Post-Roe Patient Privacy: What Telehealth Companies Should Know

Disclaimer: The information contained in this blog post is provided for informational purposes only and should not be construed as legal advice. You should not act or refrain from acting on the basis of any content included in this blog without seeking legal or other professional advice.

Reproductive healthcare privacy takes on a new meaning in a post-Roe era. As states criminalize abortions, and may even permit private citizens to enforce abortion bans, personal data may be vulnerable, particularly in an increasingly digital society.

When can companies and providers release patient data? And what data is susceptible?

These are important questions when navigating a rapidly changing legal environment following the Supreme Court’s Dobbs ruling.

When can providers and companies share patient health information?

It’s important to remember that the Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects patient privacy and sets boundaries on how patient information is used and disclosed. If the company is regulated by HIPAA, there are limited circumstances where patient information may be disclosed without the patient’s authorization.[1]

HIPAA only permits companies to use and disclose protected health information (PHI) without patient authorization in the following situations:

  • To the Individual (unless required for access or accounting of disclosures)

  • Treatment, Payment, and Health Care Operations (some examples are quality assessment and improvement, competency assurance activities, and credentialing activities)

  • Uses and Disclosures with Opportunity to Agree or Object

  • Incident to an otherwise permitted use and disclosure

  • Public Interest and Benefit Activities (includes disclosures required by law, for law enforcement purposes and judicial administrative proceedings)

  • Limited Data Set for the purposes of research, public health or health care operations

Even within these categories of permissible uses and disclosures, there are still limitations. Just because something may be disclosed, it doesn’t always mean it must be disclosed. HHS has a great resource for understanding more about these uses and disclosures.

When are companies “required by law” to disclose PHI?

Following the Dobbs ruling, determining when to disclose PHI to law enforcement without patient authorization will undoubtedly be a source of confusion for companies. The key questions are: (1) When are companies required by law to disclose PHI? and (2) When should companies disclose PHI for law enforcement purposes?

Disclosures Required by Law: In new guidance on patient privacy and PHI related to reproductive health care, the Department of Health and Human Services (HHS) stated that “[t]his permission to disclose PHI as ‘required by law’ is limited to ‘a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.’ Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law.”

Disclosures for Law Enforcement Purposes: Further, HHS stated that “[i]n the absence of a mandate enforceable in a court of law, the Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care.”

These statements from HHS highlight the need for companies to ensure that any disclosures required by law or for law enforcement purposes are narrowly tailored and do not exceed what the law requires. In other words, companies and clinicians can ask to see a valid warrant, court order, or subpoena before turning over any patient records. HHS provided the example below of the “required by law” provision, which offers useful insight into how companies and clinicians can approach their analysis of whether a disclosure is in fact required by law.

An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.

Digital privacy

Although HIPAA may provide some assurances, reproductive health information in data collection apps presents unique challenges. Today, we leave a digital footprint in everything we do online — from our search histories to phone location data. We also store a lot of data and personal information online and in apps. This information ranges from how much water we drink in a day to tracking menstrual cycles. The latter falls within a category of reproductive health information that may be subjected to scrutiny by law enforcement or private citizens in states that criminalize abortions.

According to HHS, “[t]he HIPAA Rules generally do not protect the privacy or security of your health information when it is accessed through or stored on your personal cell phones or tablets.” This means that data such as search histories related to abortion services, location data, or reproductive health apps could be an easy target for court orders or subpoenas as the information is not shielded by HIPAA. Law enforcement or private citizens may use information gleaned from digital footprints to prosecute patients seeking reproductive health services.

As a result, it is imperative that companies are transparent about how patient and customer information will be used and protected.

Considerations for companies

  • Notice of Privacy Practices: Companies covered by HIPAA should have a Notice of Privacy Practices (NPP) that clearly describes individuals’ rights regarding their health information. Specifically, the NPP should explain how the company will use and disclose PHI with and without patient authorization.

  • Privacy Policy: Companies that are not covered by HIPAA should consider explicitly describing how the company handles and protects customer data. For example, the policy should identify whether customer information is shared with or sold to third parties.

  • Anonymity: Companies can consider ways to offer anonymous modes that permit customers to remove identifying information from accounts.

  • Commitment to Privacy & Security: Companies should ensure that resources are appropriately allocated to privacy and security teams so patients and customers know that protecting their data is a priority. Specifically, companies can evaluate their data retention policies to limit the information they retain and consider data minimization practices overall.

In a post-Roe environment, it is important to remember that patients still have a federally protected right to privacy when it comes to their healthcare information. However, companies can consider ways to be more transparent with patients and customers. As laws continue to evolve and enforcement takes shape at the state level, the extent to which data will be susceptible remains to be seen.

[1] Note that HIPAA only applies to health plans, healthcare clearinghouses and providers who transmit health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA, and only applies to PHI created, received, maintained, or transmitted by entities covered under the rule.