
After Roe, HHS Guidance Aims to Keep Health Information Secure

— There may be vulnerabilities in privacy laws around use of cell phones, tablets, period trackers

MedpageToday

Following the Supreme Court's decision to strike down Roe v. Wade, the Biden administration warned that period trackers and other health information apps may be misusing private medical information.

HHS's Office for Civil Rights issued guidance focused on helping individuals protect their private medical information, as well as on the use and disclosure of information related to reproductive healthcare. The purpose of the guidance documents is to clarify when federal laws and regulations do and do not allow protected health information to be disclosed without an individual's permission.

"How you access healthcare should not make you a target for discrimination. HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive healthcare information," said HHS Secretary Xavier Becerra in a press release.

Becerra urged anyone who suspects that their privacy rights have been violated to file a complaint with the Office for Civil Rights, stressing that the issue is "an enforcement priority."

The Office for Civil Rights enforces the HIPAA Privacy Rule, which governs the "use, disclosure, and protection" of protected health information by covered entities, including health plans, healthcare clearinghouses, most clinicians, and, to a degree, their business associates -- all of which are allowed to use or disclose protected health information without an individual's signed authorization, "only as expressly permitted or required" by the rule.

Protecting Information on Tablets, Cell Phones

In its guidance, HHS stressed that HIPAA generally does not protect the privacy or security of an individual's health information when it is accessed through or stored on personal electronic devices, such as smartphones and tablets. The protection attaches to who holds the information, not to the information itself.

"The HIPAA Rules apply only when protected health information is created, received, maintained, or transmitted by covered entities and business associates," according to the guidance. In addition, HIPAA doesn't protect the privacy of an individual's search history, information shared online, or information on geographic location.

"In most cases, unless the app is provided to you by a covered entity or its business associate, the HIPAA Rules also do not protect the privacy of data you've downloaded or entered into mobile apps for your personal use, regardless of where the information came from," the guidance noted.

HHS further warned that information collected by devices or apps "may be viewed or collected by other entities or used by the device or app vendors to send you specific ads," or even sold to a data broker for marketing or other purposes.

The agency therefore provided tips on turning off location services on Apple and Android devices, and recommended against downloading "unnecessary or random apps" and against granting apps access to location data.

The guidance also includes best practices for choosing apps, browsers, and search engines known to support privacy and security.

Privacy and Protected Health Information

Under federal law, clinicians are not required to share protected health information with third parties. Furthermore, disclosures of protected health information for reasons unrelated to healthcare -- for example, to law enforcement officials -- are "permitted only in narrow circumstances tailored to protect the individual's privacy and support their access to healthcare, including abortion care."

For example, if a hospital worker sees a patient in an emergency department who is complaining of complications after a miscarriage, and the hospital worker believes the patient has taken medication to end a pregnancy in a state where abortion is prohibited after six weeks, "where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the 'required by law' permission."

In such an instance, a disclosure of this kind would be "impermissible and constitute a breach of unsecured" protected health information, and would require the notification of HHS and the affected individual, according to the guidance.

HHS further explained that the Privacy Rule permits, but does not require, covered entities to disclose an individual's protected health information for law enforcement purposes, such as requests made through court-ordered warrants, subpoenas, or summonses.

The agency offered the example of a law enforcement official presenting a court order to a reproductive health clinic requiring the clinic to reveal protected health information about an individual who had an abortion. "Because a court order is enforceable in a court of law, the Privacy Rule would permit but not require the clinic to disclose the requested [information]." However, HHS stressed that the clinic "may disclose only the protected health information expressly authorized by the court order."

If such a request by law enforcement did not include a court order or other legally enforceable mandate, the agency clarified that the Privacy Rule would not permit the clinic to disclose protected information in response to the request. Such a disclosure would again constitute a breach of unsecured protected health information.

Serious and Imminent Threat to Health

The guidance also looked specifically at the issue of disclosures "in good faith" -- that is, disclosures intended to prevent a serious threat to an individual's health or safety.

The Privacy Rule permits but does not require a covered entity, in keeping with applicable laws and ethical standards, to disclose protected information "if the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat."

However, the guidance stated that "it would be inconsistent with professional standards of ethical conduct to make such a disclosure of protected health information to law enforcement or others regarding an individual's interest, intent, or prior experience with reproductive healthcare," citing the American Medical Association (AMA) and the American College of Obstetricians and Gynecologists as supporters of this policy.

For example, if a pregnant woman living in a state that bans abortion informs her healthcare provider of her intent to seek an abortion in a state where it is legal, the Privacy Rule would not permit the disclosure of this information by the provider to law enforcement. Again, such a disclosure would be a breach of unsecured information.

AMA President Jack Resneck, Jr., MD, applauded the Biden administration for quickly acting on this issue.

"The new guidance makes it clear that physicians are not required to disclose private medical information to third parties and provides patients with tips on the use of personal cell phones and tablets. The AMA has identified and recommended to increase transparency on what apps are doing with medical information," he said.


Shannon Firth has been reporting on health policy as MedPage Today's Washington correspondent since 2014. She is also a member of the site's Enterprise & Investigative Reporting team.