Time to Learn: 14 minutes
Well being Care
On June 24, 2022, the Supreme Courtroom issued its opinion in Dobbs v. Jackson Girls’s Well being Group, overturning precedent that protected entry to abortion companies earlier than the purpose of fetal viability. As an alternative, the Supreme Courtroom acknowledged that state legislatures have the authority to manage abortion, main a number of states to enact legal guidelines banning the process or to implement beforehand unenforceable legal guidelines banning abortion.1 In response to the Dobbs determination, on June 29, 2022, the U.S. Division of Well being and Human Providers (“HHS”) Workplace for Civil Rights (“OCR”) launched steerage supplies discussing the function that the Well being Insurance coverage Portability and Accountability Act of 1996, and its implementing laws, as amended (collectively, “HIPAA”) performs in safeguarding the protected well being info (“PHI”) of ladies.2
Moreover, on July 8, 2022, President Biden signed Govt Order 14076 to affirm reproductive well being care entry in gentle of the Supreme Courtroom’s determination in Dobbs.3 The Govt Order calls on leaders of federal companies to advertise entry to reproductive well being care, to guard the privateness and security of these in search of abortion and different reproductive well being care, and to coordinate efforts to attain these targets. In response to this Govt Order, HHS Secretary Xavier Becerra issued steerage on July 11, 2022, explaining the function of the federal Emergency Medical Remedy and Energetic Labor Act (“EMTALA”) in making certain reproductive well being care entry.4
Because the variety of restrictive abortion legal guidelines rises, and potential felony legal responsibility for these concerned in in search of or offering an abortion grows, the safety of sufferers’ well being info has taken on an more and more important function within the supply of well being care. Girls and different sufferers might really feel that their well being info, together with PHI, is now not safe and hesitate to have interaction with the broader well being care system, together with suppliers, well being plans, pharmacies, and digital well being functions. As well as, sufferers and suppliers have turn into extra involved about using cookies and comparable monitoring applied sciences by well being care corporations, together with well being care suppliers which can be thought-about to be “coated entities” below HIPAA. These applied sciences might monitor, for instance, sure web site searches, location info, and different on-line conduct, which many concern state officers might try to make use of in prosecuting abortion. For instance, a state official in a state that bans abortion might problem a subpoena to an organization utilizing such monitoring applied sciences in search of sure private info regarding a shopper’s on-line exercise, together with questions on contraception, being pregnant, prescribed drugs or abortion companies.5 Consequently, OCR has elevated enforcement exercise and reiterated the duty of coated entities to appropriately safeguard PHI. In keeping with the necessity to defend the privateness of all people, OCR additionally has indicated that it’s exploring the discharge of normal “acknowledged safety practices” below the Well being Info Know-how for Financial and Scientific Well being (“HITECH”) Act.6 A brand new and extra discerning gentle is now being shined on the vital significance of defending private well being info. Consequently, coated entities, enterprise associates and others who present help companies to the well being care business, will probably be held to stricter scrutiny. In response, coated entities and their enterprise associates should concentrate on, and be ready to fulfill, extra rigorous privateness and safety necessities imposed by HIPAA, together with when disclosures of PHI usually are not permitted, coaching workers on the brand new necessities, enhancing safety, and making certain that insurance policies and procedures are present and personnel is appropriately educated, and remaining knowledgeable about any new steerage paperwork launched by OCR or the relevant state authority. This consumer alert summarizes OCR’s current steerage on this space and highlights key areas of potential concern for purchasers.
