News Release: HHS Issues Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe (June 29, 2022); HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care (June 29, 2022); Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet (June 29, 2022)
In response to the U.S. Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, which concluded that the Constitution does not prohibit states from regulating or banning abortion (see our Checkpoint article), HHS’s Office for Civil Rights (OCR) has issued guidance addressing HIPAA privacy protections around reproductive health care. The guidance addresses how HIPAA protects the privacy of individuals’ protected health information (PHI) relating to abortion and other sexual and reproductive health care, emphasizing that covered entities (health plans, most health care providers, and health care clearinghouses) can use or disclose PHI only as expressly permitted or required by the HIPAA privacy rule. The guidance focuses on the privacy rule’s provisions for disclosures required by law, for law enforcement purposes, and to avert a serious threat to health or safety. OCR indicates that, except in the case of a law that expressly compels a covered entity to disclose PHI and is legally enforceable in court, these provisions permit but do not require covered entities to disclose PHI. Examples are provided of situations that providers may face in states where abortion is restricted or banned.
Separately, OCR has provided guidance for individuals on protecting the privacy and security of PHI when using a personal cell phone or tablet. OCR cautions that HIPAA generally does not protect the privacy or security of health information accessed through or stored on personal cell phones or tablets because the protections apply only to PHI created, received, maintained, or transmitted by covered entities and business associates. For example, HIPAA does not protect the privacy of an individual’s internet search history, information voluntarily shared online, or geographic location. Generally, unless a health app is provided by a covered entity or its business associate (see our Checkpoint article), HIPAA also does not protect the privacy of data downloaded or entered into mobile apps for personal use, regardless of the data’s source. Tips are provided for maintaining the privacy and security of personal and health information on cell phones and tablets, with links to numerous resources.
EBIA Comment: Although the scenarios in the disclosures guidance are geared to providers, health plans are also likely to face HIPAA privacy and security challenges as states respond to the Dobbs decision. Employers sponsoring group health plans should pay particular attention to the rules for disclosing PHI from the plan to the plan sponsor’s employees. Among other requirements, the employees must perform plan administration functions, must not use the PHI for employment-related purposes, and must be inside the HIPAA firewall. Although not mentioned in the guidance, individuals also have the right to request alternate means of communication (e.g., to a P.O. box rather than a home address) and restrictions on uses and disclosures of PHI (e.g., that PHI not be disclosed to particular family members). A plan’s use and disclosure policies must be disclosed in its Notice of Privacy Practices; this would be an opportune time for health plans to review their Notices for accuracy and completeness. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIII (“How the Privacy and Security Rules Affect Group Health Plans and Plan Sponsors”), XXIV.B (“What Is a Business Associate?”), XXVI (“Core Privacy Requirement #1: Use and Disclosure Rules”), XXVII.E (“Right to Request Restrictions on Uses and Disclosures”), XXVII.F (“Right to Request Alternate Communications”), and XXVII.G (“Right to Receive Notice of Privacy Practices”).
Contributing Editors: EBIA Staff.