OCR Clarifies How HIPAA Applies to Reproductive Health Care Information in Response to SCOTUS Decision

The landmark decision of the Supreme Court in Dobbs vs. Jackson Women’s Health Organization, where the court held that there is no legal right to abortion in the Constitution of the United States, resulted in Roe v Wade and Planned Parenthood v. Casey being overruled. With no federal right to abortion, it is down to individual states to determine the legality of abortion. More than a dozen states had trigger laws in place that rendered abortion illegal in the event of Roe v. Wade being overruled. It is probable that around half of U.S. states will end up following suit and making abortion illegal.

As a direct result of the SCOTUS decision, the Department of Health and Human Services’ Office for Civil Rights issued guidance for healthcare providers and patients on how the HIPAA Rules apply to individuals’ private reproductive health care information and the privacy and protection of reproductive health care information on cell phones and tablets.

HIPAA Does Not Require Healthcare Providers to Disclose Reproductive Health Care Information to Third Parties

OCR has issued a clarification on the applicability of the HIPAA Privacy Rule to reproductive health care information and disclosures of that information to third parties. The HIPAA Privacy Rule permits disclosures of protected health information (PHI) for the purpose of treatment, payment, or healthcare operations without requiring written consent from patients. Consent is required from an individual for most other disclosures of PHI, except in very limited circumstances.

A potential area of confusion is the HIPAA Privacy Rule permits disclosures of PHI for law enforcement purposes “pursuant to process and as otherwise required by law.” If a healthcare provider is issued with a court order, court-ordered warrant, or a subpoena or summons, a disclosure of PHI can be made; however, the only PHI permitted to be disclosed is the exact types of PHI stated in the court order, court-ordered warrant, or a subpoena or summons. If any further information is disclosed, it would be classed as an impermissible disclosure.

If there is no mandate enforceable in a court of law, a disclosure of PHI is not permitted. “The Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care,” explained OCR.

OCR also explained that “state laws do not require doctors or other health care providers to report an individual who self-managed the loss of a pregnancy to law enforcement,” and state-level fetal homicide laws generally do not penalize the pregnant individual.

OCR also explained that if a law enforcement officer visited a reproductive health care clinic and requested records of abortions performed at the clinic, the clinic would not be permitted to disclose that information under HIPAA, unless the request was accompanied by a court order or other mandate enforceable in a court of law. Such a disclosure in the absence of a court order, court-ordered warrant, or a subpoena or summons would be an impermissible disclosure.

If a patient visited a hospital and a workforce member suspects the patient has taken medication to end her pregnancy, in violation of state or other law, the hospital would not be required to report that to law enforcement. There would only be such a requirement if state law expressly required such reporting. In the absence of such a state law, this would be an impermissible disclosure of PHI.

A disclosure of PHI to prevent or lessen a serious and imminent threat to the health or safety of a person or the public is permitted by HIPAA, but disclosures to law enforcement or others about abortions would be inconsistent with professional standards of ethical conduct.

“How you access health care should not make you a target for discrimination. HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” said HHS Secretary Xavier Becerra. “Anyone who believes their privacy rights have been violated can file a complaint with OCR as we are making this an enforcement priority. Today’s action is part of my commitment to President Biden to protect access to health care, including abortion care and other forms of sexual and reproductive health care.”

Most Health Apps are Not Covered by HIPAA

OCR also provided confirmation on how HIPAA applies to health apps, such as those used to track fertility. OCR clarified that most health app developers are not classed as business associates under HIPAA, and nor are they HIPAA-covered entities. Health apps may collect, store, or transmit information that would be classed as PHI if it were collected, stored, or transmitted by a HIPAA-regulated entity, but health apps are generally not covered by HIPAA, so the privacy and security of any information collected or shared via the apps is not protected.

If these apps are used, there is a risk that sensitive reproductive health care information and location data may be disclosed to third parties without an individual’s knowledge, such as to a data broker or other individual for the purpose of serving targeted advertisements or other purposes.

OCR has provided best practices on selecting apps, browsers, and search engines that are recognized as supporting increased privacy and security, and has provided instructions on how to turn off location services on mobile devices.