On June 24, 2022, america Supreme Courtroom issued its choice in Dobbs v. Jackson Girls’s Well being Group,1 opening a authorized path to state legal guidelines proscribing or prohibiting entry to sure reproductive well being companies. To implement these legal guidelines, regulation enforcement officers could try to entry people’ well being info, together with from expertise platforms that course of well being info on behalf of people or different companies.
In response to Dobbs, President Biden issued an Government Order on Defending Entry to Reproductive Well being Providers. Amongst different issues, the Government Order2 known as on the Division of Well being and Human Providers (HHS) and the Federal Commerce Fee (FTC) to undertake initiatives to guard the privateness of people looking for reproductive well being companies. This advisory discusses steerage issued by HHS for entities regulated by the Well being Insurance coverage Portability and Accountability Act (HIPAA),3 in addition to FTC initiatives on this space that will deal with privateness practices of non-HIPAA coated entities.
When Do HIPAA and the FTC Act Apply?
Understanding when well being info is protected by HIPAA or the FTC Act (amongst different legal guidelines) is a threshold subject for organizations to find out their authorized obligations and restrictions with respect to offering health-related info to the federal government.
HIPAA does not defend all health-related private info, however quite protects solely info that’s created, obtained, maintained, or transmitted by “coated entities” or their “enterprise associates.” Lined entities are outlined as healthcare suppliers (who interact in a normal transaction electronically, similar to submitting a declare for reimbursement to a payor), well being plans, and healthcare clearinghouses (specialised entities that course of nonstandard well being info). Enterprise associates are coated entities’ service suppliers. As a result of HIPAA’s jurisdiction attaches based mostly on an entity’s standing as a coated entity or enterprise affiliate, and to not the knowledge itself, well being info might be coated by HIPAA in a single situation (e.g., the place a hospital maintains a medical report), and the identical info is not going to be coated by HIPAA in one other situation (e.g., the place a medical report is enter by a person into a private well being app). Whether or not HIPAA applies doesn’t activate the diploma of perceived sensitivity of the well being info.
The FTC, whereas not liable for implementing HIPAA, performs a big position in regulating the privateness and information safety practices of organizations that gather well being info. The FTC Act is the first federal statute utilized by the FTC to carry enforcement actions relating to a corporation’s privateness and safety practices associated to well being info that’s not coated by HIPAA. The FTC makes use of its authority underneath Part 5 of the FTC Act to carry enforcement actions the place it believes a corporation has: made false or deceptive statements in regards to the group’s privateness or information safety procedures; engaged in a observe that brought about substantial damage to customers; or that did not make use of affordable safety measures. It additionally enforces, as could also be related right here, the Well being Breach Notification Rule.4
Organizations that obtain requests for well being info from state officers or different regulation enforcement businesses must be conscious that even when HIPAA or the FTC Act allow the disclosure of sure well being info, different privateness legal guidelines—such because the Digital Communication Privateness Act (ECPA)—could place further restrictions on the group’s disclosure of this info. As well as, varied state legal guidelines regulate well being info, and HIPAA doesn’t preempt state regulation that’s extra restrictive or protecting of makes use of or disclosures of well being info.
OCR Steering: HIPAA Privateness Rule and Disclosures of Data Referring to Reproductive Healthcare
Within the weeks following the Supreme Courtroom’s choice, HHS voiced its intent to marshal current laws and assets to “take motion to guard entry to sexual and reproductive well being care, together with abortion, being pregnant issues, and different associated care.”5 Particularly, HHS’ Workplace for Civil Rights (OCR) concurrently issued two separate privacy-focused steerage paperwork. In one of many steerage paperwork, OCR spoke on to people about HIPAA’s limitations in defending their well being info, and inspired customers to take steps to safeguard their information when utilizing smartphones, tablets, and different units for private use.6 This part focuses on the opposite steerage doc, during which OCR advises HIPAA-regulated entities on when they could (and will not) disclose protected well being info (PHI) to state officers or regulation enforcement entities (referred to right here because the “OCR Steering”).7
HIPAA-regulated entities could solely use or disclose PHI as expressly permitted by the Privateness Rule,8 except they get hold of a HIPAA authorization from the person (i.e., a particular doc figuring out and offering consent for explicit makes use of or disclosures of well being info that’s executed by the affected person). OCR emphasised that whereas there are cases when PHI could also be used and disclosed for functions unrelated to healthcare, together with disclosures required by regulation, these cases are narrowly tailor-made and should meet the precise necessities set forth within the Privateness Rule. OCR additionally underscored that whereas HIPAA could allow disclosures required by regulation, HIPAA itself doesn’t require these disclosure—quite, it’s the relevant regulation that compels the disclosure.
