New HHS Guidelines, HIPAA, Healthcare, PHI Privacy
While the legal, social, and civil rights implications of the historic overturning of Roe v. Wade in June of 2022 will continue to unfold for years to come, the ruling will have an immediate impact on the manner in which healthcare providers are required to protect the personal information and privacy of their respective patients. To this point, the United States Department of Health and Human Services Office for Civil Rights (HHS OCR) issued new privacy guidelines on Wednesday, June 29, 2022, in response to the Supreme Court’s decision concerning abortion rights. As the provisions of The Health Insurance Portability and Accountability Act of 1996 (HIPAA) prohibit healthcare providers from disclosing the personal data of their patients, there is a great level of confusion as it pertains to the forms of information that are still protected under the law.
HIPAA privacy rule
As many states around the country have passed or are working towards passing legislation that effectively restricts the abortion rights of women who reside within the U.S., certain categories of healthcare information that had previously been protected by the provisions of HIPAA would cease to be protected. More specifically, the HHS OCR is responsible for both administering and enforcing “the Privacy Rule, which establishes requirements with respect to the use, disclosure, and protection of PHI by covered entities (health plans, health care clearinghouses, and most health care providers) and, to some extent, by their business associates.” Likewise, the new privacy guidelines that were set forth are designed to give healthcare providers and patients alike more clarity regarding the situation.
Generally speaking, the guidance prohibits healthcare providers from disclosing the Protected Healthcare Information (PHI) of their patients to non-medical professionals. However, just as is the case with any other major law or regulation that has been passed at the Federal level in the U.S., there are exceptions to this rule. To illustrate this point further, many women around the country are concerned that mobile healthcare information applications such as period trackers will threaten their ability to receive medical care due to the disclosure of geolocation data that is associated with the use of such software.
Speaking in broad terms, the new HHS OCR guidance contains two major points. Firstly, the guidance states that healthcare providers are not required to disclose the PHI of their patients to third parties, including information relating to sexual reproductive healthcare, as well as abortions. Secondly, the guidelines also state that the PHI that an individual may store within a smartphone, cellular device, or tablet is also protected under the law, irrespective of any legislation that has been passed within a particular state as it concerns the legality of abortion. To take it a step further, the HHS OCR has stated that “Anyone who believes their privacy rights have been violated can file a complaint with OCR as we are making this an enforcement priority.”
On the other hand, the new privacy guidelines do permit healthcare providers to disclose the PHI of their patients to third parties or non-medical personnel under certain circumstances. For example, healthcare providers are required to disclose the PHI of one of their patients to a law enforcement official if such information is “pursuant to the process and as otherwise required by law”. For instance, a healthcare provider would be required to disclose a patient’s PHI in response to a court-ordered summons, subpoena, or warrant. However, healthcare providers are not required to disclose the PHI of a patient in the absence of a mandate that has been issued by a U.S. court of law.
Furthermore, the HHS OCR guidance also permits healthcare providers to disclose the PHI of their patients if such disclosure is necessary to avert a serious threat to the health or safety of said patients. Nevertheless, the law also states that “an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a serious and imminent threat to the health or safety of a person or the public”. For instance, an individual who lives in a state where abortion has been made illegal is free to seek such healthcare services in another state where abortion is legal. If the healthcare provider for said individual attempted to report their intent to a law enforcement official within the state, such actions would constitute a violation of HIPAA.
While the topic of abortion rights exists at the intersection of politics, healthcare, civil rights, and social issues, the overturning of Roe v. Wade does not give healthcare professionals or law enforcement officials the power to infringe on the personal privacy rights of citizens within the U.S. as it relates to the disclosure of PHI. Conversely, individuals who feel as though the privacy rights that they are entitled to under HIPAA have been violated by a healthcare provider or law enforcement official retain the right to seek legal action against any accused parties. With all this being said, all citizens within the U.S. have the right to keep their PHI private and confidential, regardless of any legal rulings that may transpire at either the State or Federal levels around the country.