OCR Issues Post-Dobbs Guidance on HIPAA Privacy and Security Issues Relating to Reproductive Health Care


News Release: HHS Issues Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe (June 29, 2022); HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care (June 29, 2022); Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet (June 29, 2022)


In response to the U.S. Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, which concluded that the Constitution does not prohibit states from regulating or banning abortion (see our Checkpoint article), HHS’s Office for Civil Rights (OCR) has issued guidance addressing HIPAA privacy protections around reproductive health care. The guidance addresses how HIPAA protects the privacy of individuals’ protected health information (PHI) relating to abortion and other sexual and reproductive health care, emphasizing that covered entities (health plans, most health care providers, and health care clearinghouses) can use or disclose PHI only as expressly permitted or required by the HIPAA privacy rule. The guidance focuses on the privacy rule’s provisions for disclosures required by law, for law enforcement purposes, and to avert a serious threat to health or safety. OCR indicates that, except in the case of a law that expressly compels a covered entity to disclose PHI and is legally enforceable in court, these provisions permit but do not require covered entities to disclose PHI. Examples are provided of situations that providers may face in states where abortion is restricted or banned.

Separately, OCR has provided guidance for individuals on protecting the privacy and security of PHI when using a personal cell phone or tablet. OCR cautions that HIPAA generally does not protect the privacy or security of health information accessed through or stored on personal cell phones or tablets because the protections apply only to PHI created, received, maintained, or transmitted by covered entities and business associates. For example, HIPAA does not protect the privacy of an individual’s internet search history, information voluntarily shared online, or geographic location. In most cases, unless a health app is provided by a covered entity or its business associate (see our Checkpoint article), HIPAA also does not protect the privacy of data downloaded or entered into mobile apps for personal use, regardless of the information’s source. Tips are provided for maintaining the privacy and security of personal and health information on cell phones and tablets, with links to numerous resources.

EBIA Comment: Although the scenarios in the disclosures guidance are geared to providers, health plans also are likely to face HIPAA privacy and security challenges as states respond to the Dobbs decision. Employers sponsoring group health plans should pay particular attention to the rules for disclosing PHI from the plan to the plan sponsor’s employees. Among other requirements, the employees must perform plan administration functions, must not use the PHI for employment-related purposes, and must be inside the HIPAA firewall. Although not mentioned in the guidance, individuals also have the right to request alternate means of communication (e.g., to a P.O. box rather than a home address) and restrictions on uses and disclosures of PHI (e.g., that PHI not be disclosed to particular family members). A plan’s use and disclosure policies must be disclosed in its Notice of Privacy Practices; this would be an opportune time for health plans to review their Notices for accuracy and completeness. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIII (“How the Privacy and Security Rules Affect Group Health Plans and Plan Sponsors”), XXIV.B (“What Is a Business Associate?”), XXVI (“Core Privacy Requirement #1: Use and Disclosure Rules”), XXVII.E (“Right to Request Restrictions on Uses and Disclosures”), XXVII.F (“Right to Request Alternate Communications”), and XXVII.G (“Right to Receive Notice of Privacy Practices”).

Contributing Editors: EBIA Staff.
