In the wake of the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, the Department of Health and Human Services Office for Civil Rights (OCR) yesterday issued guidance addressing how the Health Insurance Portability and Accountability Act (HIPAA) protects health information relating to abortion and other sexual and reproductive health care. Separately, OCR also issued guidance that addresses the extent to which health information is protected on personal cell phones and tablets and provides tips for protecting individuals’ privacy when using health information apps.
The first guidance document referenced above, titled “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care,” notes that disclosures for purposes not related to health care, such as disclosures to law enforcement officials, are permitted only in narrow circumstances. The guidance notes that the Privacy Rule permits but does not require covered entities to disclose protected health information (PHI) about an individual without the individual’s authorization, when such disclosure is required by another law, and that the permission to disclose PHI as “required by law” is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.”
Consistent with the foregoing, the guidance notes that if an individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy, and a hospital workforce member suspects the individual of having taken medication to end their pregnancy in violation of a state law prohibiting abortion after six weeks of pregnancy, the HIPAA Privacy Rule would not permit the hospital to report the patient absent a state law expressly requiring such reporting. Similarly, if a law enforcement official requests records of abortions performed at a reproductive health care clinic, the Privacy Rule would not permit the clinic to disclose such records unless the request is accompanied by a court order or other legally enforceable mandate, or the state adopted a law requiring such reporting.
The guidance also notes that if a pregnant individual in a state that bans abortion informs their health care provider that they intend to seek an abortion in another state where abortion is legal, the Privacy Rule would not permit the provider to report the statement to law enforcement, both because a statement indicating an individual’s intent to get a legal abortion does not qualify as a serious and imminent threat to the health or safety of a person or the public, and because reporting the statement would compromise the integrity of the patient–physician relationship and could increase the risk of harm to the patient. In doing so, the guidance effectively takes the position that a fetus is not a “person” subject to certain protections.
The second guidance document referenced above, “Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet,” notes that in most cases, HIPAA does not protect the privacy or security of individuals’ health information when they access or store the information on personal cell phones or tablets, and provides tips about steps an individual can take to protect their information, including by turning off location services, avoiding downloading unnecessary apps and adjusting cell phone or tablet settings to automatically deny app developer requests to track an individual’s activity. The guidance acknowledges that even if an individual follows all of the recommended steps, doing so will not eliminate an individual’s digital footprint related to reproductive health.
The guidance documents can be found here: HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care and Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet.