Protecting Health Information Post Roe Part 1: Steps For Women – Privacy Protection | #itsecurity | #infosec


In the wake of the Supreme Court’s ruling in Dobbs vs. Jackson Women’s Health
Organization
, much has been written about how existing
privacy laws, such as the Health Insurance Portability and
Accountability Act (“HIPAA”), are unhelpful to women
because of provisions that permit the sharing of health information
(called “protected health information” or “PHI”
under HIPAA) with state regulatory authorities seeking to enforce
abortion prohibitions. For example, HIPAA permits health care
providers to disclose health information when required by law, such
as state-mandated abortion reporting laws, or for purposes of law
enforcement, such as in response to a warrant, subpoena or
summons.

However, HIPAA has other provisions, including enumerated
patient rights, that are potentially helpful to women seeking to
protect their reproductive health information. There are also state
laws and practical strategies that women can use to protect their
privacy. In the first of this two-part blog post series, we will
highlight legal rights and practical strategies that women can use
to protect their own information. In a second installment, we will
highlight strategies that health care providers can use to protect
their patients’ information post Roe.

OCR Guidance

The Department of Health and Human Services Office for Civil
Rights (“OCR”) recently posted a guidance document (the “Guidance”)
on how HIPAA supports women’s efforts to keep their
reproductive health information private. The Guidance discusses the
scope of HIPAA’s exceptions for disclosures required by law and
law enforcement and highlights the important point that health care
providers may only disclose health information to regulatory or law
enforcement authorities when it is required by law. If a
state law does not mandate reporting, any disclosure of a
woman’s health information under that law would potentially
violate HIPAA and provide the basis for a complaint to OCR by the
affected patient.

Accounting Right

How would a patient know if her information was used or
disclosed by a health care provider in response to a government
request? HIPAA gives patients a right to an accounting of
disclosures of their PHI. An accounting is a notice that tells a
patient how her health information has been used or shared for
certain purposes. For example, if a health care provider shares
records with a public health authority for public health
surveillance activities, all records shared with the public health
authority have been “disclosed” for purposes of HIPAA. If
the patient requests an accounting, the provider must provide the
identity and address if known, of the public health authority to
which the records were disclosed, a description of the records and
the PHI disclosed, the purpose for the disclosure and when access
was provided. The accounting right will not help a patient to
prevent a disclosure, but it could at least alert a patient to the
fact that a disclosure has occurred and would allow the patient to
independently evaluate the validity of the disclosure.

Right to Request Restrictions

Patients have the right under HIPAA to request restrictions on
how a health care provider uses or discloses their PHI. For
example, a patient may request that a covered entity restrict uses
and disclosures of PHI to treatment, payment or the provider’s
healthcare operations (which are uses necessary to run the
provider’s business). A patient may also request special
privacy protections, for example, a patient can prohibit the
disclosure of PHI to family members or request the provider to use
an alternative mailing address or PO box for treatment-related
communications. Under HIPAA, providers must allow patients to
request restrictions, however, providers aren’t required to
grant requested restrictions. There is one exception: if a woman
pays for a reproductive health care visit, a prescription (or any
health care for that matter) out-of-pocket in full and requests
that the health care provider or pharmacist not share information
about that visit with her health plan, the provider and pharmacist
must agree to that restriction. This HIPAA provision doesn’t
fully insulate reproductive health information, but it narrows the
universe of authorized recipients, reduces the potential for
re-disclosure and reduces the number of places where regulatory
authorities can gather information about a woman’s reproductive
health.

All of the rights described above must be addressed in a health
care provider’s HIPAA Notice of Privacy Practices. These
notices are provided to patients on their initial visit to a health
care provider, they must be posted on the walls of a provider’s
facility and must also be available upon request and on the website
of any provider with a website. Finally, patients have the right to
complain to OCR if any of the above patient rights requests are
ignored or denied, or if a patient believes that her health
information has been used or disclosed in a way that is not
permitted under HIPAA. Patients can file a complaint with OCR OCR will follow up,
but there is no right for patients to sue for damages (called a
“private right of action”) under HIPAA.

State Law Protections

There may be additional protections available under different
types of state laws, including private rights of action for
unauthorized disclosure as data breaches or consumer protection
actions. These will likely be tested in states with abortion bans,
but let’s look at the present state of the laws in those states
with trigger bans. Of the states where abortion is currently banned
or mostly banned, or will be banned imminently under trigger laws,
only a handful include health information as “personal
information” under state data breach notification statutes,
and there are limitations to their applicability. In order to be
considered a “breach” under state data breach
notification laws, there must be unauthorized access to or
acquisition of personal information. In all of the states where
abortion is banned or will be banned imminently, the data breach
notification laws are only triggered by “acquisition” of
the personal/health information; in other words, someone actually
has to take it.

