When the Supreme Court overturned Roe v. Wade on June 24, 2022, a cascade of things happened affecting healthcare providers and women in their care. Concerns about privacy and where and how HIPAA applies are being discussed by lawmakers, providers and patients. More questions have been raised than answered and the situation is still unfolding. The landscape is chaotic. (Dobbs v. Jackson Women’s Health Organization)
One immediate change occurred when 13 states banned or severely curtailed abortion access overnight – these so-called “trigger laws” were already on the books and ready to go into effect immediately (with limited exceptions) once Roe was overturned. Another 13 states are expected to follow. By contrast, some states continue to allow abortions and have even strengthened protections for women seeking reproductive health care.
As a result, the Court’s ruling has left a patchwork of state laws, many designed both to limit access to abortion and to punish providers who deliver reproductive health care. Providers are asking whether they will be required to disclose protected health information (PHI) to law enforcement or even be prosecuted themselves. Patients are concerned that they may be prosecuted if they seek reproductive health care.
HIPAA Privacy is Not Political
Although abortion is a heated topic politically, the fundamental right to privacy in healthcare has never been political. Protecting the confidentiality of communications between patient and physician has been the bedrock of quality healthcare since the time of Hippocrates in ancient Greece.
The Roe v. Wade decision, at its core, was about privacy. The Court said a “right to privacy” protects a pregnant woman’s right to choose an abortion. It relied on a string of cases that came before, where the Court acknowledged that an individual’s privacy was a fundamental right protected by the due process clause of the Constitution.
Roe was decided in 1973, nearly a quarter century before HIPAA became law in 1996. The recent Dobbs decision twenty-six years later does not change HIPAA, but many providers are asking practical questions about how to apply it while treating women for reproductive health.
OCR Issues New Guidance to Help
To help clear up some confusion, on June 29, 2022, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), the agency that enforces HIPAA, issued new Guidance to inform providers and to assist patients in protecting their privacy surrounding reproductive health.
The two new publications are:
- HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care
- Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet (Note: this does not address smart watches or fitness trackers, which may also collect or store information about one’s location, nor does it address email.)
The Guidance states that, in general, it does two things:
- addresses how federal law and regulations protect individuals’ private medical information (known as protected health information or PHI) relating to abortion and other sexual and reproductive health care – making it clear that providers are not required to disclose private medical information to third parties; and
- addresses the extent to which private medical information is protected on personal cell phones and tablets, and provides tips for protecting individuals’ privacy when using period trackers and other health information apps.
A Quick Summary of Both
Review of the HIPAA Privacy Rule
The HIPAA Privacy Rule supports access to healthcare by giving individuals confidence that their protected health information (PHI) will be kept private. The Guidance is a reminder that covered entities can use or disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule.
In general, a covered entity is permitted, but not required, to disclose PHI in three cases: when required by law; for law enforcement purposes; or to avert a serious threat to health or safety. In each case, OCR emphasizes that the exceptions are narrowly tailored to protect the individual’s privacy and support their access to health services. The Guidance provides examples of each to illustrate how they might apply.
The Guidance also cautions that providers who may be concerned about their obligations to disclose PHI concerning reproductive health care should seek legal advice regarding their responsibilities under other federal and state laws.
Safeguard Privacy on Personal Devices
This Guidance is written for patients, explaining HIPAA basics and what it can and cannot protect. The core message is that information generated by individuals (and stored or transmitted on personal devices) is not covered by HIPAA. However, there are steps individuals can take to increase their privacy, and the Guidance outlines those steps for both Apple and Android devices.
Earlier this week we wrote about the proposed Health and Location Data Protection Act designed to prohibit data brokers from selling personal information gathered from personal devices. But that is not the law today. Unfortunately, our personal devices, which provide so much convenience and quick access to information we want every day, also expose our own information to the outside world.
The HIPAA E-Tool® Stays Up to Date
Even during times of change, covered entities and business associates with The HIPAA E-Tool® don’t need to worry about whether they have the latest information. You can avoid chaos because we keep current on HIPAA law so you don’t have to.