In the wake of the Supreme Court’s decision to overturn Roe v. Wade, the Department of Health and Human Services (HHS) Office for Civil Rights issued new guidance on June 30 regarding patient privacy for health care providers and patients seeking access to reproductive health care services.
The guidance, titled “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care,” explains that the federal Health Insurance Portability and Accountability Act (HIPAA) permits providers to disclose protected health information (which would include information about abortion and other sexual and reproductive care) without a person’s authorization for purposes not related to health care only in “narrow circumstances.”
According to the guidance, HIPAA allows disclosure of protected health information when expressly required by another law when the request is made “through such legal processes as a court order or court-ordered warrant.” When a disclosure is required by law, the disclosure must be limited only to the relevant requirements of that law.
The guidance also points out that if a patient notifies their provider that they plan to seek an abortion in another state where abortion is legal, the privacy rule does not permit the provider to report that statement to law enforcement, because the statement does not qualify as a serious and imminent threat to the health and safety of a person or the public.
The guidance provides several examples of situations regarding a provider’s responsibility to protect this health information, including if the provider suspects the patient induced an abortion, when a patient notifies the provider that they are planning to have an abortion, and when law enforcement requests patient information.
HHS also issued separate guidance about protecting the privacy and security of health information when using personal cellphones or tablets. This guidance explains that most health apps are not covered by the HIPAA privacy or security rules, since most app developers are not HIPAA-covered entities. As a result, personal health care data entered, collected, or transmitted by those apps (e.g., geolocation data) is not protected, and the information could potentially be disclosed. The guidance includes best practices for using these health apps to limit potential disclosures of personal health information. These include turning off location services on apps and selecting apps and browsers that prioritize privacy.