OCR Issues HIPAA Guidance Post Dobbs
Alerts
June 30, 2022
On June 29, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) released two new guidance documents in response to President Biden and Secretary Becerra’s call to HHS agencies to take actions to protect access to sexual and reproductive health care. OCR’s guidance addresses: (i) how federal law and regulations protect PHI relating to sexual and reproductive health care; and (ii) the extent to which private medical information is protected on personal cell phones and tablets. Although the guidance does not make new law or alter the existing HIPAA regulations in any way, it underscores HIPAA’s fundamental premise that entities subject to HIPAA cannot use or disclose patient protected health information (PHI) without an individual’s signed authorization except as expressly permitted or required by HIPAA’s Privacy Rule.
More specifically, the guidance addresses those narrowly tailored exceptions for disclosing PHI without an individual’s authorization for purposes not related to health care, and underscores that for disclosures required by law and for disclosures for law enforcement purposes, the Privacy Rule permits but does not require disclosure, and the law or law enforcement request must contain or be accompanied by a court-enforceable mandate to compel an entity to make a use or disclosure of PHI, and the disclosure must be limited to the relevant requirements of the law or law enforcement request. Regulated entities are also permitted, but again not required, to disclose PHI if the entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat. This would not include, in OCR’s opinion, making such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with abortion or other reproductive health care.
The second guidance document from OCR explains that generally, HIPAA does not protect the privacy and security of individuals’ medical information when it is accessed through or stored on personal devices, unless using an app provided by a HIPAA-regulated entity. This would include menstrual cycle trackers, for example, and other health information apps. Thus, in most cases, OCR explains that HIPAA does not protect the privacy of data individuals download or enter into mobile apps for their personal use.
Finally, the guidance explains that while HIPAA does not protect this information, and that the information that devices or apps collect about individuals may be viewed or collected by other entities or used by the device or app vendors to send specific ads, or sold to a data broker, there are practical tips and steps individuals can take to increase the privacy of their medical and personal information collected and shared by a mobile device, including best practices for selecting apps, browsers, and search engines.
The guidance can be accessed at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html and https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
We will continue to update our Dobbs Decision Resource Center as guidance warrants. If you have any questions regarding OCR's HIPAA guidance, please contact a member of our Health Law or Privacy, Cybersecurity and Data Innovation practice groups.