Privacy Post-Dobbs: Recent Guidance from U.S. Regulators
On June 24, 2022, the United States Supreme Court issued its decision in Dobbs v. Jackson Women's Health Organization,[1] opening a legal path to state laws restricting or prohibiting access to certain reproductive health services. To enforce these laws, law enforcement officials may attempt to access individuals' health information, including from technology platforms that process health information on behalf of individuals or other businesses.
In response to Dobbs, President Biden issued an Executive Order on Protecting Access to Reproductive Health Services. Among other things, the Executive Order[2] called on the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) to undertake initiatives to protect the privacy of individuals seeking reproductive health services. This advisory discusses guidance issued by HHS for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA),[3] as well as FTC initiatives in this area that would address the privacy practices of entities not covered by HIPAA.
When Do HIPAA and the FTC Act Apply?
Understanding when health information is protected by HIPAA or the FTC Act (among other laws) is a threshold issue for organizations to determine their legal obligations and restrictions with respect to providing health-related information to the government.
HIPAA does not protect all health-related personal information, but rather protects only information that is created, received, maintained, or transmitted by "covered entities" or their "business associates." Covered entities are defined as healthcare providers (who engage in a standard transaction electronically, such as submitting a claim for reimbursement to a payor), health plans, and healthcare clearinghouses (specialized entities that process nonstandard health information). Business associates are covered entities' service providers. Because HIPAA's jurisdiction attaches based on an entity's status as a covered entity or business associate, and not to the information itself, health information could be covered by HIPAA in one scenario (e.g., where a hospital maintains a medical record), and the same information will not be covered by HIPAA in another scenario (e.g., where a medical record is input by an individual into a personal health app). Whether HIPAA applies does not turn on the degree of perceived sensitivity of the health information.
The FTC, while not responsible for enforcing HIPAA, plays a large role in regulating the privacy and data security practices of organizations that collect health information. The FTC Act is the primary federal statute the FTC uses to bring enforcement actions regarding an organization's privacy and security practices related to health information that is not covered by HIPAA. The FTC uses its authority under Section 5 of the FTC Act to bring enforcement actions where it believes an organization has: made false or misleading statements about its privacy or data security procedures; engaged in a practice that caused substantial injury to consumers; or failed to employ reasonable security measures. It also enforces, as may be relevant here, the Health Breach Notification Rule.[4]
Organizations that receive requests for health information from state officials or other law enforcement agencies should be aware that even if HIPAA or the FTC Act permit the disclosure of certain health information, other privacy laws—such as the Electronic Communication Privacy Act (ECPA)—may place additional restrictions on the organization's disclosure of this information. In addition, various state laws regulate health information, and HIPAA does not preempt state law that is more restrictive or protective of uses or disclosures of health information.
OCR Guidance: HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Healthcare
In the weeks following the Supreme Court's decision, HHS voiced its intent to marshal existing regulations and resources to "take action to protect access to sexual and reproductive health care, including abortion, pregnancy complications, and other related care."[5] Specifically, HHS' Office for Civil Rights (OCR) concurrently issued two separate privacy-focused guidance documents. In one of the guidance documents, OCR spoke directly to individuals about HIPAA's limitations in protecting their health information, and encouraged consumers to take steps to safeguard their data when using smartphones, tablets, and other devices for personal use.[6] This section focuses on the other guidance document, in which OCR advises HIPAA-regulated entities on when they may (and may not) disclose protected health information (PHI) to state officials or law enforcement entities (referred to here as the "OCR Guidance").[7]
HIPAA-regulated entities may only use or disclose PHI as expressly permitted by the Privacy Rule,[8] unless they obtain a HIPAA authorization from the individual (i.e., a specific document, executed by the patient, that identifies and provides consent for particular uses or disclosures of health information). OCR emphasized that while there are instances when PHI may be used and disclosed for purposes unrelated to healthcare, including disclosures required by law, these instances are narrowly tailored and must meet the specific requirements set forth in the Privacy Rule. OCR also underscored that while HIPAA may permit disclosures required by law, HIPAA itself does not require these disclosures; rather, it is the applicable law that compels the disclosure.
