Following the Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization, much has been written about how existing privacy laws, such as the Health Insurance Portability and Accountability Act (“HIPAA”), are useless for women because of provisions that allow the sharing of health information (referred to as “protected health information” or “PHI” under HIPAA) with state regulatory authorities seeking to enforce abortion bans. For example, HIPAA permits health care providers to disclose health information when required by law, such as under state-mandated abortion reporting laws, or for law enforcement purposes, such as in response to a warrant, a subpoena or a summons.
However, HIPAA has other provisions, including enumerated patient rights, that are potentially helpful to women seeking to protect their reproductive health information. There are also state laws and practical strategies that women can use to protect their privacy. In the first of this two-part blog post series, we highlight legal rights and practical strategies women can use to protect their own information. In the second installment, we will highlight strategies healthcare providers can use to protect their patients’ information.
The Office for Civil Rights of the Department of Health and Human Services (“OCR”) recently released a guidance document (the “Guide”) on how HIPAA supports women’s efforts to keep their reproductive health information confidential. The Guide discusses the scope of the HIPAA exceptions for disclosures required by law and for law enforcement, and highlights the important point that healthcare providers may disclose health information to regulatory authorities or law enforcement only when the law obligates them to do so. If a state law does not require reporting, any disclosure of a woman’s health information under that law would potentially violate HIPAA and could form the basis of a complaint to OCR by the patient concerned.
How would a patient know if their information was used or disclosed by a healthcare provider in response to a government request? HIPAA gives patients the right to an accounting of disclosures of their PHI. An accounting is a notice that tells a patient how their health information has been used or shared for certain purposes. For example, if a health care provider shares records with a public health authority for public health surveillance activities, all records shared with the public health authority have been “disclosed” for purposes of HIPAA. If the patient requests an accounting, the provider must provide the identity and address, if known, of the public health authority to which the records were disclosed, a description of the PHI disclosed, the purpose of the disclosure, and the date of the disclosure. The accounting right will not help a patient prevent a disclosure, but it could at least alert a patient to the fact that a disclosure has occurred and allow him or her to independently assess the validity of the disclosure.
Right to request restrictions
Patients have the right under HIPAA to request restrictions on how a healthcare provider uses or discloses their PHI. For example, a patient may request that a covered entity limit its uses and disclosures of PHI to the provider’s treatment, payment, or healthcare operations (the uses necessary to run the provider’s business). A patient may also request special privacy protections; for example, a patient may prohibit disclosure of PHI to family members or ask the provider to use an alternate mailing address or PO box for treatment-related communications. Under HIPAA, providers must allow patients to request restrictions; however, providers are not required to grant the requested restrictions. There is one exception: if a woman pays for a reproductive health care visit, a prescription (or any other health care, for that matter) out of pocket in full and requests that the health care provider or pharmacist not share information about that visit with her health insurance plan, the provider or pharmacist must agree to the restriction. This HIPAA provision does not completely isolate reproductive health information, but it restricts the universe of authorized recipients, reduces the potential for re-disclosure, and reduces the number of places where regulatory authorities can collect a woman’s reproductive health information.
All of the rights described above should be addressed in a healthcare provider’s HIPAA Notice of Privacy Practices. These notices are provided to patients on their first visit to a health care provider, must be posted on the walls of a provider’s facility, and must also be available upon request and on the website of any provider that has one. Finally, patients have the right to file a complaint with OCR if any of the above patient rights requests are ignored or denied, or if a patient believes that their health information has been used or disclosed in a manner not permitted by HIPAA. Patients can file a complaint with OCR, and OCR will follow up, but patients do not have the right to sue for damages (known as a “private right of action”) under HIPAA.
State law protections
There may be additional protections available under different types of state laws, including private rights of action for unauthorized disclosure treated as a data breach, or consumer protection actions. These will likely be tested in states that ban abortion, so let’s look at the current state of the laws in those states. Of the states where abortion is currently banned or mostly banned, or will be imminently banned under trigger laws, only a handful include health information as “personal information” under the state’s data breach notification statute, and their applicability is limited. In order to be considered a “breach” under state data breach notification laws, there must be unauthorized access to or acquisition of personal information. In all states where abortion is banned or will be banned imminently, data breach notification laws are only triggered by the “acquisition” of personal/health information; in other words, someone actually has to take it.
The table below describes the possible additional protections that may be available.
Practical steps to take
The world has changed in the 50 years since Roe v. Wade. Today, we all have vast “digital footprints” created from things like our internet search and browsing habits, information we share with apps, and location data collected by our tablets and smartphones (even when we are not aware of such collection). There are concerns about the ability of these digital footprints to be used against women to enforce criminal penalties in states that ban abortion.
We cannot disappear from the digital world. However, you can take some practical steps to protect this sensitive information.
- Limit the sharing of location data. You can disable location services on your smartphone or tablet. This will limit access to your activities, your location, and where you travel. On an Apple or Android device, location services can be found under Settings/Privacy. You have the option to disable all access to location services, or you can go through your apps and select the ones for which you want to disable access to location data. While you do this, you can remove unwanted apps from your device, clear the history and data stored in those apps, and only add apps you trust. Also, when an app or website requests permission to access location data, you should decline. Unless you’re using a navigation or traffic app, most apps and websites don’t need your location data. Avoid “free” apps: remember that if you are not paying for the “service”, you are the product.
Apple’s information regarding the privacy of your data on Apple devices is available at: https://www.apple.com/privacy/control. Information regarding the privacy of your data on Android devices is available at: https://www.android.com/safety.
- Consider using a burner phone. If you need to arrange services or travel, use a prepaid phone that is not tied to your identity. If you use a personal device, all communications you send and receive (texts, incoming and outgoing calls, emails) are stored and can be tracked.
- Use a public computer for web searches. If you use a common search engine like Google, Yahoo! or Bing, your search history may be associated with your IP address and may be obtained by law enforcement from the service provider. If you need to research prohibited services, use a computer in a public library or other space.
- Alternatively, use a private search engine. There are search engines, such as DuckDuckGo, that do not track your search history.
- Don’t forget your smartwatches or fitness trackers. These devices also collect or store information about your location, and fitness trackers may also contain information about menstrual cycles or other health-related information.
On Friday last week, Google announced it would delete location data after people visit abortion clinics, domestic violence shelters and other sensitive places. According to Google, the update “will go into effect in the coming weeks.” Additionally, the company will add a feature allowing users to delete multiple menstruation logs in both the Google Fit and Fitbit apps. Google’s announcement does not say anything about search history, however.
The New York Times published an informative article on how simply deleting period-tracking apps may not be enough (the article is behind a paywall).
There are other resources you should check out to help you reduce your digital footprint and protect your own medical privacy.
Advice from the Department of Health and Human Services
Federal Trade Commission tips on how to protect your phone and the data on it
How to limit location data exposure – National Security Agency
Federal Communications Commission consumer advice – telephone and cable recordings