OCR has new guidance for patient privacy and PHI, following Dobbs ruling

The HHS agency is reminding providers that they aren't required to disclose private medical information to third parties. It also has tips for data security in using period trackers and other health-information apps.
By Mike Miliard
09:51 AM

Photo: Liza Summer/Pexels

The Supreme Court's seismic ruling in Dobbs vs. Jackson Women’s Health Organization has led to upheaval and confusion for healthcare organizations nationwide – not least when it comes to matters of patient privacy and providers' responsibilities around data protection.

On Thursday the Office for Civil Rights in the U.S. Department of Health and Human Services issued new guidance intended to help clarify some key considerations for this fraught new era of care delivery.

WHY IT MATTERS
HHS Secretary Xavier Becerra has expressed strong support for patient privacy protections in the wake of Roe v. Wade's reversal, and has asked HHS agencies to take action to safeguard access to care for abortion, pregnancy complications and other reproductive health issues.

On the topic of patient data and protected health information specifically, OCR's new guidance is meant to inform and protect patients seeking reproductive healthcare – and their providers.

The guidance addresses how federal law and regulations protect individuals' protected health information relating to abortion and other sexual and reproductive healthcare. It reminds providers that they are not required to disclose private medical information to third parties.

OCR's guidance, the HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care, can be found here.

In addition, the new guidance clarifies the extent to which private medical information is protected on personal smartphones and tablets, and gives suggestions for protecting individuals' privacy when using connected health tools such as period trackers and other health-information apps.

The new guidance, Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet, can be found here.

The broad goal of the new documents is to help explain the circumstances under which the HIPAA Privacy Rule permits disclosure of PHI without an individual’s authorization.

The guidance emphasizes that disclosures for purposes not related to healthcare – such as disclosures to law enforcement officials – are permitted "only in narrow circumstances tailored to protect the individual's privacy and support their access to healthcare, including abortion care," according to OCR.

In most cases, however, HIPAA rules "do not protect the privacy or security of individuals’ health information when they access or store the information on personal cell phones or tablets," OCR officials point out.

The new guidance outlines steps individuals can take to limit how their devices share their health and other personal information without the individual’s knowledge. It explains how to turn off geolocation services and identifies best practices for selecting apps, browsers and search engines that can better support privacy and security.

THE LARGER TREND
The Supreme Court's decision to overturn Roe v. Wade has not just stripped rights away from millions of American women. It has also ushered in a new era for healthcare privacy and security, where law enforcement officials in states that have outlawed abortion could turn to web browsing histories and smartphone usage patterns in their potential criminal investigations.

Already, online searches for abortion medications have surged, according to a new report from JAMA Internal Medicine. Meanwhile, popular reproductive health apps, such as period tracker Flo, are taking proactive steps to help protect their users' privacy.

But the patient privacy challenges of a post-Roe era – combined with some other recent allegations about the patient data-collection practices of Facebook's parent company Meta – have led some healthcare policy experts to decide it's time for Congress to enact some foundational changes to privacy rules, for a complex new world where patient information can be "weaponized."

ON THE RECORD
"How you access healthcare should not make you a target for discrimination," said HHS Secretary Becerra in a statement. "HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive healthcare information."

He added: "Anyone who believes their privacy rights have been violated can file a complaint with OCR as we are making this an enforcement priority. Today’s action is part of my commitment to President Biden to protect access to healthcare, including abortion care and other forms of sexual and reproductive healthcare."

 

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.