The OCR Guidance describes the following three instances in which covered entities are permitted to disclose PHI without obtaining the patient's prior authorization, either because disclosure is required by law or to avert a serious threat to health and safety.
Disclosures Required by Law
The HIPAA Privacy Rule permits, but does not require, covered entities to disclose PHI without an individual's authorization when (i) another law compels the covered entity to do so, (ii) the request for the PHI is enforceable in a court of law, and (iii) the disclosure of the PHI complies with the requirements of that law.[9] OCR states that it would consider disclosures that do not meet all three elements, or that exceed the scope of the request, to be impermissible and a violation of the Privacy Rule.
HHS Example
Disclosures for Law Enforcement Purposes
The Privacy Rule permits, but does not require, covered entities to disclose PHI for law enforcement purposes under certain conditions where the request is "pursuant to process and as otherwise required by law."[10] For example, a covered entity may respond to a request from law enforcement made through a court-ordered warrant, subpoena, or summons by disclosing only the requested PHI. In the absence of a mandate enforceable in a court of law, the Privacy Rule does not permit disclosure of PHI for law enforcement purposes, and it does not permit a covered entity (or any member of its workforce) to voluntarily disclose PHI to law enforcement.
HHS Examples
While the OCR Guidance focuses on "covered entities," business associates appear to be subject to the same permissions and restrictions with respect to disclosing PHI processed on behalf of a covered entity when the disclosure is "required by law." HIPAA permits business associates to use PHI as permitted or required by the business associate agreement and underlying contract, or as required by law. The implication, although not addressed in the OCR Guidance, is that law enforcement could compel a business associate to produce health information if the request is valid under applicable law. There is no provision within HIPAA that would automatically require a business associate to defer such requests to the covered entity who ultimately controls the PHI.
Disclosures to Avert a Serious Threat to Health or Safety
The Privacy Rule permits, but does not require, a covered entity to disclose PHI if the covered entity believes in good faith that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, and the disclosure is to a person or persons reasonably able to prevent or mitigate the threat.[11]
HHS Example
FTC Actions
The FTC has also issued guidance on protecting the privacy of individuals seeking reproductive services (referred to here as the "FTC Guidance"). The guidance states that the FTC will continue to "vigorously enforce the law" against misuse of individuals' location, health, and other sensitive data.[12] The strong implication is that the FTC will look to bring enforcement actions to protect the privacy of individuals seeking such services, among other actions to protect location and health data. Here are some of the types of actions the FTC may pursue:
Please consult your Wilson Sonsini attorney with any questions or the privacy and cybersecurity practice for further information.
[1] Dobbs v. Jackson Women's Health Org., 142 S. Ct. 2228 (2022).
[2] Exec. Order No. 14,076, 87 Fed. Reg. 42,053 (July 8, 2022).
[3] Pub. L. 104-191, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) under Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111–5), and including the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
[4] The Health Breach Notification Rule is a rule promulgated by the FTC that applies to entities that maintain, offer, or provide products or services related to personal health records. The Health Breach Notification Rule does not apply to HIPAA-covered entities, or to any other entity to the extent that entity engages in activities as a business associate under HIPAA.
[5] U.S. Dep’t of Health & Hum. Servs., Off. for Civ. Rts., HHS Issues Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe (June 29, 2022), https://www.hhs.gov/about/news/2022/06/29/hhs-issues-guidance-to-protect-patient-privacy-in-wake-of-supreme-court-decision-on-roe.html.
[6] U.S. Dep’t of Health & Hum. Servs., Off. for Civ. Rts., Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
[7] U.S. Dep’t of Health & Hum. Servs., Off. for Civ. Rts., HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html.
[8] 45 C.F.R. Part 160 and Part 164, Subparts A and E. The Privacy Rule is the part of HIPAA that establishes requirements for the use, disclosure, and protection of PHI by covered entities and, by extension, their business associates.
[9] 45 C.F.R. § 164.512(a); see 45 C.F.R. §§ 164.103, 164.512(e), (f).
[10] 45 C.F.R. § 164.512(f)(1).
[12] Fed. Trade Comm’n, Location, Health, and Other Sensitive Information: FTC Committed to Fully Enforcing the Law Against Illegal Use and Sharing of Highly Sensitive Data (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal-use.