 Guidance on Protecting Your Health Information When Using Personal Devices https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html 

12 Id.

13 Id. 

14 Id.

15 Id.

Leave a Reply

Your email address will not be published.