Safety of Affected person Info below the HIPAA Privateness Rule
June 2022 OCR HIPAA Privateness Rule Steerage
Within the steerage materials titled HIPAA Privateness Rule and Disclosures of Info Referring to Reproductive Well being Care, launched on June 29, 2022 (the “HIPAA Privateness Rule Steerage”), OCR clarified the HIPAA Privateness Rule’s (the “Privateness Rule”) affect on post-Dobbs laws and practices.7 The Privateness Rule establishes necessities for the use, disclosure and safeguarding of PHI by coated entities and their enterprise associates.8 The HIPAA Privateness Rule Steerage reiterates that “regulated entities can use or disclose PHI, with out a person’s signed authorization, solely as expressly permitted or required by the Privateness Rule.”9 The HIPAA Privateness Rule Steerage confirms that “permissions for disclosing PHI with out a person’s authorization for functions not associated to well being care . . . are narrowly tailor-made to guard the person’s privateness and help their entry to well being companies.”10
When disclosure of a person’s PHI is required by one other legislation, coated entities are permitted, however not required, to adjust to the disclosure.11 Moreover, “[d]isclosures of PHI that don’t meet the ‘required by legislation’ definition within the HIPAA Guidelines, or that exceed what’s required by such legislation, don’t qualify as permissible disclosures.”12 The HIPAA Privateness Rule Steerage offers the instance of a person who goes to the hospital whereas experiencing a miscarriage. OCR acknowledged that even when the hospital employee suspects that the person took remedy to finish her being pregnant in violation of state legislation, if the state legislation doesn’t “expressly require such reporting,” the hospital employee might not report the person to legislation enforcement.13
The HIPAA Privateness Rule Steerage additionally discusses when coated entities are required to reveal a person’s PHI for legislation enforcement functions, and once more attracts a distinction between when a coated entity should disclose PHI versus when a coated entity might disclose PHI.14 Beneath the Privateness Rule, a coated entity might disclose PHI when confronted with a courtroom order, court-ordered warrant or subpoena so long as the coated entity meets the precise situations required by the Privateness Rule.15 For instance, a reproductive well being care clinic might not present data of abortions carried out on the clinic to a legislation enforcement officer absent a courtroom order or different mandate enforceable in a courtroom of legislation (e.g., court-ordered warrant or subpoena).”16 Importantly, nevertheless, even when confronted with a courtroom order or different mandate, the reproductive well being care clinic is by no means required by HIPAA to reveal the PHI.17 Additional, the HIPAA Privateness Rule Steerage clarifies that the Privateness Rule doesn’t allow a well being care supplier to report an abortion to legislation enforcement with out an enforceable mandate.18
Lastly, the HIPAA Privateness Rule Steerage states that the “Privateness Rule permits however doesn’t require a coated entity . . . to reveal PHI if the coated entity, in good religion, believes the use or disclosure is important to forestall or reduce” a severe menace to well being or security of an individual or the general public.19 Importantly, nevertheless, the HIPAA Privateness Rule Steerage, together with main skilled societies, maintains that this class of disclosure doesn’t apply within the reproductive well being care context, and thus any such disclosure shouldn’t be permitted by the Privateness Rule.
Implications of HIPAA Privateness Rule Steerage
To make sure compliance with HIPAA and the HIPAA Privateness Rule Steerage, coated entities ought to replace their HIPAA coaching supplies or in any other case interact their supplier workforce on the HIPAA Privateness Rule Steerage, emphasizing when the disclosure of PHI is remitted versus permitted. That is particularly essential in states the place well being care suppliers might face requests for info from legislation enforcement and anybody in search of to implement an abortion ban below a personal proper of motion. As acknowledged above, a number of states now ban abortion, and a few states criminalize those that help with or carry out an abortion.20 For instance, Texas’ legislation grants a personal proper of motion to any individual to convey a civil swimsuit towards one other who performs or induces an abortion or who aids or abets the efficiency of an abortion.21 Beneath this statute, a hospital worker who suspects a doctor of performing an abortion or a partner of bringing a accomplice to the hospital for an abortion might sue these people. Nonetheless, because the HIPAA Privateness Rule Steerage explains, this motion would violate HIPAA. Moreover, these statutes might have a chilling impact on sufferers’ use of assisted reproductive expertise (“ART”), reminiscent of in vitro fertilization. Widespread points of ART procedures, reminiscent of freezing embryos earlier than use and selective discount of nonviable embryos, might now be thought-about a felony act below new state abortion legal guidelines.22 Though HIPAA protects PHI associated to those procedures, sufferers might fear that an untrained member of the supplier’s workers may search to implement the abortion ban by the personal proper of motion. Coated entities might profit from establishing clear steerage for his or her workforce on defending PHI associated to reproductive well being, and if not already in place, growing a course of or designating a person or committee to evaluate and approve any disclosure associated to reproductive well being.