The chart below outlines what possible additional protections
may be available.
















State

Health Information Included in state breach notification
statute?

Private Right of Action?

Rules for Responding to Subpoenas?

Alabama

Yes

No

Subpoena must be HIPAA-compliant

Arkansas

Yes

No

Must notify patient (or patient’s attorney) by writing or
fax

Idaho

No

No

None beyond HIPAA

Kentucky

No

No

None beyond HIPAA

Louisiana

No

Yes (but since health information is not included in state
statute, irrelevant)

Subpoenaed provider must receive affidavit that subpoena is for
records of party to litigation and notice has been mailed to
affected patient 7 days before issuance

Missouri

Yes

No

None beyond HIPAA

North Dakota

Yes

No

None beyond HIPAA

Ohio

No

No

None beyond HIPAA

Oklahoma

No

No

None beyond HIPAA

South Dakota

Yes

No

None beyond HIPAA

Tennessee

No

Yes (but since health information is not included in state
statute, irrelevant)

None beyond HIPAA

Texas

Yes

Yes

Patient must be party to judicial proceeding and disclosure is
pursuant to subpoena issued under (1) TX Rules of Civil or Criminal
Procedure; or (2) Chapter 121 of the TX Civil Practice and Remedies
Code, Safety Code, or Occupational Code

Utah

No

No

None beyond HIPAA

Wyoming

Yes

No

None beyond HIPAA

Practical Measures to Take

The world has changed in the 50 years since Roe v.
Wade
. Now, we all have vast “digital footprints”
created from things such as our Internet search and surfing habits,
information we share with apps, location data collected by our
tablets and smartphones (even when we are unaware of such
collection…). There is a concern about the ability of these
digital footprints to be used against women in an attempt to
enforce criminal penalties in abortion ban states.

We cannot disappear from the digital world. But, there are some
practical measures that you can take to protect this sensitive
information.

  • Limit sharing of location data. You can turn off the location
    services on your smartphone or tablet. This will limit access to
    your activities, your location, and where you travel. On either an
    Apple or Android device, location services can be found in
    Settings/Privacy. You have the option to turn off all access to
    Location Services, or you can go through your apps and select those
    for which you want to turn off access to location data. While
    you’re doing that, you can clean up unwanted apps on your
    device, clear the history and data stored in those apps, and only
    add apps that you trust. Also, when an app or website asks
    permission to access location data, you should opt out. Unless you
    are using a navigation or traffic app, most apps and websites do
    not need your location data. Avoid “free” apps: remember,
    if you’re not paying for the “service,” you are the
    service.

Information from Apple regarding the privacy of your data on
Apple devices is available at: https://www.apple.com/privacy/control.
Information regarding the privacy of your data on Android devices
is available at: https://www.android.com/safety.

  • Consider using a burner phone. If you have to arrange for
    services or travel, use a burner phone. If you use a personal
    device, any communications you send and receive (texts, calls in
    and calls out, email) are stored and can be tracked.

  • Use a public computer for web searches. If you use a common
    search engine like Google, Yahoo!, or Bing, your search history may
    be associated with your IP address and can be obtained by law
    enforcement from the service provider. If you need to search for
    banned services, use a computer at a public library or other
    space.

  • Alternatively, use a private search engine. There are search
    engines like DuckDuckGo that do not track your search
    history.

  • Don’t forget your smart watches or fitness trackers. These
    devices also collect or store information about your location, and
    fitness trackers may also contain information about menstrual
    cycles or other health-related information.

On Friday of last week, Google announced that it will delete location
data after people visit abortion clinics, domestic violence
shelters, and other sensitive locations. According to Google, the
update will “take effect in the coming weeks.”
Additionally, the company will add a feature for users to delete
multiple menstruation logs at once on Google Fit and Fitbit apps.
The Google announcement says nothing, however, about history of
search results.

The New York Times has published an informative
article on how mere deletion of period-tracking apps may not be
sufficient (article is behind paywall).

There are other resources out there that you should review to
help reduce your digital footprint and to protect your own medical
privacy.

Guidance from the Department of Health and
Human Services

Guidance from the Federal Trade Commission on
how to protect your phone and the data on it

How to Limit Location Data Exposure –
National Security Agency

Consumer Guidance from the Federal
Communications Commission – phone and cable records

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.



Original Source link

Leave a Reply

Your email address will not be published.

nineteen − = ten