HHS Issues New Guidance on Protecting Patient Privacy Following Supreme Court Ruling
On June 29, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced new guidance to help protect the privacy of patients seeking reproductive healthcare, as well as their providers. “On the heels of the Supreme Court ruling in Dobbs vs. Jackson Women’s Health Organization, where the right to safe and legal abortion was taken away, President Biden and U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra called on HHS agencies to take action to protect access to sexual and reproductive health care, including abortion, pregnancy complications, and other related care,” an article on the guidance says.
The article states that “In general, the guidance does two things:
- addresses how federal law and regulations protect individuals’ private medical information (known as protected health information or PHI) relating to abortion and other sexual and reproductive health care – making it clear that providers are not required to disclose private medical information to third parties; and
- addresses the extent to which private medical information is protected on personal cell phones and tablets, and provides tips for protecting individuals’ privacy when using period trackers and other health information apps.”
Recent reports have found that patients are concerned that period trackers and other health information apps on smartphones could disclose geolocation data, which may now be misused by those looking to deny care.
The article adds that the guidance addresses circumstances under which the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits disclosure of PHI without an individual’s authorization. The guidance details that disclosures for purposes that are unrelated to healthcare, such as disclosure to law enforcement, are allowed in only very narrow circumstances designed to protect the individual’s privacy and support their access to healthcare, including abortion care. In particular, the guidance reminds HIPAA covered entities and business associates that they can use and disclose PHI without an individual’s signed authorization only as expressly permitted or required by the Privacy Rule, and clarifies the Privacy Rule’s limitations on disclosures of PHI when required by law, for law enforcement purposes, and to avoid a serious threat to health or safety.
Moreover, “OCR is also issuing information for individuals about protecting the privacy and security of their health information when using their personal cell phone or tablet. This guidance explains that, in most cases, the HIPAA Privacy, Security, and Breach Notification Rules do not protect the privacy or security of individuals’ health information when they access or store the information on personal cell phones or tablets. This guidance also provides tips about steps an individual can take to decrease how their cell phone or tablet collects and shares their health and other personal information without the individual’s knowledge. This guidance:
- Explains how to turn off the location services on Apple and Android devices.
- Identifies best practices for selecting apps, browsers, and search engines that are recognized as supporting increased privacy and security.”
HHS Secretary Xavier Becerra was quoted in the article saying that “How you access healthcare should not make you a target for discrimination. HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information. Anyone who believes their privacy rights have been violated can file a complaint with OCR as we are making this an enforcement priority. Today’s action is part of my commitment to President Biden to protect access to healthcare, including abortion care and other forms of sexual and reproductive healthcare.”