As well as, legislation enforcement officers might try to entry info from third-party corporations with which coated entities or their enterprise associates share info.23 Whereas subpoenas to coated entities or enterprise associates should be appropriately tailor-made to be enforceable below HIPAA, legislation enforcement might search to subpoena corporations with which a coated entity or enterprise associates has already shared sure info regarding the on-line exercise of its sufferers (e.g., a affected person’s search on a supplier web site for reproductive well being companies). Thus, coated entities and enterprise associates ought to reexamine their information assortment and destruction insurance policies; talk throughout enterprise departments to make sure transparency inside corporations regarding what info could also be saved, tracked, and shared with third events; and replace its information sharing and use practices accordingly.24
Relatedly, well being care suppliers should even be aware of the interplay between EMTALA and state abortion legal guidelines. For instance, whereas Texas legislation typically states that performing or inducing an abortion is illegal, EMTALA requires a doctor to take these actions if wanted to stabilize a pregnant lady who got here to a hospital emergency division and introduced with an emergency medical situation (“EMC”).25 OCR issued steerage on July 11, 2022 that reiterated hospitals’ current obligations below EMTALA (the “EMTALA Steerage”).26 Beneath EMTALA, hospitals and physicians are required to display screen people who come to an emergency division to find out if an EMC is current, to stabilize these people who’ve an EMC, and usually to not switch these with EMCs until the medical advantages of the switch outweigh the dangers.27 Thus, EMTALA mandates that hospitals and physicians present pregnant sufferers who come to a hospital emergency division, and are decided to have an EMC, with stabilizing therapy. The EMTALA Steerage gives ectopic being pregnant, extreme preeclampsia, emergency hypertension problems and issues of being pregnant loss as examples of EMCs that require emergency reproductive well being care, together with abortion.28 The EMTALA Steerage additionally discusses problems with preemption of state legal guidelines. EMTALA preempts all conflicting state legal guidelines, laws and practices, together with extra restrictive definitions of EMC and prohibitions towards offering needed abortion care.29
Along with complying with federal guidelines, coated entities and enterprise associates ought to make sure that they’re in compliance with any new state legal guidelines. New York, for instance, lately handed a legislation that “shields corporations within the state from having to honor a subpoena request from one other state if it pertains to legally carried out abortion companies.”30 Connecticut handed an identical legislation stating that well being care suppliers typically can’t disclose affected person info to legislation enforcement with no affected person’s written consent.31 Sufferers might search care, by telehealth or in any other case, from suppliers in states that let abortion and supply further protections for well being info.32 Most states require telehealth sufferers to be bodily current within the state the place abortion is permitted as a way to obtain the telehealth appointment and drugs.33 Thus, states that let abortion predict an inflow of sufferers from different states who want remedy abortion.34 As beforehand talked about, New York handed its legislation partly to guard suppliers who present abortion care to nonresidents from authorized motion exterior of the state (e.g., stopping the extradition of abortion suppliers to states the place abortion is banned and offering further authorized protections to suppliers).35 We count on extra regulation on this space within the coming months, in addition to challenges to such legal guidelines.
