Following a ruling by the US Supreme Court that overturned Roe v Wade, the US Department of Health and Human Services’ Office for Civil Rights (OCR) issued new guidance to protect the privacy of patients seeking reproductive health care, as well as that of the clinicians who provide their care.
On June 29, 2022, OCR issued guidance on what is protected and what is not protected when using period trackers and other health information apps on smartphones.
The new guidance addresses how federal law and regulations protect individuals’ protected health information (PHI) relating to abortion and other sexual and reproductive health care. It states that providers are not required to disclose private medical information to third parties.
Cary Franklin, JD, Professor of Law at the UCLA School of Law and Faculty Director of the Center on Reproductive Health, Law, and Policy at UCLA, said that, particularly in anti-abortion states, clinicians may find themselves in a difficult position. Although physicians are covered by HIPAA, which provides them with some protection when it comes to disclosing patient records, there are exceptions to privacy protections. Some of those privacy exceptions could allow overzealous prosecutors and law enforcement officials to compel physicians to turn over records related to reproductive health care in states where abortion and related forms of health care have been criminalized after Roe v Wade was overturned.
“Physicians could resist such efforts by demanding that the state produce warrants and subpoenas, and if and when the state does produce such documents, physicians could challenge them in court,” Franklin said. “But the physicians are not certain to win in every case.”
Federal vs State Requirements
Daniel Lebovic, JD, a regulatory attorney at Compliancy Group, a Long Island, New York-based HIPAA compliance software company, said physicians are in a difficult position because the federal government and individual states may differ in their requirements. “For example, HIPAA may require or permit a physician to not disclose PHI under certain circumstances, while a state law may require that the physician disclose the exact same information to assist with a law enforcement investigation,” Lebovic said. “When there is a legal gray area, there is a heightened chance of litigation, or a potential enforcement action involving the physician on the one hand and the state or federal government on the other.”
The new privacy guidance issued since Roe v Wade was overturned addresses the extent to which an individual’s medical information is protected on personal cell phones and tablets. There is a growing concern that period trackers and other health information apps on smartphones may threaten a person’s right to privacy by disclosing geolocation data. Clearly, these data could be misused by those seeking to deny care.
The new guidance states the circumstances under which the HIPAA Privacy Rule permits disclosure of PHI without an individual’s authorization. Disclosures to law enforcement officials are permitted only in narrow circumstances tailored to protect an individual’s privacy and support their access to health care, including abortion care.
Cell Phone PHI Not Protected
In most cases, the HIPAA Privacy, Security, and Breach Notification Rules do not protect the privacy or security of individuals’ health information when they access or store the information on personal cell phones or tablets. The guidance explains how to turn off the location services on Apple and Android devices and identifies best practices for selecting apps, browsers, and search engines that are recognized as supporting increased privacy and security.
The HIPAA rules apply only when PHI is created, received, maintained, or transmitted by covered entities and business associates. The HIPAA rules do not protect the privacy of a person’s Internet search history, information voluntarily shared online, or their geographic location information. In most cases, HIPAA rules do not protect the privacy of data that a person has downloaded or entered into mobile apps for personal use, regardless of where the information came from.
The information that the device or apps collect about a person may be viewed or collected by other entities or used by the device or app vendors to send specific ads. A patient’s personal information may also be sold to a data broker, someone who obtains and shares consumer information without the consumers’ knowledge, often selling it for marketing or other purposes.
Although the HIPAA rules do not protect this information, there are steps that can help increase the privacy of personal health information when using personal mobile devices. It is not possible to eliminate the digital footprint entirely. However, there are steps that can reduce how much health and other personal information a cell phone or tablet collects and shares, such as where a person goes and what they do.
Avoid Downloading Certain Apps
The federal guidance now suggests that physicians counsel their patients to avoid downloading unnecessary or random apps, especially those that are free. “HIPAA could be strengthened and Congress could pass additional laws seeking to protect patient privacy and physicians’ practice of medicine, but there are political obstacles to accomplishing this,” Franklin said.
Many clinicians are concerned that the new Supreme Court ruling endangers people’s health and wellbeing and poses a major barrier to health care. “It makes it more difficult for people to access much-needed health care, and creates an atmosphere of fear and uncertainty among medical providers that may deter them from implementing the best course of treatment for their patients,” Franklin said.
Doriann Cain, JD, an attorney at the law firm Faegre Drinker based in Indianapolis, Indiana, who specializes in privacy, cybersecurity and data strategy, said she expects that the major issue regarding legal battles is going to stem from out-of-state subpoenas. In anticipation of the Dobbs decision, some states, including New York, Connecticut, and California, enacted safe-harbor laws. These laws prohibit courts in that state from issuing subpoenas to law enforcement agencies outside that state for support with abortion-related investigations. “Consequently, I recommend that providers put together a plan to understand whether a subpoena relating to reproductive health information is enforceable in their jurisdiction and the process they will utilize when responding to these requests,” Cain said.