The next three cases described within the OCR Steering advise when coated entities are permitted to reveal PHI when required by regulation, or to avert critical menace to well being and security, with out acquiring the affected person’s prior authorization.
Disclosures Required by Regulation
The HIPAA Privateness Rule permits, however does not require, coated entities to reveal PHI with out a person’s authorization when one other regulation (i) compels the coated entity to take action, (ii) the request for the PHI is enforceable in a court docket of regulation, and (iii) the disclosure of the PHI complies with the necessities of such regulation.9 OCR states it will contemplate disclosures that don’t meet all three parts or exceed the scope of the request to be impermissible and a violation of the Privateness Rule.
- A person goes to a hospital emergency division whereas experiencing issues associated to a miscarriage throughout week ten of being pregnant. A hospital workforce member suspects the person has taken remedy to finish the being pregnant. State regulation prohibits abortion after six weeks however doesn’t require the hospital to report people to regulation enforcement. The place state regulation doesn’t expressly require such reporting, the Privateness Rule would not allow a disclosure to regulation enforcement underneath the “required by regulation” permission, and HHS states that such a disclosure can be impermissible and represent a breach of unsecured PHI requiring notification to HHS and the person affected.
Disclosures for Regulation Enforcement Functions
The Privateness Rule permits, however doesn’t require, coated entities to reveal PHI for regulation enforcement functions underneath sure situations the place the request is “pursuant to course of and as in any other case required by regulation.”10 For instance, a coated entity could reply to a request from regulation enforcement made by a court-ordered warrant, subpoena, or summons by disclosing solely the requested PHI. Within the absence of a mandate enforceable in a court docket of regulation, the Privateness Rule doesn’t allow disclosure of PHI for regulation enforcement functions. Within the absence of such a mandate, the Privateness Rule doesn’t allow a coated entity (or any member of its workforce) to voluntarily disclose PHI to regulation enforcement.
- A regulation enforcement official goes to a reproductive healthcare clinic and requests data of abortions carried out on the clinic. If the request shouldn’t be accompanied by a court docket order or different mandate enforceable in a court docket of regulation, the Privateness Rule wouldn’t allow the clinic to reveal PHI in response to the request. Subsequently, such a disclosure can be impermissible and represent a breach of unsecured PHI requiring notification to HHS and the person affected.
- A regulation enforcement official presents a reproductive healthcare clinic with a court docket order requiring the clinic to supply PHI about a person who has obtained an abortion. As a result of a court docket order is enforceable in a court docket of regulation, the Privateness Rule would allow however not require the clinic to reveal the requested PHI. The clinic could disclose solely the PHI expressly approved by the court docket order.
Whereas the OCR Steering focuses on “coated entities,” enterprise associates look like topic to the identical permissions and restrictions with respect to disclosing PHI processed on behalf of a coated entity when the disclosure is “required by regulation.” HIPAA permits enterprise associates to make use of PHI as permitted or required by the enterprise affiliate settlement and underlying contract, or as required by regulation. The implication, though not addressed within the OCR Steering, is that regulation enforcement might compel a enterprise affiliate to supply well being info if the request is legitimate underneath relevant regulation. There isn’t any provision inside HIPAA that will routinely require a enterprise affiliate to defer such requests to the coated entity who in the end controls the PHI.
Disclosures to Avert a Critical Risk to Well being or Security
The Privateness Rule permits, however doesn’t require, a coated entity to reveal PHI if the coated entity believes in good religion that the use or disclosure is important to stop or reduce a critical and imminent menace to the well being and security of an individual or the general public, and the disclosure is to an individual or individuals fairly capable of stop or mitigate the menace. 11
- A pregnant particular person in a state that bans abortion informs their healthcare supplier of their intent to hunt an abortion in one other state the place abortion is authorized. The supplier needs to report this to regulation enforcement to aim to stop the abortion from happening. HHS considers this an impermissible disclosure of PHI underneath the Privateness Rule for a number of causes, together with (i) the meant authorized abortion doesn’t qualify as a “critical and imminent menace to the well being and security of an individual or the general public,” and (ii) such disclosure can be inconsistent with skilled moral requirements.
