The HHS’ Office for Civil Rights (OCR) has recently issued guidance on HIPAA and explained how HIPAA protects the privacy of individuals’ reproductive health information following the decision of the U.S. Supreme Court in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade and removed the right for women to have an abortion. OCR has also issued guidance for consumers on when the HIPAA Rules do not apply to reproductive health data.
HIPAA and Reproductive Health Care Information
Guidance for healthcare organizations has been issued on the uses and disclosures of protected health information related to reproductive health care under HIPAA. OCR has confirmed that PHI related to reproductive health care cannot be disclosed without an authorization from the individual concerned, except in limited circumstances. Those circumstances are when the disclosure is necessary for treatment, payment, or healthcare operations.
Currently, 13 states have trigger laws in place that result in bans on abortions in the event of Roe v. Wade being overturned, and it is likely that around half of U.S. states will similarly move to restrict abortions or make them illegal. While the HIPAA Privacy Rule permits a healthcare provider to disclose an individual’s protected health information – to law enforcement for example – to prevent or lessen a “serious and imminent threat to health or safety,” they are not required to do so.
The HHS pointed out that if a patient has disclosed that they are planning to travel to another state to have an abortion, this does not constitute “a serious or imminent threat to health and safety”, and covered entities have been advised not to disclose that information to law enforcement, even if an abortion in the patient’s state is not legal. Such a disclosure would be “inconsistent with professional ethical standards as it compromises the integrity of the patient-physician relationship and may increase the risk of harm to the individual.” OCR also pointed out that such a disclosure would be a breach of unsecured protected health information – a HIPAA violation.
OCR explained that in the event of a law enforcement official going into a reproductive health care clinic and requesting records of abortions performed at the clinic, “If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request.” If a court order is received to disclose protected health information, HIPAA-covered entities have been reminded that they should only disclose the information expressly authorized to be released by the court.
Guidance for Consumers on Reproductive Health Information Collected by Health Apps
Reproductive health information is classed as protected health information (PHI) under HIPAA and is subject to the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule restricts uses and disclosures of PHI and the HIPAA Security Rule requires safeguards to be implemented to prevent unauthorized access.
When PHI is collected, stored, maintained, or transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity, the HIPAA Rules apply. However, the developers of many health apps – including fertility tracking apps and other pregnancy-related health apps – are not HIPAA-covered entities and are not usually business associates, so the HIPAA Rules do not apply. The issue at hand is that these apps can record geolocation data, which could be disclosed to third parties. In such cases, that information could be abused by those seeking to deny individuals access to reproductive health care services.
“How you access health care should not make you a target for discrimination. HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” said HHS Secretary Xavier Becerra.
If individuals believe their privacy rights have been violated, Becerra encourages them to file a complaint with OCR, which will treat violations involving reproductive health care data as an enforcement priority. OCR has also shared advice for consumers on how to better protect their privacy when using reproductive healthcare-related apps, such as how to remove permissions for apps to access the user’s location.