HHS issues guidance on patient privacy in wake of SCOTUS abortion ruling

Healthcare providers are not permitted to disclose patient health information unless faced with a court order, including information relating to abortion and other sexual and reproductive health care, the Department of Health and Human Services (HHS) said Wednesday. 

On the heels of the Supreme Court's ruling overturning Roe v. Wade, HHS' Office of Civil Rights issued guidance to address how federal law and regulations protect individuals’ private medical information and to clarify that providers are not required to disclose private medical information to third parties.

The guidance also addresses what consumer information is protected—and what isn't—when using period trackers and other health information apps on smartphones.

According to recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care, HHS said in a press release.

“How you access health care should not make you a target for discrimination. HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” said HHS Secretary Xavier Becerra in a statement. “Anyone who believes their privacy rights have been violated can file a complaint with OCR as we are making this an enforcement priority. Today’s action is part of my commitment to President Biden to protect access to health care, including abortion care and other forms of sexual and reproductive health care.”

Thirteen states including Mississippi have “trigger laws” in place that banned abortion upon the overturning of Roe v. Wade. Still more began moving abortion restrictions through their legislative processes following the May leak of the draft opinion. More than half of all states are expected to pursue such laws now that the draft decision is official.

Under federal privacy rules, disclosures without patient authorization “are permitted only in narrow circumstances," according to HHS.

Under the Health Insurance Portability and Accountability Act (HIPAA) privacy rule, providers are permitted but not required to disclose a patient's protected health information to law enforcement if the provider believes it's necessary to prevent or lessen a "serious and imminent threat to health or safety," HHS said.

As an example, a patient's plan to get a legal abortion, even if they intend to travel to another state, does not qualify as a serious or imminent threat to health and safety, the agency said in the guidance. HHS advised providers not to tell law enforcement about the patient's intention to get an abortion based on that standard even if the patient and provider are based in a state that bans abortion.

This disclosure of information to law enforcement would be "inconsistent with professional ethical standards as it compromises the integrity of the patient-physician relationship and may increase the risk of harm to the individual," HHS said.

Such a disclosure would be impermissible and constitute a breach of unsecured protected health information requiring notification to HHS and the individual affected, according to the agency.

In another example, a patient goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital clinician suspects the individual of having taken medication to end their pregnancy. Even if state or local law prohibits abortion after six weeks, providers would not be forced to notify law enforcement if the law does not expressly require such reporting, HHS OCR said.

Where state law does not expressly require such reporting, HIPAA would not permit disclosing protected health information to law enforcement under the “required by law” permission. Disclosing such information to law enforcement under those circumstances would be impermissible and constitute a breach of unsecured protected health information requiring notification to HHS and the individual affected, the agency said in the guidance.

Under HIPAA, the only time a reproductive health clinic is permitted to disclose patients' medical information is when a law enforcement official presents a court order requiring the clinic to produce the protected health information.

The federal privacy rule would permit this disclosure but does not require it. If the request is not accompanied by a court order or other mandate enforceable in a court of law, the privacy rule would not permit the clinic to disclose protected health information in response to the request, HHS said.

In a case where there is a court order, the clinic may disclose only the protected health information expressly authorized by the court order.

HHS' guidance also addresses how consumers can protect health information held on smartphones such as information entered into health apps, internet search history and geolocation data. The agency reiterated that in most cases, the HIPAA privacy, security and breach notification rules do not protect the privacy or security of individuals’ health information when they access or store the information on personal cellphones or tablets or when using third-party apps.

The guidance advises consumers to turn off the location services on smartphones and tablets and to use apps that put an increased focus on privacy and security.

The American Medical Association (AMA) praised HHS' patient privacy guidance.

"With the Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization, the lack of privacy raises many questions that could put patients and physicians in legal peril. That medical information was previously being siphoned off and monetized was always a concern. Now, it’s a legal threat as zealous prosecutors can track patients and access their medical records to determine what medical services were provided," Jack Resneck Jr., M.D., AMA president.

He added, "The Supreme Court has created chaos in health care with its irresponsible decision. The AMA is working with regulators to protect the patient-physician relationship in the face of so much uncertainty, and this new guidance will help.”