Protection file

OCR Releases Reproductive Health Data Protection Guidelines | Manatt, Phelps & Phillips, LLP

Following the Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization, the Department of Health and Human Services’ Office of Civil Rights (OCR) yesterday released guidance on how the Health Insurance Portability and Accountability Act (HIPAA) protects health information relating to abortion and other sexual and reproductive health care. Separately, the OCR has also issued guidelines on the extent to which health information is protected on personal cellphones and tablets, and provides guidance for protecting the privacy of individuals when using health information apps.

The first guidance document mentioned above, titled “HIPAA Privacy Policy and Reproductive Health Care Information Disclosure”, notes that disclosures for non-health care purposes, such as disclosures to officials of law enforcement, are permitted only in narrow circumstances. The guidance states that the Privacy Rule permits, but does not require Covered Entities, to disclose Protected Health Information (PHI) about an individual without that individual’s authorization, when such disclosure is required by another. law, and that authorization to disclose PHI as “required by law” is limited to “a mandate contained in law that requires an entity to use or disclose PHI and that is enforceable in court.”

In line with the above, the guidelines state that if a person goes to a hospital emergency department with complications from a miscarriage in the tenth week of pregnancy, and a member of the hospital staff suspect the person took medication to end the pregnancy in violation of a state law prohibiting abortion after six weeks of pregnancy, the HIPAA privacy rule would not allow the hospital to report the patient in the absence of state law expressly requiring such declaration. Similarly, if a law enforcement official requests records of abortions performed at a reproductive health care clinic, the confidentiality rule would not allow the clinic to release those records unless the request is accompanied court order or other legally enforceable warrant, or the State has enacted a law requiring such declaration.

The guide also notes that if a pregnant person in a state that prohibits abortion informs their health care provider that they intend to have an abortion in another state where abortion is legal, the confidentiality rule would not allow the supplier to report the statement to law enforcement. , both because a statement indicating a person’s intention to have a legal abortion does not pose a serious and imminent threat to the health or safety of any person or the public, and because the statement would compromise the integrity of the patient-physician relationship and could increase the risk of harm to the patient. In doing so, the guidelines effectively take the position that a fetus is not a “person” subject to certain protections.

The second guidance document mentioned above, “Protecting the privacy and security of your health information when using your personal cell phone or tablet,” notes that in most cases HIPAA does not protect not protect the privacy or security of individuals’ health information when they access or store the information on personal mobile phones or tablets, and provides guidance on steps an individual can take to protect their information, including disabling location services, avoiding downloading unnecessary apps and adjusting mobile phone or tablet settings to automatically deny requests from app developers to track an individual’s activity. The guidelines recognize that even if a person follows all of the recommended steps, it will not eliminate their reproductive health digital footprint.

Guidance documents can be found here: HIPAA Privacy Policy and Reproductive Health Care Information Disclosure and Protecting the Privacy and Security of Your Health Information When Using Your Mobile Phone or Tablet personal.