Sign in

Supreme Court ruling leads to new OCR guidance for patient privacy and PHI

By: Lisa Marlin

July 10, 2022

What now? It’s a question health care providers and the public continue to ask following the Supreme Court’s reversal in late June of Roe vs. Wade. Regardless of what side of the opinion one stands on, it is important to know its impact on patient privacy, and also a provider’s responsibilities around data protection.

What about patient privacy?

To help answer this, the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services (HHS) issued new guidance, the HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care, which can be found here. It is intended to help clarify how federal law and regulations protect individuals’ protected health information relating to sexual and reproductive healthcare.

The HHS agency reminded providers that they aren’t required to disclose private medical information to third parties. Furthermore, the OCR offered insight on maintaining data security while using health-information apps on cell phones and tablets. The OCR’s new guidance is meant to inform and protect patients seeking reproductive healthcare, as well as their providers.

What can be disclosed?

The guidance states that access to comprehensive reproductive health care services is essential to individual health and well-being, and that HIPAA’s Privacy Rule supports such access by giving individuals confidence that their protected health information (PHI), including information relating to health care, will be kept private.

The Privacy Rule establishes requirements with respect to the use, disclosure, and protection of PHI by covered entities (health plans, health care clearinghouses, and most health care providers) and, to some extent, by their business associates. These regulated entities can use or disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule.

However, the Privacy Rule permissions for disclosing PHI without an individual’s authorization for purposes not related to health care, such as disclosures to law enforcement officials, are narrowly tailored to protect the individual’s privacy and support their access to health services. This guidance addresses these types of permitted disclosures and their limitations.

What does all this mean?

It’s important to familiarize yourself with how the ruling affects patient privacy and PHI and reading through the OCR’s new guidance is a good step. But also reach out to the HIPAA experts at PrivaPlan. We’re here to answer questions and assist you in staying HIPAA compliant in all areas of patient data.