In the wake of the Dobbs decision, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued new guidance regarding the privacy of patients seeking reproductive health care.
The guidance addresses two issues: (1) how federal law and regulations protect patients’ medical information relating to reproductive health care, and (2) the extent to which private medical information is protected on personal devices and how consumers can protect the privacy of their health information when using period trackers and other health-related apps.
Protecting the Privacy of Patients’ Information in Health Care Settings
The guidance affirms that federal rules to protect individuals’ protected health information (PHI) are already in place under the Health Insurance Portability and Accountability Act (HIPAA). Specifically, the guidance emphasizes that covered entity health care providers, health plans and health care clearinghouses can use or disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the HIPAA Privacy Rule.
HHS OCR clarifies that disclosures for purposes not directly related to the provision of health care to an individual—such as disclosures to law enforcement officials or to avert a serious threat to health or safety—are permitted only in specific circumstances and if certain requirements are met. HIPAA covered entities and business associates should ensure that they have robust policies and procedures in place to address requests for information from law enforcement officials, disclosures to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and disclosures that are otherwise required by law.
Protecting Consumers’ Health Information When Using Personal Devices
Because HIPAA only applies to health information when it is maintained and transmitted by covered entities and business associates, the guidance clarifies that the HIPAA Privacy Rule generally does not protect the privacy or security of personal health information when it is saved or accessed through an individual’s personal phone or tablet. HHS OCR provides suggestions for consumers on how to protect the privacy of their health information stored on personal devices, including how to select more secure apps, delete stored data and turn off location services permissions on Apple and Android devices.