The FTC has additionally issued steerage associated to the subject of defending the privateness of people looking for reproductive companies (referred to right here because the “FTC Steering”). The steerage states that the FTC will proceed to “vigorously implement the regulation” associated to misuse of people’ location, well being, and different delicate information.12 The sturdy implication is that the FTC will probably be seeking to carry enforcement actions to guard the privateness of people looking for such companies, amongst different actions to guard location and well being information. Listed here are a number of the varieties of actions the FTC could pursue:
- Within the FTC Steering, the FTC takes the place that claims that location information is “nameless” or “has been anonymized” could also be misleading and violate the FTC Act when unfaithful. The FTC Steering factors to analysis that exhibits that “anonymized” information can usually be re-identified, particularly within the context of location information, and states that “firms that make false claims about anonymization can count on to listen to from the FTC.”
- The FTC Steering means that the FTC would contemplate sure assortment, use, and sharing of knowledge that identifies individuals who go to abortion clinics to be an unfair observe. The FTC Steering cites a Massachusetts case alleging that the observe of promoting such information for focused promoting would violate state client safety legal guidelines.
- By way of different actions the FTC might take to guard the privateness of individuals looking for details about reproductive companies, the company lately obtained a letter from U.S. Rep. Anna Eshoo, D-California, and Sen. Ron Wyden, D-Oregon urging investigations and actions in opposition to digital personal community suppliers. The letter notes that people are being “more and more informed that putting in a VPN is a crucial step for safeguarding themselves when looking for info on abortion.” VPN suppliers that make claims in regards to the privateness protecting nature of their companies is also within the crosshairs of the FTC.
- Lastly, the FTC has undertaken quite a few initiatives to advertise information minimization. It has introduced enforcement actions underneath the Youngsters’s On-line Privateness Safety Act (COPPA) alleging that an indefinite information retention interval violated the statute’s information minimization necessities. Chair Lina Khan introduced her intention to deal with the substantive privateness protections in COPPA (versus the discover and consent provisions), together with information minimization. Given the FTC’s deal with delicate location and well being information within the weblog put up, the FTC could deal with firms that gather and retain such information expansively.
Wilson Sonsini will proceed to observe privacy-related steerage issued by federal and state businesses within the wake of Dobbs. Please seek the advice of your Wilson Sonsini lawyer with any questions or the privateness and cybersecurity observe for additional info.
 Dobbs v. Jackson Girls’s Well being Org., 142 S. Ct. 2228 (2022).
 Exec. Order No. 14,076, 87 Fed. Reg. 42,053 (July 8, 2022).
 Pub. L. 104-191, as amended by the Well being Data Know-how for Financial and Medical Well being Act (HITECH Act) underneath Title XIII of the American Restoration and Reinvestment Act of 2009 (Pub. L. 111–5), and together with the Privateness, Safety, Breach Notification, and Enforcement Guidelines at 45 CFR Half 160 and Half 164.
 The Well being Breach Notification Rule is a rule promulgated by the FTC that applies to entities that preserve, provide, or present services or products associated to non-public well being data. The Well being Breach Notification Rule doesn’t apply to HIPAA-covered entities, or to another entity to the extent that entity engages in actions as a enterprise affiliate underneath HIPAA.
 U.S. Dep’t of Well being & Hum. Servs., Off. for Civ. Rts., HHS Points Steering to Shield Affected person Privateness in Wake of Supreme Courtroom Determination on Roe (June 29, 2022), https://www.hhs.gov/about/information/2022/06/29/hhs-issues-guidance-to-protect-patient-privacy-in-wake-of-supreme-court-decision-on-roe.html.
 U.S. Dep’t of Well being & Hum. Servs., Off. for Civ. Rts., Defending the Privateness and Safety of Your Well being Data When Utilizing Your Private Cell Cellphone or Pill (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privateness/steerage/cell-phone-hipaa/index.html.
 U.S. Dep’t of Well being & Hum. Servs., Off. for Civ. Rts., HIPAA Privateness Rule and Disclosures of Data Referring to Reproductive Well being Care (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privateness/steerage/phi-reproductive-health/index.html.
 45 C.F.R. Half 160 and Half 164, Subparts A and E. The Privateness Rule is the a part of HIPAA that establishes necessities for the use, disclosure, and safety of PHI by coated entities and, by extension, their enterprise associates.
 45 C.F.R. § 164.512(a); see 45 C.F.R. §§ 164.103, 164.512(e), (f).
 45 C.F.R. § 164.512(f)(1).
 45 C.F.R. § 164.512(j).
 Fed. Commerce Comm’n, Location, Well being, and Different Delicate Data: FTC Dedicated to Absolutely Imposing the Regulation In opposition to Unlawful Use and Sharing of Extremely Delicate Knowledge (July 11, 2022), https://www.ftc.gov/business-guidance/weblog/2022/07/location-health-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal-use.