The Biden Administration is taking action to support access to reproductive health care in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization. This is occurring as some states seek to restrict or criminalize abortion services. So far, there has been action by the White House, through an Executive Order, and by the U.S. Department of Health and Human Services (HHS), through guidance on HIPAA and privacy.
Executive Order Regarding Reproductive Health Care Services
Today, President Biden issued an Executive Order Protecting Access to Reproductive Health Care Services. This Executive Order identifies four areas of focus for the Administration:
- Safeguarding access to reproductive health care services, including abortion and contraception;
- Protecting the privacy of patients and their access to accurate information;
- Promoting the safety and security of patients, providers, and clinics; and
- Coordinating the implementation of Federal efforts to protect reproductive rights and access to health care.
Many of the actions called for in the Executive Order direct action by the Secretary of Health and Human Services (HHS) and will impact health care providers, health plans and those supporting patients in seeking reproductive health services.
Safeguarding Access to Reproductive Health Care Services
The President has directed HHS to act within the next 30 days to protect access to reproductive health care services. The policy changes that most impact those delivering health care are:
- Protect access to medication abortion, including ensuring that FDA-approved medication is widely accessible.
- Ensure emergency medical care, including for pregnant women and those experiencing pregnancy loss, under the law through updates to guidance under Emergency Medical Treatment and Labor Act (EMTALA).
- Protect access to contraception, including under the Affordable Care Act which guarantees coverage of women’s preventive services, including free birth control and contraceptive counseling, for individuals and covered dependents.
Protecting Patient Privacy and Access to Accurate Information
The Executive Order takes steps to protect patient privacy, including by addressing the transfer and sales of sensitive health-related data, combatting digital surveillance related to reproductive health care services, and protecting people seeking reproductive health care from inaccurate information, fraudulent schemes, or deceptive practices. Specifically, the Executive Order directs:
- Protect consumers from privacy violations and fraudulent and deceptive practices by directing the Federal Trade Commission to consider actions to protect consumers’ privacy when seeking information about and provision of reproductive health care services and to work with HHS to consider options to address deceptive or fraudulent practices, including online, and protect access to accurate information.
- Protect sensitive health information by having HHS will consider additional actions to improve privacy protections for sensitive reproductive health information, including under the Health Insurance Portability and Accountability Act (HIPAA). This builds on recent HHS guidance described in detail below.
The Executive Order also addresses issues related to promoting safety and security and coordinating implementation efforts. Specifically, the Executive Order addresses the heightened risk related to seeking and providing reproductive health care and states that the Administration will ensure the safety of patients, providers, and others, and protect the security of entities that are providing or dispensing reproductive health care services. It also focuses on Federal government coordination to addressing reproductive rights and protecting access to reproductive health care.
The Executive Order notes action already taken by the Administration, including:
- Ensuring that all HHS-funded providers and clinics have appropriate training and resources to handle family planning needs, including through new funding for Title X family planning providers.
- Promoting access to accurate information, including information about patient and provider rights, through ReproductiveRights.gov.
- Providing leave for federal workers traveling for medical care, including guidance regarding paid sick leave to cover absences for travel to obtain reproductive health care
- Protecting access to reproductive health care services for service members, DoD civilians, and military families, including a Department of Defense (DoD) memo on access to women’s reproductive health care services.
HHS Guidance on HIPAA Rules Related to Reproductive Health Care and Use of Health Information Apps
Last week, the HHS Office for Civil Rights (“OCR”) issued two guidance documents (collectively, the “Guidance”) related to privacy and security concerns raised by the Supreme Court ruling in Dobbs. The first Guidance document (“Reproductive Health Care Guidance”) clarifies the application of various privacy rules under HIPAA to individuals’ health information related to abortion and other sexual and reproductive health care.
The second Guidance document (“Health Information App Guidance”) provides tips to individuals on protecting their privacy and security when using health information apps on their cell phones and tablets. The Health Information App Guidance aims to address the extent to which individuals’ health information is protected on personal cell phones and tablets, as well as provide tips for protecting individuals’ privacy when using period trackers and other health information apps. In the wake of Dobbs, many patients have expressed growing concerns that period trackers and other health information apps may threaten their privacy by disclosing geolocation data to third parties who might misuse that information to deny care.
