On June 29, 2022, the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) issued two pieces of guidance clarifying how the Health Insurance Portability and Accountability Act (“HIPAA”) applies to the privacy of information connected to an individual’s reproductive health.

Through this guidance, HIPAA addresses both protected health information (“PHI”), which is subject to HIPAA’s rules, and general personal information that is not directly protected by HIPAA.

Guidance on disclosure without authorization

The first guidance document, titled “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care”, focuses on circumstances that could arise in states where abortion has been prohibited and in which HIPAA’s Privacy Rule permits (but does not necessarily mandate) disclosure of PHI without an individual’s authorization.

OCR confirms that disclosures for purposes not related to health care are permitted only in narrow circumstances and are nonetheless designed to protect the individual’s privacy and support their access to health care. Two such circumstances include disclosures for law enforcement purposes (under 45 CFR § 164.512(f)) and disclosures to avert a serious threat to health or safety (under 45 CFR § 164.512(j)). In this document, OCR provides interpretive guidance addressing instances in which health care providers seek to disclose – or law enforcement officials request – information about an individual’s past or anticipated abortion.

One of the examples given explains that a breach would occur if a reproductive health care clinic disclosed PHI in response to a request by a law enforcement official when that request is not supported by a court order.

Guidance on use of mobile health technology

The second guidance document, titled “Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet”, seeks to provide general privacy tips to individuals who may have information on mobile devices pertaining to their reproductive health.

OCR admits that HIPAA’s rules “generally do not protect the privacy or security of [an individual’s] health information when it is accessed through or stored on your personal cell phones or tablets”, as the rules only apply when information is properly categorized as PHI and is created, received, maintained, or transmitted by a covered entity or its business associate(s). OCR’s intent in publishing this guidance, however, is to provide general tips on how to limit the personal information (including information identifying your location) that can be viewed by or provided to others.