HHS Tackles Data Privacy Concerns Linked to Abortion Ruling
Issues New HIPAA Guidance and Pledges Enforcement Against Violators
New healthcare privacy guidance from the Biden administration seeks to clarify when clinics can legally withhold patient information about abortion from law enforcement officials and other third parties.
The guidance comes shortly after the U.S. Supreme Court overthrew a key precedent guaranteeing nationwide access to abortion, paving the way for states to outlaw the procedure. The administration has scrambled to respond to the ruling, also yesterday launching a website laying out patients' rights to contraception and abortion options that include medication available via telehealth.
Enforcing patient privacy rights will be a top priority, vowed U.S. Health and Human Services Secretary Xavier Becerra in a Wednesday press conference.
More than a dozen states have "trigger laws" banning abortions approved in anticipation of a high court repudiation of Roe v. Wade. Nearly 20 states have protected access to abortion. That checkerboard of differing state rights sets up the potential for clashes over patient privacy in states where authorities seek to control access to reproductive medicine.
Even in states where abortion is illegal, state laws generally do not require doctors to report an individual who "self-managed the loss of a pregnancy," the HHS Office of Civil Rights wrote.
OCR's new HIPAA guidelines are meant to clarify complicated scenarios in which disclosures of patients' protected health information to law enforcement officials and other third parties are allowed, but not required, under the HIPAA privacy rule - as well as when such PHI disclosures are prohibited, amounting to a potential violation or data breach.
Guidance for Individuals
The Roe v. Wade ruling has the potential to affect reproductive health beyond just pregnancy termination, which was underscored by separate HHS guidance targeted to consumers of mobile apps such as menstruation trackers. Although those health apps collect what most people think of as "health information," individual data is not covered by HIPAA unless the app is provided by a covered entity or business associate, the guidance reminds consumers.
Individuals can take steps to reduce their digital footprint by using tools that limit online activity tracking or by favoring apps that don't collect or store personal information. But those steps won't stop a third party from potentially obtaining information such as location, given how mobile devices transmit their whereabouts in order to connect to nearby cellular towers.
"If you are concerned about your cellphone or tablet tracking your location and activities, consider leaving the device at home," HHS tells consumers.
Healthcare Provider Guidance
The new HHS healthcare industry guidance addresses "tricky issues," says privacy attorney Kirk Nahra of the law firm WilmerHale.
"This was a useful document in a highly uncertain area. I don't think HHS 'solved' the problems here at all, and there clearly is more work to do," he says.
Nonetheless, "this guidance will help entities that want to resist efforts by law enforcement to gather this kind of personal information and will give entities or individuals looking to provide this data on their own reasons to think twice," he says.
The guidance is critically important to midsize and small providers and business associates, says Kate Borten, president of privacy and security consultancy The Marblehead Group.
"These organizations often lack expertise in the HIPAA privacy rule and may have misconceptions about the rule and what PHI may be disclosed," she says. "The guidance's scenarios are very realistic and instructive in these times of new, restrictive laws on reproductive health," she adds.
What is left unsaid in the guidance is that affected covered entities and business associates should now review their privacy policies and procedures to ensure compliance, and then follow up with workforce training and reminders, Borten says.
For instance, some of the scenarios included in the new guidance suggest that staff within a healthcare organization's workforce may feel inclined to disclose a patient's data to law enforcement officials, contrary to what is permitted under the HIPAA privacy rule, resulting in a breach, she says. "Covered entities and business associates should strive to avoid such breaches in advance," she adds.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says that in the bigger picture, the Supreme Court decision also raises privacy questions concerning information sharing between organizations in different states.
"There are concerns that a court in a state that prohibits abortions could seek to compel a healthcare provider in another state to turn over records regarding individuals who travel out of state to receive abortion services," he says.
More to Do
Some experts say HHS could be doing more to protect sensitive information in the wake of the Supreme Court ruling.
"HHS is missing opportunities to protect collection and disclosure of sensitive health information that is not subject to the protections of the HIPAA privacy standards," says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
For example, HHS could use its enforcement discretion to exclude information about reproductive health from the requirements of the Information Blocking Regulations, which prohibit interfering with access, exchange or use of electronic health information, says Holtzman, a former senior adviser at HHS OCR.
HHS could also modify the Information Blocking regulations and the health IT certification standards to address the use of technology that collects identifiable data about patients when they interact with patient portals maintained by electronic health records vendors, healthcare providers and health information exchanges, he says.