Reproductive Health Care Guidance
The Reproductive Health Care Guidance clarifies that the HIPAA Privacy Rule supports access to comprehensive reproductive health care services, including abortion care, by protecting the confidentiality of individuals’ protected health information (PHI). As the Reproductive Health Care Guidance emphasizes, HIPAA-regulated entities may use or disclose PHI without an individual’s authorization only if expressly permitted or required by the HIPAA Privacy Rule.
Most often, such disclosures involve disclosures for treatment, payment, or health care operations. There are, however, certain other limited circumstances in which a HIPAA-regulated entity may disclose PHI to a third party. The Reproductive Health Care Guidance discusses these rules and their applicability to reproductive health care.
- Disclosures Required by Law. The HIPAA Privacy Rule permits, but does not require, covered entities to disclose PHI about an individual without that individual’s authorization when the disclosure is required by another law and the disclosure complies with that law’s requirements. However, disclosures of PHI that do not meet the “required by law” definition in the HIPAA regulations or that exceed what is required by such law are not permissible. If, for example, a state law prohibits abortion after six weeks of pregnancy but does not require hospitals to report individuals to law enforcement, then a hospital is not permitted to disclose PHI to law enforcement, even if it suspects an individual of having taken medication to end their pregnancy.
- Disclosures for Law Enforcement Purposes. The HIPAA Privacy Rule permits, but does not require, covered entities to disclose PHI about an individual for law enforcement purposes “pursuant to process and as otherwise required by law” (e.g., in response to a court order or subpoena). Absent a mandate enforceable in a court of law, this rule does not permit disclosures of PHI to law enforcement. Therefore, if a law enforcement official goes to a reproductive health care clinic and requests records of abortions performed at the clinic, but does not have a court order or other mandate enforceable in a court of law, the clinic would be prohibited from disclosing PHI in response to the request. If the law enforcement official were to present a court order requiring the clinic to produce PHI about an individual who obtained an abortion, HIPAA would permit, but not require, the clinic to disclose the requested PHI.
- Disclosures to Avert a Serious Threat to Health or Safety. The HIPAA Privacy Rule permits, but does not require, a covered entity to disclose PHI if it believes in good faith that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat. OCR states that this rule would not permit a health care provider to report to law enforcement a pregnant individual’s stated intent to seek an abortion in a state where abortion is legal because it does not qualify as a “serious and imminent threat to the health or safety of a person or the public,” and such a disclosure would generally be inconsistent with professional ethical standards.
Health Information App Guidance
The Health Information App Guidance is intended to provide individuals with tips on how to protect the privacy and security of their health information when using health apps on their cell phones and tablets. In the wake of Dobbs, concerns have grown about the confidentiality of information stored or transmitted by certain apps related to reproductive health care such as period trackers.
As the Health Information App Guidance clarifies, HIPAA generally does not protect the privacy or security of health information when it is accessed through or stored on an individual’s cell phone or tablet. HIPAA only protects PHI that is created, received, maintained, or transmitted by a covered entity or business associate. Therefore, unless an app is provided by a covered entity or business associate, health information entered in the app is not protected by HIPAA. The Health Information App Guidance then discusses various tips for individuals to protect this information since it is not PHI subject to HIPAA. These include:
- Avoiding downloading unnecessary or random apps, particularly those that are “free”
- Avoiding giving any app permission to access the device’s location data except where location is necessary (e.g., navigation apps)
- Turning off location services and tracking in the device’s settings
- Using apps that are recognized as supporting increased privacy and security
- Taking steps before disposing of an old cell phone or tablet
Dobbs and the consequent increased scrutiny on abortion services and the associated health information has sparked many questions on health care delivery and the application of privacy laws and regulations to uses and disclosures of such information. Companies should expect significant legal developments in the wake of Dobbs, both on the state and federal level. We expect agencies to be active in the coming months in publishing guidance and making policy changes to address access to reproductive health care services and to address the applicability and enforcement of existing privacy regimes with respect to reproductive health care issues.
Given the sensitivity, complexity, and timing of these changes, it will be critical for health care providers, health plans, patient-facing organizations and those assisting them to stay on top of these changes and understand the compliance obligations, permissions and prohibitions that arise.
We will continue to follow these developments.