The Department of Health and Human Services (HHS) on Wednesday outlined plans to try to protect patients’ civil rights and privacy as states move to outlaw abortion, including reaffirming limits on medical professionals’ sharing of information with law enforcement officials.
HHS also offered tips for protecting health information shared with third-party apps. In these efforts, HHS highlighted the role of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in protecting patients while also effectively showing some limits to federal protection.
The HIPAA rules, for example, generally do not protect the privacy or security of information when it is accessed through or stored on personal cell phones or tablets, with some exceptions for ones developed by organizations covered by federal privacy law, HHS said. Information collected may be sold to data brokers, often selling it for marketing or other purposes.
The HHS Office for Civil Rights (OCR) issued new guidance addressing how federal law and regulations protect individuals’ private medical information (known as protected health information or PHI) relating to abortion and other sexual and reproductive health care. In it, HHS said that law enforcement officials seeking access to medical records must have court orders or otherwise have met privacy mandates.
HHS offered as an example a case of a woman who goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy.
In this scenario, the woman is in a state that prohibits abortion after six weeks of pregnancy but does not require the hospital to report people to law enforcement. If members of the hospital staff suspected this woman of having taken medication to end the pregnancy, they would still be bound to respect the patient’s right to privacy, according to HHS. Doing otherwise would be a violation of federal rules, requiring notification to HHS and the patient affected.
HHS offered another example in which a law enforcement official went to a clinic with a court order demanding what would normally be “protected health information” (PHI).
“Because a court order is enforceable in a court of law, the Privacy Rule would permit but not require the clinic to disclose the requested PHI,” HHS said. “The clinic may disclose only the PHI expressly authorized by the court order.”
HHS also described why clinicians should not seek to report patients who say they intend to travel from states where abortion has been banned to ones where it remains legal to get this medical treatment.
Federal privacy rules would not permit the disclosure of this information to law enforcement for several reasons, including:
- A statement indicating an intent to get a legal abortion or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a “serious and imminent threat to the health or safety of a person or the public”.
- It would generally be inconsistent with professional and ethical standards as it compromises the integrity of the patient-physician relationship and may increase the risk of harm to the individual.
“This is a moment of crisis in health care. We will leave no stone unturned,” HHS Secretary Xavier Becerra said in a Tuesday speech about attempts to protect access to abortion. “ All options are on the table. We will do everything within the legal limit of the law to reach patients and support providers.”