As abortion access is debated within the United States, concerns have risen over the ability to protect patient privacy. The Biden-Harris Administration announced new actions to safeguard patient privacy at the third meeting of the Task Force on Reproductive Healthcare Access with Vice President Harris. The administration announced actions to:
Strengthen reproductive health privacy under HIPAA. The Department of Health and Human Services (HHS) is issuing a Notice of Proposed Rulemaking to strengthen privacy protections under the Health Insurance Portability and Accountability Act (HIPAA). This rule would prohibit doctors, other health care providers and health plans from disclosing individuals’ protected health information, including information related to reproductive health care, under certain circumstances. Specifically, the rule would prevent an individual’s information from being disclosed to investigate, sue or prosecute an individual, a health care provider or a loved one simply because that person sought, obtained, provided or facilitated legal reproductive health care, including abortion.
Protect students’ health information. The Department of Education (ED) is issuing guidance to over 20,000 school officials to remind them of their obligations to protect student privacy under the Family Educational Rights and Privacy Act (FERPA). The guidance helps ensure that school officials — including those at federally funded school districts, colleges and universities — know that, with certain exceptions, they must obtain written consent from eligible students or parents before disclosing personally identifiable information from students’ educational records, which may include student health information. ED is also issuing a know-your-rights resource to help students understand their privacy rights for health records at school.
Support consumer privacy. The Federal Communications Commission (FCC) is launching a new guide for consumers on best practices for protecting their personal data on mobile phones. The guide also explains how existing FCC requirements protect against the disclosure of consumers’ sensitive information, including geolocation data, which can be especially important in the context of accessing reproductive health care.
Safeguard patients’ electronic health information. HHS is issuing guidance affirming that doctors and other medical providers can take steps to protect patients’ electronic health information, including their information related to reproductive health care. HHS will make clear that patients have the right to ask that their electronic health information generally not be disclosed by their physician, hospital or other health care provider — including to other health care providers. The guidance also reminds health care providers that HIPAA’s privacy protections continue to apply to patients’ electronic health information.
The administration has also taken action to:
Prevent illegal use and sharing of sensitive health information. The Federal Trade Commission (FTC) has committed to enforcing the law against illegal use and sharing of highly sensitive data, including information related to reproductive health care. Consistent with this commitment, the FTC recently took enforcement action against companies for disclosing consumers’ personal health information without permission to Facebook, Google and others.
Reinforce existing protections under the HIPAA privacy rule. Immediately after Dobbs, HHS issued guidance to help ensure doctors and other health care providers and health plans know that, with limited exceptions, they are not required — and in many cases, are not permitted — to disclose individuals’ health information, including to law enforcement. This guidance, which helps protect individuals seeking or receiving reproductive health care, remains in effect while today’s rulemaking is underway. The Notice of Proposed Rulemaking noted above would further strengthen privacy protections under the HIPAA Privacy Rule.
Protect individuals’ health information online. HHS issued a bulletin to affirm that HIPAA’s privacy protections extend to the use of online tools offered by or on behalf of covered entities that collect protected health information through websites and mobile apps. These tools, such as “cookies” on a website, can be used to track online activity and information about website and app users, sometimes in ways that collect or reveal protected health information. This can include information about reproductive health care, such as the location of where an individual sought medical treatment. The bulletin makes clear that health care providers and health plans — as well as many of the entities that these organizations do business with — cannot use online tracking tools or share patient information with third parties in a way that violates HIPAA.
Help consumers protect their personal data. HHS issued a how-to guide for consumers on steps they can take to make sure they are protecting their personal data on personal cell phones or tablets. HHS also provided tips for protecting individuals’ privacy when using mobile health apps, like period trackers.
Promote the privacy of service members. The Department of Defense issued an updated policy to provide service members with time and flexibility to make private health care decisions while accounting for the responsibility placed on commanders to meet operational requirements and protect the health and safety of those in their care. This policy standardized the timeframe for service members to inform their commanders about a pregnancy, generally allowing service members until up to 20 weeks of pregnancy to notify their commanders of their pregnancy status, with limited exceptions to account for specific military duties, occupational health hazards and medical conditions.