Despite the HHS actions, women may still wonder whether their health information is entirely safe going forward — a potential challenge for the creators of digital health software.
The new HHS Office for Civil Rights (OCR) guidance addresses when the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits disclosure of PHI without an individual’s authorization. Its release comes amid calls on social media for women to delete period tracking apps. (The New York Times, however, reports that the opposite is happening, with a Berlin-based period-tracking app company called Clue saying it would not comply with U.S. law enforcement seeking information.)
“How you access health care should not make you a target for discrimination. HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” HHS Secretary Xavier Becerra said in a news release. “Anyone who believes their privacy rights have been violated can file a complaint with OCR as we are making this an enforcement priority. Today’s action is part of my commitment to President Biden to protect access to health care, including abortion care and other forms of sexual and reproductive health care.”
It appears, however, that there are cases where law enforcement could gain access to the health information of women in states with abortion bans. Here is one example provided in the new guidance:
“An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not [emphasis in original] permit a disclosure to law enforcement under the ‘required by law’ permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.”
It seems that reporting would take place in a state that requires it, though the guidance notes that most state laws presently do not require doctors or other health care providers to report an individual who self-managed the loss of a pregnancy to law enforcement.
Here’s another example from the guidance:
“A law enforcement official presents a reproductive health care clinic with a court order requiring the clinic to produce [personal health information] about an individual who has obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but not require the clinic to disclose the requested PHI. The clinic may disclose only [emphasis in original] the PHI expressly authorized by the court order.”
There are privacy protections — but also some leeway.
The HIPAA Privacy Rule permits health providers to disclose information to law enforcement if they in good faith think there is a serious threat to health and safety. But HHS in today’s guidance says disclosure of a woman’s plan to, for example, get an abortion out of state would not be consistent with professional standards of ethical conduct. Says the guidance: “The provider wants to report the statement to law enforcement to attempt to prevent the abortion from taking place. However, the Privacy Rule would not [emphasis in original] permit this disclosure of PHI to law enforcement.”