HHS Issues New Guidance on Patient Privacy Following Dobbs Decision

On June 24, 2022, the United States Supreme Court held in Dobbs v. Jackson Women’s Health Organization that the United States Constitution does not confer a right to an abortion. In Dobbs, the Court explicitly overruled Roe vs. Wade and Casey vs. Planned Parenthood, raising many questions about the future of access to reproductive health care services for patients and how health care entities should address privacy concerns when patients seek abortion services or counseling or other reproductive health services in this rapidly evolving regulatory environment. 

Following a request from U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra for HHS agencies to take action to protect access to sexual and reproductive health care, the HHS Office for Civil Rights (OCR) released guidance on June 29, 2022, related to the disclosure of Health Insurance Portability and Accountability Act (HIPAA) and non-HIPAA covered health information and data to help protect patients seeking reproductive health care.

HIPAA Covered Information Guidance 

The guidance makes it clear that health care providers usually must obtain a patient's authorization before disclosing protected health information (PHI). Provider may disclose PHI without a patient’s authorization only in limited circumstances, and the guidance emphasizes that HIPAA permits but does not require such disclosures. Specifically, through a series of illustrative examples, OCR sets out the following conditions under which PHI may be disclosed: 

Disclosures of PHI Required by Law 

OCR explains that disclosures required by law are limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” Using an example where an individual arrives at an emergency department experiencing miscarriage complications during the tenth week of pregnancy, OCR explains that even if a hospital worker suspects the individual took medication to end their pregnancy, and the individual resides in a state that prohibits abortion at six weeks, the hospital cannot report such incident to law enforcement unless there is a law expressly requiring the hospital to make such a report. Put simply, laws prohibiting abortions but not explicitly requiring reporting to law enforcement would not fit within in the “required by law” permissible disclosure. 

Disclosures of PHI for Law Enforcement Purposes

HIPAA permits — but does not require — health care providers to disclose PHI about an individual for law enforcement purposes; such disclosure is permitted only if there is a mandate enforceable by law. For example, a health care provider could disclose the minimum amount of PHI necessary to respond to a court order, search warrant, criminal or civil subpoena, and qualified protective order. 

The guidance specifically states that HIPAA’s “permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care.” Consequently, absent a court order or other mandate enforceable in a court of law, providers cannot disclose PHI pursuant to a law enforcement request nor can they initiate a disclosure to law enforcement. 

Separately, even if providers receive subpoenas or similar legal process, providers will need to consider whether a specific mandate is enforceable in their own jurisdiction. Schisms across jurisdictions have already arisen, and we are likely to see new laws that seek to counter Dobbs. These laws may prohibit providers from responding to abortion-specific subpoenas or other law enforcement demands, especially if they originate in a different state.

Disclosures of PHI to Avert a Serious Threat to Health and Safety

The guidance also reiterates that disclosures to avert serious threat to health or safety are narrow. Specifically, this type of disclosure is only allowed if: (1) it is consistent with applicable law and standards of ethical conduct; (2) the provider believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and (3) the disclosure is to a person who is reasonably able to prevent or lessen the threat. 

OCR makes it clear that an individual’s desire to seek an abortion in another state that legally permits abortions does not qualify as a “a serious and imminent threat to the health or safety of a person or the public.” Additionally, it would be inconsistent with the provider’s professional standards of ethical conduct to make this type of disclosure. 

Non-HIPAA Covered Information Guidance 

In addition to the guidance related to HIPAA-covered health information, OCR also released guidance related to non-HIPAA covered health information and addressed the extent to which private health information is protected on personal cell phones and tablets. 

One of the most common misconceptions about HIPAA is that the HIPAA Rules protect all health information, regardless of who holds the information or where it is stored. This is not the case. As OCR’s guidance clarified, HIPAA applies when personal health information is created, received, maintained or transmitted by covered entities, such as a health plan or health care provider, and their business associates. The HIPAA Rules “generally do not protect the privacy or security of your health information when it is accessed through or stored on your personal cell phones or tablets.” HIPAA also generally does not protect the privacy of any data that a person downloads or voluntarily enters into a mobile app for personal use, unless the app was provided by a covered entity or a business associate.

OCR’s guidance provided detailed information about best practices for protecting the privacy and security of health information accessed or stored on personal cell phones and tablets, including tips on how to reduce the amount of information a cell phone or tablet collects and shares without an individual’s knowledge.

OCR’s guidance notes that while it is impossible to entirely eliminate a person’s digital footprint, there are many steps that can enhance privacy protections, including:

• Avoid downloading random or unnecessary apps, especially those that are “free”
• Avoid granting any app permission to access location data, except when necessary (e.g., navigation apps)
• Turn off the location services on personal cell phones or tablets
• Use strong encryption by default when transmitting data
• Enable technologies to limit or block tracking tools
• Ensure that all data is removed from old cell phones or tablets prior to disposing of them

OCR’s guidance comes amid reports that “many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data” that could be accessed by those seeking to deny care. Secretary Becerra emphasized that “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information.” General awareness of the limits of HIPAA and how private health information and non-PHI may be inadvertently shared and accessed is important to protect the overall privacy of personal health information collected or stored on cell phones or tablets.

We expect the guidance from OCR to continue to evolve, and we will continue to monitor these updates.