On June 29, 2022, the U.S. Department of Health and Human Services Office for Civil Rights released two guidance documents addressing (1) disclosures under the HIPAA Privacy Rule relating to reproductive health care (“Disclosure Guidance”), and (2) the privacy and security of reproductive health information on personal cell phones and tablets (“Personal Device Guidance”). Both guidance documents were posted several days after the Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization, which overturned a woman’s right to an abortion established under Roe v. Wade and Casey v. Planned Parenthood of Pennsylvania. These guidance documents seek to provide clarity for entities and individuals concerned about the health care and privacy law implications resulting from the Dobbs decision and the interplay with state laws and public comments in the wake of this decision.
What You Need to Know:
- Following the Supreme Court decision overturning Roe v. Wade, the U.S. Department of Health and Human Services Office for Civil Rights released two guidance documents to provide clarity for entities and individuals concerned about the health care and privacy law implications resulting from the decision.
- The Disclosure Guidance addresses the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule relating to reproductive health care.
- The Personal Device Guidance addresses the extent to which private medical information is protected on an individual's personal cell phone and tablet.
1. The Disclosure Guidance addresses the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, which provides disclosure guidelines to HIPAA-covered entities in order to protect the privacy of individuals’ protected health information (“PHI”), including information relating to abortion, contraception, and other sexual and reproductive health care provided to HIPAA-covered entities. Specifically, the Disclosure Guidance addresses three scenarios and provides examples in which the HIPAA Privacy Rule permits, but does not require, a HIPAA-covered entity to disclose PHI without an individual’s authorization:
- Disclosures required by law: The HIPAA Privacy Rule permits a covered entity to disclose PHI required by another law, so long as the disclosure is limited to the “mandate contained” in that law. Any such disclosure is limited to the requirements of that law; disclosures that exceed what is required by such law are not permissible.
- Disclosures for law enforcement purposes: A HIPAA-covered entity can respond to a law enforcement request (such as a court-ordered warrant or subpoena) by disclosing only the requested PHI. The covered entity must ensure all conditions specified in the HIPAA Privacy Rule for a disclosure to law enforcement are satisfied.
- Disclosures to avert a serious threat to health or safety: A HIPAA-covered entity is permitted (but not required) to disclose PHI if the covered entity, in good faith, and consistent with applicable law and standards of ethical conduct, believes the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. The disclosure must be made to person(s) who can reasonably prevent or lessen the threat.
2. The Personal Device Guidance addresses the extent to which private medical information is protected on an individual’s personal cell phone and tablet. In response to patient concerns regarding the use of period trackers and other health information applications, the Personal Device Guidance provides tips for protecting individuals’ privacy when using these tools. Generally, HIPAA does not protect the privacy or security of health information that is accessed or stored on personal devices. Unless a period tracking or reproductive health app is provided by a HIPAA-covered entity or business associate, the HIPAA regulations do not protect the privacy of that data. The Personal Device Guidance provides step-by-step guidance for individuals to protect their data on various portable personal devices.
As a result of the Dobbs decision, there is increased uncertainty by and between various state laws and the role of HIPAA and the protection of PHI. Covered entities and business associates will likely confront scenarios involving patient care that may be addressed by the Disclosure Guidance and/or the Personal Device Guidance. If these documents do not address your particular situation or you are not sure of the impact of Dobbs upon state law(s) and your responsibilities, you should seek legal counsel. Saul Ewing attorneys regularly assist covered entities with HIPAA compliance and the Firm has created a post-Dobbs task force of attorneys who practice in multiple disciplines to respond to queries from clients. For more information relating to the Firm’s health care, HIPAA and/or issues post-Dobbs, please contact the authors or the Firm's attorney with whom you are regularly in contact.