
OCR Issues HIPAA Guidance Post Dobbs – Privacy Protection




On June 29, the Department of Health and Human Services’
(HHS) Office for Civil Rights (OCR) released two new guidance
documents in response to President Biden and Secretary
Becerra’s call to HHS agencies to take actions to protect
access to sexual and reproductive health care. OCR’s guidance
addresses: (i) how federal law and regulations protect PHI relating
to sexual and reproductive health care; and (ii) the extent to
which private medical information is protected on personal cell
phones and tablets. Although the guidance does not make new law or
alter the existing HIPAA regulations in any way, it underscores
HIPAA’s fundamental premise that entities subject to HIPAA
cannot use or disclose patient protected health information (PHI)
without an individual’s signed authorization except as expressly
permitted or required by HIPAA’s Privacy Rule.

More specifically, the guidance addresses the narrowly tailored
exceptions for disclosing PHI without an individual’s
authorization for purposes not related to health care. It
underscores that, for disclosures required by law and for
disclosures for law enforcement purposes, the Privacy Rule permits
but does not require disclosure; that the law or law enforcement
request must contain or be accompanied by a court-enforceable
mandate to compel an entity to make a use or disclosure of PHI; and
that the disclosure must be limited to the relevant requirements of
the law or law enforcement request. Regulated entities are also
permitted, but again not required, to disclose PHI if the entity,
in good faith, believes the use or disclosure is necessary to
prevent or lessen a serious and imminent threat to the health or
safety of a person or the public, and the disclosure is to a person
or persons who are reasonably able to prevent or lessen the threat.
This would not include, in OCR’s opinion, making such a
disclosure of PHI to law enforcement or others regarding an
individual’s interest, intent, or prior experience with
abortion or other reproductive health care.

The second guidance document from OCR explains that generally,
HIPAA does not protect the privacy and security of
individuals’ medical information when it is accessed through
or stored on personal devices, unless using an app provided by a
HIPAA-regulated entity. This would include menstrual cycle
trackers, for example, and other health information apps. Thus, in
most cases, OCR explains that HIPAA does not protect the privacy of
data individuals download or enter into mobile apps for their
personal use.

Finally, the guidance explains that, although HIPAA does not
protect this information and the information that devices or apps
collect about individuals may be viewed or collected by other
entities, used by the device or app vendors to send specific ads,
or sold to a data broker, there are practical tips and steps
individuals can take to increase the privacy of their medical and
personal information collected and shared by a mobile device,
including best practices for selecting apps, browsers, and search
engines.

The guidance can be accessed at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html and https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
