In response to the Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade, the U.S. Department of Health and Human Services (“HHS”) has issued new HIPAA guidance to help protect patients and their providers with respect to reproductive health care.
According to an HHS news release, in general, the guidance does two things:
- addresses how HIPAA protects individuals’ private medical information relating to abortion and other sexual and reproductive health care, making it clear that providers are not required to disclose private medical information to third parties; and
- addresses the extent to which private medical information is protected on personal cell phones and tablets, and provides tips for protecting individuals’ privacy when using period trackers and other health information apps.
Law: The HIPAA Privacy Rule establishes standards to protect individuals’ medical records and other protected health information (“PHI”). The rule applies to group health plans and their business associates, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Privacy Rule requires covered entities to implement appropriate safeguards to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures of PHI by covered entities without individual authorization.
The HIPAA Security Rule applies to group health plans (and business associates), health care clearinghouses, and to any health care provider who transmits PHI in electronic form (“e-PHI”). The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit, and identify and protect against reasonably anticipated threats to the security or integrity of the information.
New Guidance. The new guidance addresses the circumstances under which the HIPAA Privacy Rule permits disclosure of PHI without an individual’s authorization. It explains that disclosures for purposes not related to health care, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to health care, including abortion care. According to the news release, the guidance:
- reminds HIPAA-covered entities (including group health plans and business associates) that they can use and disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule, and
- explains the Privacy Rule’s restrictions on disclosures of PHI when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.
HHS has also issued guidance for individuals about protecting the privacy and security of their health information when using their personal cell phone or tablet. This guidance explains that, in most cases, the HIPAA Privacy and Security Rules do not protect the privacy or security of individuals’ health information when they access or store the information on personal cell phones or tablets. This guidance also provides tips about how individuals can protect their phone’s security.
The guidance on the HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care may be found at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html.
The guidance on Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet may be found at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
If someone believes that a HIPAA-covered entity or its business associate violated their health information privacy rights or committed another HIPAA violation, they may file a complaint at: https://www.hhs.gov/hipaa/filing-a-complaint/index.html.
The news release can be found at: https://www.hhs.gov/about/news/2022/06/29/hhs-issues-guidance-to-protect-patient-privacy-in-wake-of-supreme-court-decision-on-roe.html