OCR Issues Patient Privacy, HIPAA Privacy Rule Guidance After Roe v. Wade Ruling

July 05, 2022 - The HHS Office for Civil Rights (OCR) issued guidance on patient privacy and rights under the HIPAA Privacy Rule that can help patients maintain security and privacy in light of the recent Roe v. Wade ruling.

The guidance contains information on how and when the HIPAA Privacy Rule restricts disclosures of protected health information (PHI) and how patients can safely and securely use their personal cell phones or tablets to access their health information.

The first guidance serves to remind HIPAA-covered entities and their business associates that they can only disclose PHI without a patient’s authorization in select circumstances outlined in the HIPAA Privacy Rule.

“The Privacy Rule permissions for disclosing PHI without an individual’s authorization for purposes not related to health care, such as disclosures to law enforcement officials, are narrowly tailored to protect the individual’s privacy and support their access to health services,” the guidance stated.

For example, HHS described a situation in which an individual went to the hospital with complications related to miscarriage during the tenth week of pregnancy, and a hospital worker suspected the individual of taking medication to terminate their pregnancy.

READ MORE: How New Federal, State Laws Impact Healthcare Data Privacy

State law in this scenario prohibits abortion after six weeks but does not mandate that the hospital report individuals to law enforcement.

“Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the ‘required by law’ permission,” the guidance explained.

“Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.”

HHS also stressed that the HIPAA Privacy Rule permits but does not require covered entities to disclose PHI to law enforcement under specific circumstances.

“In the absence of a mandate enforceable in a court of law, the Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care,” HHS continued.

READ MORE: Senators Question Talkspace, BetterHelp On Patient Data Privacy Practices

“That is true whether the workforce member initiated the disclosure to law enforcement or others or the workforce member disclosed PHI at the request of law enforcement.”

In its second guidance document, HHS provided best practices for selecting browsers, applications, and search engines that support enhanced privacy and security and explained how patients can turn off location services on Apple and Android devices.

The guidance emphasized that the HIPAA Privacy, Security, and Breach Notification Rules do not protect an individual’s health information when it is stored on a personal cell phone or tablet.

“It is not possible to eliminate your digital footprint entirely,” HHS explained.

“But there are steps you can take to decrease how your cell phone or tablet collects and shares your health and other personal information, such as where you go and what you do, without your knowledge.”

READ MORE: Senators Call on FTC to Investigate Apple, Google’s “Deceptive” Data Privacy Practices

HHS recommended that patients look for apps that use strong encryption by default when transmitting data, do not collect or store personal information, and enable technologies that limit tracking tools, such as cookies.

HHS reminded users that even with these precautions, “the very nature of cell phones (and some tablets) permits tracking because your cellular service provider’s network records identifying information (such as subscriber and device information) when you are connected to it.”

The best way to protect health data is to limit the amount of data you share and store through the device, HHS stressed.

“How you access health care should not make you a target for discrimination. HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” Xavier Becerra, HHS Secretary, explained in a press release.

“Anyone who believes their privacy rights have been violated can file a complaint with OCR as we are making this an enforcement priority. Today’s action is part of my commitment to President Biden to protect access to health care, including abortion care and other forms of sexual and reproductive health care.”

Lawmakers and government agencies across the country have been trying to protect patient privacy and security since the ruling. In late June, US Senators introduced the Health and Location Data Protection Act, which would ban data brokers from selling location and health data.

Additionally, a group of Senators sent a letter to the Federal Trade Commission (FTC) asking it to launch an investigation into Apple and Google’s “unfair and deceptive” privacy practices.

The letter alleged that the two tech giants were knowingly “enabling the collection and sale of hundreds of millions of mobile phone users’ personal data,” an action that could have serious consequences in the wake of the Supreme Court’s decision to overturn Roe v. Wade.

Senators also aimed to crack down on popular health apps, urging BetterHelp and Talkspace to provide clarity on their patient data privacy practices following reports of improper data collection, mining, and dissemination.

Patient privacy is increasingly becoming a top concern for lawmakers as reliable access to safe and legal reproductive care continues to be threatened in certain states.