Home  |   Subscribe  |   Resources  |   Reprints  |   Writers' Guidelines

Winter 2023

Navigating Privacy and Compliance Post Dobbs
By Rebecca Herold
For The Record
Vol. 35 No. 1 P. 18

The Impacts on Organizations

In 1973, the US Supreme Court reached a 7-2 decision that the Due Process Clause of the 14th Amendment’s fundamental right to privacy protects a pregnant person’s right to an abortion. On June 24, 2022, in Dobbs v. Jackson Women’s Health Organization, the Court reversed that ruling by a vote of 6-3. Shockingly, this information was leaked ahead of the official decision.

As a result of this change, many US state and local laws were created restricting access to abortions and other reproductive health care activities. Many restrictions extend beyond state lines. Increasingly more people are traveling to states where abortion is still available, creating legal and privacy concerns for the doctors performing these procedures and anyone else involved. For example, people are being denied prescriptions, cancer patients are being refused treatments, and even those with arthritis and ulcers are being denied prescriptions linked to miscarriages by doctors and pharmacists, fearing their own legal ramifications linked to state abortion laws criminalizing reproductive health care activities. Health care workers and their families providing reproductive health care are being threatened and harassed, and more.

Impacts of Overturning Roe v. Wade
In 2020, maternal death rates were 62% higher in states that banned or restricted abortion than in those states where the procedure was still available.1 Since the Dobbs ruling, as of October 2, 2022, more than 20 million more women of childbearing age have lost access to abortion.2 To truly understand how this decision affects HIPAA compliance, it’s necessary to understand the ways in which the decision is more widely influencing society and, quite literally, the health and safety of individuals.

Since the recent Dobbs decision, there has also been a noticeable increase in tracking and surveillance activities regarding not only women’s health care but also data privacy and security issues that affect people of all genders. Whether it has been through apps, social media, or data related to phone use, surveillance has been utilized to target those who may be seeking abortions.

The use of “mobile geo-fencing” as a method of doing such targeting of women of childbearing age has also quickly become pervasive. A few days before I gave a webinar in late summer 2022, I went to my hair shop for a bang trim. While sitting in the barber chair I received an unsolicited message on my phone containing obvious reproductive health misinformation from one of the groups identified as using this tactic. I’d never gotten a message like that before or after; it fits the profile of the groups sending such messages to locations where young women are often located.

Even employers who provide apps that feature pregnancy tracking as part of their wellness benefits have been caught accessing the data from those apps, revealing intimate details of their employees’ personal lives.

Data brokers started selling data about women who had visited clinics soon after the Dobbs decision was leaked.3 Personal health and location data are being used to find and criminally charge those seeking abortions and the people who are helping them. There are increasing instances of coworkers, neighbors, friends, and family turning each other in. In at least one case, a warrant was even issued to obtain Facebook messages from a teenager who had sought an abortion.

New Challenges and Risks to Organizations
In addition to this creating a wide range of very real health risks, organizations based in states where options for reproductive health have been restricted have found that such restrictions can also actively hurt companies’ growth and abilities to keep employees. In response, many businesses have included travel benefits and health care procedure costs for employees to access abortions and other reproductive care services—and even restricted prescription drugs they need—elsewhere. Organizations are also monitoring women’s health activities to “catch” potential abortion seekers, while others are providing aid to those seeking abortions.

Workers are now asking, “What would my employer do if they were asked to turn over my personal data?” This question should spur an important discussion with human resources, law, IT, privacy, and cybersecurity areas about their protocols for addressing such situations, should they arise. Do they even have such protocols in place?

Other questions to ask include, “When was the last time relevant policies were updated?” and “What are the terms of use, privacy notices, and security policies of the programs and apps the company utilizes?” Organizations may be putting their employees, patients, and clients at risk through the actions of the apps vendors they are utilizing to support their business activities when the apps have data that could reveal possible reproductive health activities such as locations, health data, and even notes communicated through the apps.