Safety of Well being Info on Private Gadgets
June 2022 OCR HIPAA Private Machine Steerage
On the identical day because the HIPAA Privateness Rule Steerage, OCR issued separate steerage supplies associated to the privateness and safety of a person’s well being info on their private gadgets (the “HIPAA Private Machine Steerage”).36 Whereas OCR primarily addressed the HIPAA Privateness Rule Steerage to coated entities, the HIPAA Private Machine Steerage addresses the exercise of particular person sufferers. The HIPAA Private Machine Steerage explains to people that HIPAA typically “doesn’t defend the privateness or safety of  well being info when it’s entry[ed] by or saved on” private gadgets, reminiscent of cell telephones or tablets.37 Particularly, the HIPAA Private Machine Steerage notes that HIPAA doesn’t apply to geographic location info, Web search historical past, info voluntarily shared on-line or information entered into cellular apps (until a coated entity offers the app).38 The HIPAA Private Machine Steerage gives a number of steps people can take to restrict the quantity of non-public information shared with apps, reminiscent of turning off location companies and app monitoring of consumer exercise.39
Implications of 2022 Privateness Steerage
The 2022 Privateness Steerage might mirror a scarcity of public belief within the safety of non-public info in digital well being functions. Customers are more and more extra conscious of how corporations collect and use their private info, together with how info regarding well being companies obtained or sought out could also be shared with third events.40 For instance, ladies who use digital well being instruments to trace their menstrual cycles have began deleting these apps, involved that their info shouldn’t be personal and safe.41 As well as, and as additional mentioned beneath, hospitals and different entities have seen a rise in profitable lawsuits introduced by sufferers, alleging improper disclosure of their private well being info.42
Well being care-related companies, together with software program improvement corporations, creators of digital well being instruments, and any well being care suppliers with which they contract, might wish to take into account limiting using sure monitoring applied sciences, together with location tracing of app customers, or offering different protecting measures with respect to such information. These instruments are put in inside web sites that ship a packet of information to a delegated social media platform each time an individual clicks sure buttons on the web site.43 This instrument can turn into problematic when it’s embedded with a hospital’s web site, monitoring when sufferers schedule physician’s appointments, enter search phrases about medical situations and request prescriptions.44 These monitoring instruments are additionally generally discovered inside a affected person’s password-protected affected person portal, gathering delicate info and sending the information to a delegated social media platform.
Use of third-party advertising and marketing tracing applied sciences on well being care associated web sites has already resulted in school actions. For instance, lately, a category motion lawsuit was filed towards a hospital system, alleging that the system violated state privateness legal guidelines, and one other alleging that the recipient was conscious that it was improperly receiving affected person information.45 As shoppers turn into extra conscious of the ways in which corporations can monitor and share their exercise, they could be much less more likely to make the most of digital well being instruments. Nonetheless, there are steps that corporations can take to reassure shoppers that their private info, together with well being info, stays personal and safe, together with efforts to comprehensively perceive how web sites, apps, and different Web-enabled applied sciences accumulate, retailer, and share information.
Corporations ought to proceed to observe developments on this space, together with new state and federal legal guidelines or steerage. Notably, OCR lately launched a request for info (“RFI”) asking for feedback on what constitutes “acknowledged safety practices” of coated entities and enterprise associates and the way people must be compensated when harmed by a coated entity or enterprise affiliate’s practices.46 In gentle of the RFI, corporations ought to take into account reviewing current information privateness insurance policies and procedures to make sure they’re conscious of their firm’s practices, and replace workforce coaching as wanted. Coated entities and enterprise associates also can take proactive steps to restrict their legal responsibility, together with ceasing use of monitoring applied sciences in sure circumstances, and both turning off or limiting location and monitoring companies for sufferers on private gadgets and browsers. For instance, Google lately introduced that it might “delete abortion clinic visits from the placement historical past of its customers.”47
The steerage supplies issued within the wake of Dobbs point out that federal and state governments are ready to scrutinize actions by well being care suppliers associated to the use and disclosure of delicate well being info, significantly info regarding using reproductive well being companies. Well being care suppliers ought to make sure that their workforce understands when HIPAA doesn’t allow the disclosure of protected well being info, even when requested by a legislation enforcement official. As well as, well being care suppliers should adjust to EMTALA, even when doing so conflicts with state statutes and laws. Final, corporations ought to evaluate their privateness insurance policies and the way they’re accumulating and sharing shopper information, significantly in reference to how such information might relate to an individual’s well being or use of well being care companies, to make sure compliance with current authorized improvement and business greatest practices.
Ropes & Grey will proceed to observe developments on this space. In case you have any questions, please don’t hesitate to contact the authors or your regular Ropes & Grey advisor.