The apex court of the US recently overturned Roe v. Wade (1973) and Planned Parenthood of Southeastern Pennsylvania v. Casey (1992) in the case of Dobbs v. Jackson Women’s Health Organization (2022). The court returned the responsibility for controlling abortion to the individual states after concluding that the US Constitution does not provide a right to abortion.
For healthcare organizations countrywide, the seismic Dobbs v. Jackson Women’s Health Organization decision by the Supreme Court has caused upheaval and confusion regarding patient privacy issues and providers’ obligations for data protection.
If you are a healthcare provider, the Dobbs ruling will not impact your ability to use electronic health records or to communicate and share that information with other providers. The ruling applies only to patient information that is not in an “active clinical setting.” Any documents transmitted outside of these settings must still be treated as protected health information under HIPAA.
Question of Vulnerability of Reproductive Health after the Decision
In addition to the decision’s clear systemic ramifications, Dobbs has presented several difficulties for pharmacies and prompted concerns about adhering to Health Insurance Portability and Accountability Act (HIPAA) privacy regulations.
Many reproductive health proponents of HHC have expressed concerns about protecting reproductive health information after last month’s decision. This includes information saved in period tracking apps, text messages, web search history, and other places.
Modern Healthcare fears that the information could be used to prosecute those who seek an abortion, or even medical attention after a miscarriage, and those who help them. Right now, HIPAA only protects the privacy of health information gathered by covered entities, such as health plans, clearinghouses for health information, and healthcare providers. Data collected by electronic devices and outside apps or organizations is not covered.
Response of Organizations
In the wake of the decision, several companies have taken steps to protect their users’ health data and prevent its use, particularly data about reproductive care. For example, Google announced that it would remove location information if its search engine determined that a user visited an abortion clinic or another medical facility.
According to Planned Parenthood, a breach of protected health information has not occurred. Out of caution, it deleted the marketing trackers on its search sites for abortions that shared data with third-party companies. It also mentioned that it offers a different appointment scheduling and confirmation tool that is, according to it, HIPAA-compliant.
Similarly, the Electronic Frontier Foundation, a digital civil liberties organization, advised users to pay attention to privacy settings on their services, switch off location services on apps that don’t need them, and use encrypted messaging services to protect their electronic health data.
Some applications for tracking periods have also made efforts to reassure their users that their health information is safe and secure. As an illustration, Flo said it is creating an “anonymous mode” that will let users delete their names, email addresses, and other unique identifiers from their profiles.
Response of the Government
The Office for Civil Rights (OCR) published guidance on June 29, 2022, outlining how HIPAA restricts disclosures by covered entities and business associates to law enforcement agencies without a court order or other legal mandate.
In light of new state laws forbidding abortion, the guidance offers valuable insight into how OCR may employ HIPAA enforcement to prevent illegal disclosures of protected health information (PHI) to law enforcement personnel.
OCR makes it plain that it wants to protect the privacy of people getting abortions and other reproductive health care. According to OCR, regulations that forbid specific conduct do not by themselves authorize the sharing of PHI concerning an individual and such prohibited behavior. Instead, all other requirements in the HIPAA Privacy Rule must be followed, and the law must expressly require such disclosure, or the disclosure must follow a legally recognized process. The guidance states that only under those conditions is disclosure allowed without causing a HIPAA breach.
However, depending on the state, laws that permit criminal or civil action against
- someone who seeks an abortion,
- someone who performs an abortion, or
- someone who provides the means for an abortion
may be used as the justification for revealing PHI for law enforcement purposes, and in states where relevant laws are in force, disclosures may be allowed.
Therefore, HIPAA may not offer the amount of protection against disclosure of PHI that may be inferred based on OCR’s recommendations in light of new state laws that forbid particular conduct by third parties.
To avoid unauthorized disclosure of PHI and HIPAA violations, healthcare organizations should caution their employees and providers not to conflate mandatory reporting laws with state laws that forbid abortion. They should also remind them that legal counsel should review any mandatory reporting. Otherwise, there is a chance of breaking federal or state laws requiring secrecy.
In a nutshell, OCR’s guidance reminds consumers that HIPAA protections do not apply to apps used on personal devices like smartphones that are not directly offered by a Covered Entity or its Business Associate. This covers the numerous applications that provide healthcare-related services but are not offered by Covered Entities, such as period trackers.
However, disclosures needed by law or for law enforcement purposes may apply to Covered Entities and their Business Associates. Additionally, HIPAA does not apply to cell phone service providers, and HIPAA generally does not protect communications made using a mobile device, including calls, messages, and emails. Due to these factors, it will be crucial for people to decide whether and how to communicate with providers electronically for tasks like scheduling appointments.
If privacy is an issue, people should also limit the amount of personal information shared through mobile devices, including apps that might offer health-related services but are not provided through Covered Entities.
Regulations concerning data privacy will continue to change in the wake of the Dobbs ruling. Pharmacies and other businesses should consult legal counsel before disclosing PHI, so that they stay current on the legal climate and guidelines. Reproductive health information will remain a significant concern for patients and application users.
The healthcare industry and application developers should consider updating their online privacy policies to address potential patient and user privacy concerns. Law enforcement agencies should not overstate the protections provided under HIPAA and other state privacy laws against disclosing health information.
With a vision to make the world a healthier place, Protected Harbor’s products are designed to secure and protect the health information of patients and providers in the hospital and clinical environments.
We offer tailored solutions to protect healthcare organizations against current and future cyber threats. Our offerings include network security, endpoint protection, remote monitoring and management, and other cybersecurity services. We have a team of certified engineers who are experts in their fields. A continuous learning and improvement culture helps us stay updated with evolving technological trends and best practices. We are focused on improving the health and wellness of our customers and their customers, which we accomplish by building trust, reliability, and transparency in every aspect of our service.
We are working to protect millions of Americans’ health information and critical data. Contact us today for a free security risk assessment.