New HHS Guidelines, HIPAA, Healthcare, PHI Privacy

June 30, 2022 | 4 minutes read
New HHS Guidelines, HIPAA, Healthcare, PHI Privacy

While the legal, social, and civil rights implications of the historic overturning of Roe v. Wade in June of 2022 will continue to unfold for years to come, the ruling will have an immediate impact on the manner in which healthcare providers are required to protect the personal information and privacy of their respective patients. To this point, the United States Department of Health and Human Services Office for Civil Rights (HSS OCR) issued new privacy guidelines on Wednesday, Jun 29, 2022, in response to the Supreme Court’s decision concerning abortion rights. As the provisions of The Health Insurance Portability and Accountability Act of 1996 (HIPAA) prohibit healthcare providers from disclosing the personal data of their patients, there is a great level of confusion as it pertains to the forms of information that are still protected under the law.

HIPAA privacy rule

As many states around the country have passed or are working towards passing legislation that effectively restricts the abortion rights of women that reside within the U.S., certain categories of healthcare information that had previously been protected by the provisions of HIPAA would cease to be protected. More specifically, the HSS OCR is responsible for both administering and enforcing “the Privacy Rule, which establishes requirements with respect to the use, disclosure, and protection of PHI by covered entities (health plans, health care clearinghouses, and most health care providers)4 and, to some extent, by their business associates.” Likewise, the new privacy guidelines that were set forth are designed to give healthcare providers and patients alike more clarity regarding the situation.

Generally speaking, the guidance prohibits healthcare providers from disclosing the Protected Healthcare Information (PHI) of their patients to non-medical professionals. However, just as is the case with any other major law or regulation that has been passed at the Federal level in the U.S., there are exceptions to this rule. To illustrate this point further, many women around the country are concerned that mobile healthcare information applications such as period trackers will threaten their ability to receive medical care to the disclosure of geolocation data that is associated with the use of such software.

Disclosing PHI

Speaking in broad terms, the new HHS OCR guidance contains two major points. Firstly, the guidance states that healthcare providers are not required to disclose the PHI of their patients to third parties, including information relating to sexual reproductive healthcare, as well as abortions. Secondly, the guidelines also state that the PHI that an individual may store within a smartphone, cellular device, or tablet is also protected under the law, irrespective of any legislation that has been passed within a particular state as it concerns the legality of abortion. To take it a step further, the HSS OCR has stated that “Anyone who believes their privacy rights have been violated can file a complaint with OCR as we are making this an enforcement priority.”

On the other hand, the new privacy guidelines do permit healthcare providers to disclose the PHI of their patients to third parties or non-medical personnel under certain circumstances. For example, healthcare providers are required to disclose the PHI of one of their patients to a law enforcement official if such information is “pursuant to the process and as otherwise required by law”. For example, a healthcare provider would be required to disclose a patient’s PHI in response to a court-ordered summons, subpoena, or warrant. However, healthcare providers are not required to disclose the PHI of a patient in the absence of a mandate that has been issued by a U.S. court of law.

Interstate enforcement

Furthermore, the HHS OCR guidance also permits healthcare providers to disclose the PHI of their patients if such disclosure is necessary to avert a serious threat to the health or safety of said patients. Nevertheless, the law also states that “an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a serious and imminent threat to the health or safety of a person or the public”. For instance, an individual that lives in a state where abortion has been made illegal is free to seek such healthcare services in another state where abortion is legal. If the healthcare provider for said individual attempted to report their intent to a law enforcement official within the state, such actions would constitute a violation of HIPAA.

While the topic of abortion rights exists as the intersection of politics, healthcare, civil rights, and social issues, the overturning of Roe v. Wade does not give healthcare professionals or law enforcement officials the power to infringe on the personal privacy rights of citizens within the U.S. as it relates to the disclosure of PHI. Conversely, individuals that feel as though the privacy rights that they are entitled to under HIPAA have been violated by a healthcare provider or law enforcement official retain the right to seek legal action against any accused parties. With all this being said, all citizens within the U.S. have the right to keep their PHI private and confidential, regardless of any legal rulings that may transpire at either the State or Federal levels around the country.

Related Reads

Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Arizona’s Proposed New Law on Public Records Requests
March 13, 2023 | 7 minutes read
Arizona’s Proposed New Law on Public Records Requests

A Bit of History The date February 14th might stand out to most of us, and if you haven’t figured out why, it’s because it is the anniversary of Arizona’s Statehood. Over 100 years ago, Arizona became the 48th state to be admitted into the United States. Since governance is as old as human history, […]

Learn More »
What is a Data Subject Access Request? New Privacy Laws
January 11, 2023 | 4 minutes read
What is a Data Subject Access Request? New Privacy Laws

Data Subject Access Requests (DSAR) are the primary means by which a business can maintain transparency with the customers they serve.

Learn More »