{"id":498,"date":"2022-07-27T14:44:11","date_gmt":"2022-07-27T18:44:11","guid":{"rendered":"https:\/\/pbacyber.com\/?p=498"},"modified":"2022-07-27T14:47:22","modified_gmt":"2022-07-27T18:47:22","slug":"updated-dhhs-ocr-guidance-on-health-information-privacy-after-dobbs","status":"publish","type":"post","link":"https:\/\/pbacyber.com\/index.php\/2022\/07\/27\/updated-dhhs-ocr-guidance-on-health-information-privacy-after-dobbs\/","title":{"rendered":"Updated DHHS OCR Guidance on Health Information Privacy After Dobbs"},"content":{"rendered":"<p>Medical providers across the United States have been scrambling to make sense of their professional responsibilities and corresponding liability risks in the wake of the Supreme Court\u2019s ruling on <a href=\"https:\/\/www.supremecourt.gov\/opinions\/21pdf\/19-1392_6j37.pdf\"><em>Dobbs v. Jackson Women\u2019s Health Organization<\/em><\/a><em>. <\/em>As was <a href=\"https:\/\/pbacyber.com\/index.php\/2022\/06\/01\/a-post-roe-future-presents-heightened-data-privacy-risks-with-femtech\/\">discussed here previously<\/a>, the decision threatens to undermine the healthcare system as a whole, jeopardizing health information privacy by reducing trust between patients and their physicians and chilling both the communication of health issues and access to essential healthcare services.<\/p>\n<p>&nbsp;<\/p>\n<p>On June 29, 2022, the Department of Health and Human Services <a href=\"https:\/\/www.hhs.gov\/ocr\/index.html\">Office for Civil Rights<\/a> (OCR) issued new guidance to clarify how obligations under the Health Insurance Portability and Accountability Act (HIPAA) interact with, and prevail over, conflicting state laws that might circumvent, undermine, or otherwise attempt to weaken data privacy and security requirements for protected health information.<\/p>\n<p>&nbsp;<\/p>\n<p>In addition to offering <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/privacy\/guidance\/cell-phone-hipaa\/index.html\">guidance<\/a> 
for individuals to improve the privacy and security of health data outside of HIPAA\u2019s reach (such as health data managed by the individual on his\/her\/their smartphone), OCR issued <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/privacy\/guidance\/phi-reproductive-health\/index.html\">guidance<\/a> titled \u201cHIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care.\u201d In the guidance, OCR explained its interpretation of the HIPAA Privacy Rule and the exceptions that allow disclosures of PHI to occur without requiring the patient to first have an opportunity to consent or object if those disclosures are required by law (as defined by <a href=\"https:\/\/www.law.cornell.edu\/cfr\/text\/45\/164.103\">45 CFR 164.102<\/a>); if the disclosures are made for law enforcement purposes (<a href=\"https:\/\/www.law.cornell.edu\/cfr\/text\/45\/164.512\">45 CFR 164.512(f)<\/a>); and if the disclosures are made to \u201cavert a serious threat to health or safety\u201d (<a href=\"https:\/\/www.law.cornell.edu\/cfr\/text\/45\/164.512\">45 CFR 164.512(j)<\/a>). OCR emphasized that these exceptions to the HIPAA Privacy Rule are to be construed narrowly, offered example scenarios to illustrate its points, and underscored its commitment to enforcing the HIPAA Privacy Rule against covered entities and business associates that violate the federal law. OCR\u2019s key <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/privacy\/guidance\/phi-reproductive-health\/index.html\">message<\/a> is that covered entities can lawfully use or disclose protected health information \u201cwithout an individual\u2019s signed authorization, <em>only<\/em> as expressly permitted or required by the Privacy Rule.\u201d [bold emphasis and internal citations omitted]. Moreover, the guidance underscored that the HIPAA Privacy Rule allows but does not mandate disclosures when the conditions necessary for the applicable exceptions are present. 
The guidance is straightforward and, by itself, should not be the source of much controversy.<\/p>\n<p>&nbsp;<\/p>\n<p>That said, at the end, the guidance contains the following critical disclaimer, which deserves a bit of attention:<\/p>\n<p>&nbsp;<\/p>\n<p><em>The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing requirements under the law or the Departments\u2019 policies.<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>While guidance (whether a policy statement or interpretive rule) technically is considered \u201cnonbinding,\u201d it is generally not wise to deviate from the practices advised in agency guidance. Doing so could invite both individual complaints alleging violations and agency enforcement actions. For this reason, guidance has been described <a href=\"https:\/\/www.acus.gov\/recommendation\/agency-guidance-through-policy-statements\">by some<\/a> as having \u201cquasi-binding character.\u201d Governance by guidance\u2014as opposed to agencies\u2019 use of formal rulemaking under, e.g., the <a href=\"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2011-title5\/pdf\/USCODE-2011-title5-partI-chap5-subchapII.pdf\">Administrative Procedure Act<\/a>\u2014has long been the subject of debate by law scholars. Critics have argued that guidance is \u201ccoercive\u201d and undermines accountability, but supporters have countered that guidance enables agencies to provide clarity on the current interpretation of existing rules without requiring the agency to unnecessarily deplete agency resources for formal rulemaking involving notice and comment. 
As explained by <a href=\"https:\/\/www.everycrsreport.com\/files\/2021-04-19_LSB10591_9477746a9161f3ee6f2d127a70eb84cdcec6e4df.pdf\">a 2021 CRS Report<\/a>, ultimately Congress has powers to rescind agency guidance, require an agency to follow its own guidance and impose procedural requirements for issuing guidance to keep agencies \u201cin check.\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>Disputes over access to protected health information must be anticipated by attorneys representing healthcare providers and healthcare providing organizations. The recent OCR guidance highlights what HIPAA requires, which should help with institutional decisions on how best to preserve health information privacy given local sociopolitical circumstances and how best to resist or respond to requests by law enforcement or others for health information. Nevertheless, it remains to be seen whether courts adjudicating disputes will find that the HIPAA Privacy Rule successfully shields patients\u2019 protected health information from disclosure to law enforcement even in such states where forced birth laws have taken effect to target licensed healthcare professionals for providing medical services pursuant to prevailing standards of care.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also is Assistant Professor of Law, Policy and Engineering at the Pennsylvania State University. 
She has been a member of the PBA Cybersecurity &amp; Data Privacy Committee since 2018, is a former contributing editor of the Genomics Law Report and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law &amp; Biosciences; Journal of Law, Medicine, &amp; Ethics; Albany Law Journal of Science &amp; Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Science; Nature Communications; Nature Medicine; American Journal of Human Genetics; Human Genetics and Genomics Advances; Genetics in Medicine; and PLOS Genetics. She served as a AAAS Congressional Fellow in a U.S. Senator\u2019s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer. Views expressed are her own.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Medical providers across the United States have been scrambling to make sense of their professional responsibilities and corresponding liability risks in the wake of the Supreme Court\u2019s ruling on Dobbs v. Jackson Women\u2019s Health Organization. 
As was discussed here previously, the decision threatens to undermine the healthcare system as a whole, jeopardizing health information privacy <br \/><a class=\"read-more-button\" href=\"https:\/\/pbacyber.com\/index.php\/2022\/07\/27\/updated-dhhs-ocr-guidance-on-health-information-privacy-after-dobbs\/\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,4],"tags":[],"_links":{"self":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/498"}],"collection":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/comments?post=498"}],"version-history":[{"count":3,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/498\/revisions"}],"predecessor-version":[{"id":504,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/498\/revisions\/504"}],"wp:attachment":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/media?parent=498"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/categories?post=498"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/tags?post=498"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}