
Roe v. Wade Repeal Prompts New Guidelines From HHS on Patient Privacy Under HIPAA

The overturn of Roe v. Wade has left thousands of patients seeking abortions in a tough spot across the United States, forced to travel to other states to seek care and concerned about facing criminal charges in their home state if they do. The HHS Office for Civil Rights (OCR) has issued new guidelines in response, laying out federal protections for patient privacy under the Health Insurance Portability and Accountability Act (HIPAA) and providing guidance for individuals in protecting their personal phones and devices.

HHS spells out federal protections for patient privacy in abortion cases

The Supreme Court’s recent ruling overturns the Roe v. Wade decision’s constitutional guarantee of access to abortions, which forced states to make a certain minimum standard of care available. Over a dozen states have either already greatly restricted access to abortions in the wake of this ruling, or have indicated that they plan to in the immediate future.

This has forced people residing in those states to travel to others that have opted to maintain the access to abortions established during the Roe v. Wade period. But this is more than just a potential inconvenience and added expense for the patients; prosecutors now have some legal leeway to file criminal charges even if the abortion takes place in another state, and there is the added possibility of states passing new laws to facilitate this.

It remains to be seen exactly how far state prosecutors will actually go in charging those who travel for abortions; current cases on the books consist of a relative handful that often involve stretching existing laws beyond their intended scope, but this level of legal freedom and possibility has not existed for anti-abortion litigators since the Roe v. Wade decision was handed down in 1973. Many are taking an understandable “better safe than sorry” approach to patient privacy in this environment, looking to curtail the digital paper trail created by seeking health care and using period and pregnancy tracking apps out of concern it might be dug up and used against them in the future.

The new OCR guidelines focus on two specific areas: what federal-level protections are offered under the umbrella of HIPAA’s patient privacy protections, and how patients can protect their phones and internet history from potential snooping and subpoenas. OCR has also said that patients who believe HIPAA has been violated can file complaints directly with the agency.

The guidance reaffirms that the HIPAA Privacy Rule, which covers all individually identifiable health information in any format (including spoken transmission), is not altered by the Roe v. Wade repeal. This rule greatly limits law enforcement access to information involving patient privacy, and virtually eliminates access to it for anyone else without the patient affirming it with their signature.

However, there are some important exceptions. The rule only applies to HIPAA-covered entities; most health care and health insurance providers are (as are federal programs such as Medicare and Medicaid), but only if they transfer patient records or health information in an electronic format. HIPAA coverage also generally ends either when the patient signs over the right for other businesses to access these records, or when the patient manually transfers covered information to their own personal devices.

General federal-level exceptions to HIPAA patient privacy rules mostly revolve around public health emergencies and should not be relevant to cases of individuals seeking abortions, but there are some unusual state-level exceptions that are not widely known. One major exception is that HIPAA does not automatically apply to educational institutions that provide medical services on campus, as those records are classified differently and governed by a different federal privacy law (FERPA). However, some individual states have their own privacy bills that class on-campus treatment as medical records, and HIPAA defers to this as a “stronger” standard than the level of protection it offers.

Private ancillary services in the third party provider / vendor chain of health care facilities may also not be covered by HIPAA. One big exception is ambulance services that do not bill electronically.

Roe v. Wade repeal forces patients to take crash courses in device security

OCR adds guidance for the use of personal devices, as things like apps, search history and medical information stored at home are not covered by HIPAA patient privacy protections. This guidance includes some fairly standard guides for disabling geolocation on Apple and Android devices, and best practices for selecting online tools that will offer enhanced privacy and safeguards against third party access.

There are concerns about states issuing subpoenas to the major tech platforms, particularly mobile OS providers Apple and Google, requesting things like user messages and search histories. But prosecutors have a potentially easier angle available to them: third party data broker profiles fed by apps and advertising networks, which could simply be purchased.

The repeal of Roe v. Wade could also create indirect patient privacy problems for organizations that handle any of this sort of data, whether they are HIPAA-covered or not. Some of this information may be protected by state laws, such as California’s CCPA. It is possible that there will be incidents in which law enforcement approaches an organization with requests for information that are not legally binding, or staff may errantly release information to these agencies when they are not actually supposed to. Either could cause a data breach situation under these laws, and these are scenarios that organizations should be prepared for with employee awareness and training.