HHS Issues Guidance on Patient Privacy Around Reproductive Rights
In the ongoing battle over the right to, and access to, abortion in the United States, on Friday, July 8, President Joe Biden signed an executive order doing what he could under federal law to protect women’s reproductive rights, with one element of that order being focused on protecting the privacy of patients seeking reproductive care. His order was followed by an announcement by Health and Human Services Secretary Xavier Becerra, announcing that the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) has issued new guidance to support women seeking reproductive care, as well as to support their healthcare providers.
The President directed HHS to consider additional actions to safeguard sensitive information related to reproductive health care, including under the Health Insurance Portability and Accountability Act. Becerra has directed the HHS Office for Civil Rights to issue new guidance related to the HIPAA Privacy Rule to clarify that doctors and medical providers are in most cases not required – and in many instances not permitted – to disclose the private information of patients, including to law enforcement. The office will also issue a guide for consumers on how to protect personal data on mobile apps.
The White House published a transcript of the President Biden’s remarks on Friday. Among other things, the President said that “The executive order provides safeguards to access care. A patient comes into the emergency room in any state in the union. She’s expressing and experiencing a life-threatening miscarriage, but the doctor is going to be so concerned about being criminalized for treating her, they delay treatment to call the hospital lawyer who is concerned the hospital will be penalized if a doctor provides the lifesaving care. It’s outrageous. I don’t care what your position is. It’s outrageous, and it’s dangerous. That’s why this executive order directs the Department of Health and Human Services — HHS — to ensure all patients, including pregnant women and girls experience pregnant — experiencing pregnancy loss get emergency care they need under federal law, and that doctors have clear guidance on their own responsibilities and protections no matter what the state — no matter what state they’re in. “
Moving onto patient data privacy, Biden said, “And equally important, this executive order protects patient privacy and access to information, which looking at the press assembled before me, probably know more about it than I do. I’m not a tech guy. I’m learning. But right now, when you use a search engine or the app on your phone, companies collect your data, they sell it to other companies, and they even share it with law enforcement. There’s an increasing concern that extremist governors and others will try to get that data off of your phone, which is out there in the ether, to find what you’re seeking, where you’re going, and what you’re doing with regard to your healthcare. Talk about no privacy — no privacy in the Constitution. There’s no privacy, period. This executive order asks the FTC to crack down on data brokers that sell private information to extreme groups or, in my view, sell private information to anybody.”
Following up on the President’s issuance of that executive order, Health and Human Services Secretary Xavier Becerra issued his own statement, also on Friday. It began thus:
“On the heels of the Supreme Court ruling in Dobbs vs. Jackson Women’s Health Organization, where the right to safe and legal abortion was taken away, President Biden and U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra called on HHS agencies to take action to protect access to sexual and reproductive health care, including abortion, pregnancy complications, and other related care. Today, in direct response, the HHS Office for Civil Rights (OCR) issued new guidance to help protect patients seeking reproductive health care, as well as their providers.”
As the announcement stated, “In general, the guidance does two things:
addresses how federal law and regulations protect individuals’ private medical information (known as protected health information or PHI) relating to abortion and other sexual and reproductive health care – making it clear that providers are not required to disclose private medical information to third parties; and
addresses the extent to which private medical information is protected on personal cell phones and tablets, and provides tips for protecting individuals’ privacy when using period trackers and other health information apps.
According to recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care.”
Further, Secretary Becerra stated that “How you access health care should not make you a target for discrimination. HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information. Anyone who believes their privacy rights have been violated can file a complaint with OCR as we are making this an enforcement priority. Today’s action is part of my commitment to President Biden to protect access to health care, including abortion care and other forms of sexual and reproductive health care.”
The HHS announcement went on to state that “This guidance addresses the circumstances under which the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits disclosure of PHI without an individual’s authorization. It explains that disclosures for purposes not related to health care, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to health care, including abortion care. Specifically, the guidance:
> Reminds HIPAA covered entities and business associates that they can use and disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule.
> Explains the Privacy Rule’s restrictions on disclosures of PHI when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.
OCR is also issuing information for individuals about protecting the privacy and security of their health information when using their personal cell phone or tablet. This guidance explains that, in most cases, the HIPAA Privacy, Security, and Breach Notification Rules do not protect the privacy or security of individuals’ health information when they access or store the information on personal cell phones or tablets. This guidance also provides tips about steps an individual can take to decrease how their cell phone or tablet collects and shares their health and other personal information without the individual’s knowledge. This guidance:
> Explains how to turn off the location services on Apple and Android devices.
> Identifies best practices for selecting apps, browsers, and search engines that are recognized as supporting increased privacy and security.
The guidance on the HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html.
The guidance on Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
If you believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint at https://www.hhs.gov/hipaa/filing-a-complaint/index.html.”
And, it adds, “For more information on how HHS is working to protect reproductive rights, visit ReproductiveRights.gov.”