Compliance Corner

Federal Updates

July 06, 2022

On June 29, 2022, the HHS Office for Civil Rights (OCR) issued guidance concerning the disclosure of protected health information (PHI) by covered entities pursuant to state law or a request by law enforcement, particularly in the context of reproductive healthcare. HHS also issued separate guidance for protecting health information on personal phones and tablets.

The OCR guidance states that covered entities, such as health plans, healthcare clearinghouses, and most healthcare providers, as well as business associates that handle PHI on their behalf, may disclose a person’s PHI without that person’s authorization only where the HIPAA privacy rule expressly permits or requires the disclosure. The guidance points out that the privacy rule permits, but does not require, covered entities to disclose PHI pertaining to reproductive healthcare when the disclosure is required by another law and complies with the requirements of that law. Even this permission is narrow: “required by law” means a “mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law,” and the disclosure is permitted only to the extent necessary to comply with that mandate.

In the example provided in the guidance, an individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end the pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Because no law expressly requires the report, the “required by law” permission does not apply, and the disclosure to law enforcement would be impermissible. It would also constitute a breach of unsecured PHI, triggering notification to HHS and to the affected individual.

Similarly, the privacy rule permits, but does not require, covered entities to disclose PHI pertaining to reproductive healthcare for law enforcement purposes when the request is made “pursuant to process and as otherwise required by law,” for example a court order, a court-ordered warrant, a subpoena, or a summons. This permission does not allow a covered entity to disclose reproductive health PHI to law enforcement voluntarily, whether on the covered entity’s own initiative or in response to a law enforcement request that is not backed by a legal process of the kind listed above.

The OCR guidance notes that the privacy rule also permits, but does not require, covered entities to disclose PHI when doing so is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is made to a person or persons reasonably able to prevent or lessen that threat. However, the guidance cautions that, under professional standards of ethical conduct, an individual’s seeking or obtaining reproductive healthcare does not by itself rise to the level of a serious and imminent threat to the health or safety of a person or the public, so this permission would generally not support such a disclosure.

HHS also provided guidance on protecting health information on a personal phone or tablet. The guidance points out that health information an individual stores on a personal device is generally not protected by the privacy rule. Apps on those devices can collect that information, and it can then be sold or shared without the person’s permission. The guidance offers several suggestions for eliminating or reducing that risk, such as turning off location services and enabling the device’s privacy settings that prevent apps from using data without the owner’s permission.

Employers should be aware of this guidance, particularly those that sponsor self-insured health plans, since such plans are themselves covered entities subject to the privacy rule.

HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Healthcare »
Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet »