Dobbs and Privacy: President Biden’s Executive Order and OCR HIPAA Guidance
In response to the United States Supreme Court decision in Dobbs vs. Jackson Women’s Health Organization, President Joe Biden signed an Executive Order on Friday, July 8, 2022, designed to protect access to reproductive health care services. In addition to measures seeking to safeguard access to abortion and contraception, the Executive Order includes provisions aimed at protecting the privacy of patients and their access to accurate information, which will likely build on guidance from the Secretary of Health and Human Services issued June 29, 2022, addressing related concerns.
When individuals think about the privacy and security of their health information moving through U.S. health care system, their first stop usually is the complex set of rules under “HIPAA” – referring to the Privacy, Security and related rules under the Health Insurance Portability and Accountability Act of 1996. For nearly 20 years, the HIPAA rules applicable to most healthcare providers and health plans have worked to safeguard “protected health information” or “PHI.” During that time, a debate has raged over the effectiveness of the rules; some arguing the rules are too stringent, others arguing they are not stringent enough, and still others believing HIPAA is just right.
Of course, the protection of medical information does not begin or end with HIPAA. There is a myriad of other federal, state, and local laws that potentially impact the privacy and security of individual identifiable medical information generated in connection with the provision and payment for reproductive health care services. Here, we address the Executive Order and recent OCR guidance. However, organizations must also consider these other laws when making decisions concerning the collection, use, disclosure, retention, and security of such information.
With regard to protecting the privacy of patients and their access to accurate information, the Executive Order focuses on potential threats to patient privacy caused by (i) the transfer and sale of sensitive health-related data, and (ii) digital surveillance related to reproductive healthcare services. Related measures in the Order call for efforts to protect people seeking reproductive health services from fraudulent schemes or deceptive practices. To these ends, the Order directs:
the Secretary of Health and Human Services (HHS) to consider actions, including additional guidance under HIPAA, to strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality. The Secretary also must work with the US Attorney General to consider actions designed to educate consumers on protecting privacy and limiting the collection and sharing of their sensitive health information.
the Chair of the Federal Trade Commission (FTC) to consider actions, including under the Federal Trade Commission Act, to protect consumers’ privacy when seeking information about and provision of reproductive healthcare services.
the Secretary to consult with the FTC Chair and Attorney General on ways to address deceptive and fraudulent practices related to reproductive healthcare services, including online, and to protect access to accurate information.
It remains to be seen what steps these agencies will take in response to the Executive Order. As noted above and summarized below, the Secretary has already issued guidance concerning patient privacy following Dobbs.
OCR Guidance Regarding Patient Privacy Following Dobbs.
Prior to the President’s Executive Order, the HHS Office for Civil Rights issued post-Dobbs guidance to help protect patients seeking reproductive care. The guidance comes in the form of reminders to providers and patients:
Reminder to providers about disclosures to third parties. In short, this guidance reminds HIPAA covered entities and business associates that they can use and disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule. It reiterates some of the HIPAA Privacy Rule’s existing restrictions on disclosures of PHI (i) when required by law, (ii) for law enforcement purposes, and (iii) to avert a serious threat to health or safety. For example, the guidance makes clear that the HIPAA Privacy Rule permits but does not require covered entities to disclose PHI about an individual, without the individual’s authorization, when such disclosure is required by another law and the disclosure complies with the requirements of the other law. Further, the guidance reminds covered entities and business associates that the permission to disclose as “required by law” requires a mandate in the law that compels disclosure which is enforceable in court, explained through the following example:
"An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected. (emphasis added)"
The guidance includes a similar analysis when considering law enforcement requests made through legal processes such as court orders or subpoenas.
Reminders to patients to protect medical information when using period trackers and other health information apps. In general, PHI accessed or stored on individuals’ personal devices is not protected under the HIPAA rules. The OCR cites recent reports about patients expressing concerns that period trackers and other health information apps threaten privacy by disclosing geolocation data which may be misused by those seeking to deny care.
To help address these concerns, the guidance provides steps to limit how certain devices collect and share health and other personal information without the knowledge of the device’s owner. This includes instructions for turning off location services and best practices for selecting apps, browsers, and search engines. It also provides a list of several resources for protecting privacy when using apps and other electronic products, including from the FTC and Consumer Reports.
What all this means for healthcare providers, health plans, and business associates is heightened attention when handling individual identifiable health information related to reproductive health care services, including when it is permissible to disclose HIPAA protected health information, particularly without the authorization of the individual to whom it relates. Such organizations also will need to consider more stringent state law that may provide stronger protections for privacy, while health plans covered by the Employee Retirement Income Security Act will have to assess whether state laws might be preempted by ERISA. These are not easy tasks in a world with growing privacy protections, data breaches, labor shortages, and rapidly advancing technologies.