After Roe, HHS Guidance aims to keep health information safe
Following the Supreme Court’s decision to overturn Roe vs. Wade, the Biden administration has warned that period-tracking tools and other health-information apps could misuse private medical information.
The HHS Civil Rights Office has released guidance to help individuals protect their private health information, as well as guidance on the HIPAA privacy rule and the disclosure of information related to reproductive health care. The purpose of the documents is to clarify when federal laws and regulations allow and do not allow the disclosure of protected health information without an individual’s permission.
“The way you access health care should not make you a target of discrimination. HHS stands with patients and providers to protect HIPAA privacy rights and reproductive health care information,” HHS Secretary Xavier Becerra said in a press release.
Becerra urged anyone who suspects their privacy rights have been violated to file a complaint with the Office of Civil Rights, stressing that the issue is “an enforcement priority.”
The Office for Civil Rights enforces the HIPAA Privacy Rule, which governs the “use, disclosure, and protection” of protected health information by covered entities, including health plans, healthcare clearinghouses, most clinicians, and, to some extent, their business associates — all of whom are permitted to use or disclose protected health information without an individual’s signed permission “only to the extent expressly authorized or required” by the rule.
Protect information on tablets, mobile phones
In its guidance, HHS emphasized that HIPAA generally does not protect the privacy of protected health information when it is accessed or stored on electronic devices, such as smartphones and tablets.
“HIPAA rules apply only when protected health information is created, received, maintained or transmitted by covered entities and business associates,” according to the guidelines. Additionally, HIPAA does not protect the privacy of an individual’s search history, information shared online, or geographic location information.
“In most cases, unless the application is provided to you by a Covered Entity or its business associate, HIPAA rules also do not protect the privacy of data you have downloaded or entered into mobile applications for your personal use, regardless of where the information came from,” the guidelines noted.
HHS further warned that information collected by devices or apps “may be accessed or collected by other entities or used by device or app providers to send you specific advertisements,” or even sold to a data broker for marketing or other purposes.
The agency therefore provided guidance on disabling location services on Apple and Android devices and recommended avoiding downloading “unnecessary or random apps” and not allowing apps to access location data.
The tips also include best practices for choosing apps, browsers, and search engines known to support privacy and security.
Privacy and Protected Health Information
Under federal law, clinicians are not required to share protected health information with third parties. In addition, disclosure of protected health information for reasons unrelated to health care – for example, to law enforcement officials – is “allowed only in narrow circumstances designed to protect the privacy of the individual and support their access to health care, including abortion care”.
For example, if a hospital worker sees a patient in an emergency department complaining of complications after a miscarriage, and the hospital worker believes the patient took medication to end a pregnancy in a state where abortion is prohibited after 6 weeks, then where state law does not expressly require such reporting, the confidentiality rule would not permit disclosure to law enforcement under the “required by law” authority.
In such a case, such disclosure would be “impermissible and would constitute a breach of unsecured protected health information,” and would require notification of HHS and the affected individual, according to the guidelines.
HHS further explained that the Privacy Rule permits, but does not require, Covered Entities to disclose an individual’s protected health information for law enforcement purposes, such as requests made through court-ordered warrants or subpoenas.
The agency gave the example of a law enforcement official presenting a court order to a reproductive health clinic demanding that the clinic reveal protected health information about a person who had an abortion. “Because a court order is enforceable in court, the confidentiality rule would allow, but not require, the clinic to disclose the requested information.” However, HHS stressed that the clinic “may only disclose protected health information expressly authorized by the court order.”
If such a request from law enforcement did not include a court order or other warrant, the agency clarified that the confidentiality rule would not allow the clinic to disclose protected information in response to the request. Again, in this case, such disclosure would constitute a breach of unsecured protected health information.
Serious and imminent threat to health
The guidelines also specifically addressed the issue of “good faith” disclosures, meaning disclosures intended to prevent a serious threat to an individual’s health or safety.
The Privacy Rule permits, but does not require, a Covered Entity, consistent with applicable laws and ethical standards, to disclose protected information “if the use or disclosure is necessary to prevent or mitigate a serious and imminent threat to the health or safety of a person or the public, and the disclosure is made to a person or persons who are reasonably capable of preventing or mitigating the threat.”
However, the guidelines stated that “it would be inconsistent with professional standards of ethical conduct to make such disclosure of protected health information to law enforcement or others regarding an individual’s interest, intent or previous experience with reproductive health care,” citing the American Medical Association (AMA) and the American College of Obstetricians and Gynecologists as proponents of the policy.
For example, if a pregnant woman living in a state that prohibits abortion informs her health care provider of her intention to have an abortion in a state where it is legal, the confidentiality rule would not allow the provider to disclose this information to law enforcement. Again, such disclosure would constitute a breach of unsecured information.
AMA President Jack Resneck, Jr., MD, applauded the Biden administration for moving quickly on this issue.
“The new guidelines make clear that physicians are not required to disclose private medical information to third parties and provide guidance to patients on the use of personal cellphones and tablets. The AMA has identified and recommended additional actions to increase transparency about what apps are doing with medical information,” he said.