HHS Guidance on HIPAA Compliance
In June 2022, the Health and Human Services (HHS) Office for Civil Rights issued guidance4 on HIPAA Privacy Rule requirements for individuals’ protected health information (PHI) relating to abortion and other sexual and reproductive health care. Here are the key points from the guidance to understand:

• Disclosures required by law. HIPAA allows, but does not require, covered entities (CEs) to disclose PHI about an individual without the individual’s authorization when such a disclosure is required by a law other than HIPAA. This permission to disclose PHI as “required by law” is limited to situations where court mandates, such as a warrant, have been issued. If a law exists that does not meet these HIPAA requirements, they are not considered to be permissible disclosures under HIPAA.

• Disclosures for Law Enforcement Purposes. HIPAA allows, but does not require, CEs to disclose PHI about an individual for law enforcement purposes under specific conditions. If law enforcement demands PHI, but they do not have the necessary court-ordered mandates, or they are not asking for specific PHI items for specific individuals for a specific reason, the CE can choose not to provide the information if it determines it is not in the best interest of its patient(s) or its organization, or if it does not meet HIPAA requirements for such disclosures.

Also, CEs can respond to a law enforcement request made through such legal processes as a court order or court-ordered warrant, or a subpoena or summons by disclosing only the requested PHI provided that all of the conditions specified in the Privacy Rule for permissible law enforcement disclosures are met. For example, if law enforcement asks for information about all individuals who are receiving or requesting reproductive health care, this would generally not meet the HIPAA requirements necessary to release PHI. Such requests should be clearly limited in scope and limited to described purposes for collecting specific data about the associated individuals and locations, for those who are victims of crime, for decedents, for crimes that occurred within CE facilities, or for emergencies created by committed crimes.

• Disclosures to Avert a Serious Threat to Health or Safety. HIPAA allows, but does not require, CEs to disclose PHI if necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat. HHS indicates it would be inconsistent with professional standards of ethical conduct to disclose PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care.

Organizations need to incorporate the actions described above into their own existing information disclosure policies and procedures or create new policies and procedures if they do not have them. See the full Office for Civil Rights guidance for more examples and details.

Actions to Meet the Related HIPAA Compliance Challenges
The previous considerations emphasize the importance of being prepared to answer employee questions, consider patient impacts, respond to personal data requests, and comply with HIPAA and other legal requirements. In addition to incorporating the new guidance into information disclosure policies and procedures, organizations should also be taking the following key actions to successfully meet these challenges:

• Updating or creating a policy and supporting procedures for the collection of data that is or could be related to reproductive health activities. Define “personal data” and “PHI” and/or the broader term “health data” as it applies to the organization. All workers with access to such information need to understand these definitions and handle those data accordingly.

Keep in mind that health data typically includes caregivers’ notes, audio of conversations with patients, transcripts, and telehealth videos that are within patient records. HIPAA requires CEs to protect the confidentiality of PHI. This includes such types of information about patients’ reproductive health, including information about abortions. So, this information is covered by HIPAA, and CEs, and any supporting business associates (BAs), are subsequently required to maintain the confidentiality of that information. However, in states where abortion is prohibited, hospitals may still face challenges or otherwise try to be compelled by local courts for such information that is associated with the terminology used within laws prohibiting or limiting abortions, as it may be considered illegal or controversial.

• Giving consideration to the HHS guidance, organizations are advised to omit or sparingly use politicized terms such as “abortion” within their patient notes treatment, payment, and operations activities. Consider using different terms, if possible, that do not include the terms used within the abortion restrictions laws,5 since including them could create complications if requests for records containing such specific terms could be included within warrants or other types of court orders.

• Updating or creating a policy and supporting procedures limiting data collection and retention to the minimum necessary to complete tasks and goals. This should also include procedures for deleting those data as soon as they are no longer necessary to support the original purposes for which they were collected and applicable legal requirements. The less health data that are collected and stored, the less data there are to safeguard.

