HIPAA privacy violations enforcement a priority for feds after abortion ruling
The Department of Health and Human Services Office for Civil Rights issued new guidance targeting patient privacy risks posed by the recent Supreme Court ruling overturning Roe v. Wade, taking away “the right to safe and legal abortion.”
Since the decision, HHS Secretary Xavier Becerra has already taken action to ensure all HHS agencies are taking steps to protect access to sexual and reproductive healthcare, including abortion. HHS is encouraging patients to report any suspected violation of their privacy rights to OCR, as the agencies are making these violations an enforcement priority.
The guide is the latest effort to address ongoing privacy and safety concerns, reminding healthcare providers of the federal laws and regulations requiring the protection of all patients’ health information, regardless of the care service received. OCR stressed that “providers are not required to disclose private medical information to third parties.”
The guidance also details the protections for medical data stored on personal cell phones and other devices, as well as privacy protections for individuals using period trackers, reproductive health apps, and other health apps.
Privacy, health data concerns posed by mobile apps
Immediately following the leak of the Supreme Court document, privacy stakeholders sounded the alarm on privacy and safety risks posed by the ruling, in addition to the obvious risks posed to women’s health. Since the ruling, patients have also raised similar concerns, particularly as period trackers and other health apps are prone to sharing data with third parties.
“How you access health care should not make you a target for discrimination,” Becerra said in a statement. “HHS stands with patients and providers in protecting the Health Insurance Portability and Accountability Act privacy rights and reproductive health care information.”
Providers should review the guidance to verify the circumstances under which HIPAA permits the disclosure of protected health information without patient authorization. The regulation specifically provides that any PHI disclosures unrelated to healthcare, including disclosures to law enforcement, are permitted only in “narrow circumstances.”
In short, HIPAA is “tailored to protect the individual’s privacy and support their access to health care, including abortion care.”
The guidance further reminds covered entities and relevant business associates that PHI can be used or disclosed without authorization only as outlined by HIPAA, while providing the exact restrictions on PHI disclosures to “avert a serious threat to health or safety.”
OCR also issued information for patients about health apps and the serious risks they pose to the privacy and security of their health information. In the majority of cases, HIPAA doesn’t protect the health data generated or stored by health apps. This patient-specific guide sheds light on the steps consumers can take to protect their data.
Providers can refer to this guide to support patients with health app education, as multiple studies have confirmed that mental health and health apps share data with third parties, often without transparency into the process.