In the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, here is a reminder about the protections available for privacy and the confidentiality of health-related information under current law. This bulletin will discuss the Health Insurance Portability and Accountability Act (HIPAA).
First off, it is important to understand that HIPAA, composed of a Privacy Rule, Security Rule, and Data Breach Rule, regulates the use of patient information in the provision of health care in the United States. It only applies to “protected health information” (PHI) that is generated by a “covered entity” — health care provider, payer, or clearing house — in the provision of health care treatment, payment, or operations to a patient. Any other information, even if health-related, does not get the protections of HIPAA.
For example, if one should enter and keep track of his weight, blood pressure, and medication use in a commercially available mobile application on his phone, that personal information is not PHI and not protected by HIPAA. Likewise, should a woman track her menstrual cycle or pregnancy in a commercially available mobile application, that information is not subject to the protections of HIPAA. The privacy of such data, in either example, including sharing of any data with a third party, would only be subject to the mobile application’s terms of use and privacy policy, which should meet any applicable state privacy law’s requirement.
Secondly, even if the information in question is PHI and even though HIPAA provides robust protections for the confidentiality of said PHI, it is important to note that patient consent is not always needed for all sharing or access to PHI.
The following are purposes for which PHI, including, but not limited to, abortion-related PHI, can be disclosed without prior patient authorization:
- Oversight of the health care system, including licensing and regulation;
- Public health, and in emergencies affecting the life or safety of a patient or others;
- Judicial and administrative proceedings;
- Law enforcement;
- To provide information to next of kin or information on decedents;
- For identification of the body of the deceased person or the cause of death;
- For directories;
- Workers’ compensation;
- Medical examiner;
- Certain research; and
- In other situations where the use or disclosure is mandated by other laws.
It is important to understand that HIPAA’s protections for the confidentiality of PHI, including, but not limited to, abortion-related PHI, are not absolute. Any patient receiving treatment should always receive a Notice of Privacy Practices, which details a covered entity’s practices in the process of PHI. Learn more about the basics of privacy and PHI from the Department of Health and Human Services in its Privacy Rule summary.
If you have questions regarding the privacy of health data, please contact the author or Taft’s Post-Roe v. Wade Task Force.