The Department of Health and Human Services (HHS) has issued guidance on the state of patient privacy protections after the Supreme Court’s decision to overturn Roe v. Wade.
The decision threw patient privacy protections into question, as the ruling gave states the ability to criminalize receiving and providing abortions. There is now a new sense of uncertainty when it comes to sexual and reproductive healthcare, including abortions, pregnancy complications and other related care.
The guidance addresses how federal law and regulations protect individuals’ private medical information, called protected health information (PHI), relating to abortion and other sexual and reproductive healthcare. HHS made it clear that providers are not required to disclose private medical information to third parties. Additionally, the guidance addresses the extent to which private medical information is protected on personal cell phones and tables. HHS also offered tips to protect privacy when using period trackers and other health information apps.
The guidance comes after reports of concerns about period trackers on cell phones and other health tracking apps in wake of the Supreme Court’s decision. Worries centered around apps disclosing geolocation data which could potentially be misused by those seeking to deny reproductive healthcare. The concerns have led some to urge users to delete these apps off their phones and scrub the data.
“How you access healthcare should not make you a target for discrimination,” HHS Secretary Xavier Becerra said in a statement. “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information. Anyone who believes their privacy rights have been violated can file a complaint with OCR as we are making this an enforcement priority.”
HHS noted that, under terms of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, disclosing health information for purposes not related to healthcare, such as to law enforcement officials, are only permitted in narrow circumstances “tailored to protect the individual’s privacy and support their access to health care, including abortion care.” HIPAA-covered entities and business associates can only use and disclose PHI without an individual’s signed authorization only as expressly permitted or required by the rule. It also explained the restrictions on disclosures of PHI when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.
In addition to guidance for providers and businesses, HHS also issued tips for individuals, including how to turn off location services on Apple and Android devices and best practices for selecting apps, browsers, and search engines that are recognized as supporting increased privacy and security.
Find the full guidance here.