• Updating or creating a policy and supporting procedures for establishing and maintaining documentation, such as within an inventory, indicating all the locations where these data are stored. Include not only locations within organization-owned computing and storage devices but also locations within contracted third parties (such as BAs) and within worker-owned devices. Organizations cannot protect PHI if they do not know where the data are located. They also cannot quickly obtain access to it to fulfill right of access requests for the associated data. This is necessary for all PHI, not just that associated with reproductive health.

• Implementing additional safeguards within health care providers. For example, a few such actions include strongly encrypting PHI in all storage locations and for all transmissions, being more vigilant in monitoring for and responding to potential HIPAA violations (particularly if they are located in states where abortion is prohibited), and ensuring strong security practices within BAs.

• Coordinating IT, privacy, and cybersecurity with human resources and other areas to identify where health data that includes reproductive health terminology, are collected, stored, and used. This could be for benefits such as wellness and fitness benefits programs; travel and lodging benefits programs; and other types of non–HIPAA-covered purposes. Ensure that such information within the human resources and other associated areas is handled in the same ways as previously described.

• Creating a centralized role to communicate with all outside entities requesting personal data. Creating such a centralized role should also be included for contracted third parties, such as BAs, with contractual directives to swiftly contact the associated organization whenever such requests are received. Having such a role will streamline and support consistency in handling these kinds of situations. Provide training to those in this role to ensure they understand the types of information that can be released and also that they have a strong understanding of the types of information that should not be publicly released. This role is often located in public relations and sometimes in legal. This role should work closely with the privacy, cybersecurity, and IT areas.

• Considering data protection and privacy state and international laws. This includes state laws such as the California Consumer Privacy Act and California Privacy Rights Act, Virginia Consumer Data Protection Act, Connecticut Data Privacy Act, and others, as well as those that are anticipated to be enacted in the coming year. Organizations should also consider data protection laws and regulations outside of the United States when putting employee benefits in place for reproductive health services, wellness services, and related services that require travel and lodging in other locations. Perform an evaluation of impacts of the European Union’s General Data Protection Regulation and other international regulations that exist where employees, contractors, interns, or others are located who will receive these benefits. It will require a review of the personal data that will be collected.

• Providing ongoing education, in the form of courses and awareness communications, to all staff with responsibilities for and/or access to all types of health data. Also, providing additional training to staff covering HIPAA compliance to ensure that information about abortions and other reproductive treatment, payment, and operations are appropriately protected. The education should be specific to this issue. Most organizations do not provide education that covers specific work activities such as these; they instead do the minimum necessary to, in their view, “check the training box.” This mindset is not only bad leadership but also a wasted opportunity.

If organizations are taking the time to give HIPAA security and privacy education, it multiplies the value of that investment to make it effective to relate specifically to the organization’s own work activities to not only meet the minimum requirement but also go beyond and actually provide education to prevent privacy breaches and compliance infractions. This is why education is required by HIPAA and other regulations to begin with; to have an educated and aware workforce who will then perform their work responsibilities in ways that prevent breaches and security incidents from happening in the first place. Regulators, auditors, boards, and experts would, and have, viewed the typical “checkmark” basic training as inadequate and unacceptable to meet HIPAA requirements. Not providing effective training specific to work responsibilities could also be viewed as a negligent business practice in lawsuits that could result from breaches and incidents.

This is not an exhaustive list. However, performing these actions will address the major issues involved with addressing the impacts of the Dobbs decision on HIPAA compliance while also revealing the additional actions that are necessary.

Take Actions Now to Avoid Noncompliance and Patient Harms
These key practices are strong starting points for businesses to ensure that they are mitigating risks, meeting associated compliance requirements, and providing benefits their employees find valuable and, in some locations, necessary.

Organizations that may be concerned about their obligations to disclose information concerning abortion or other reproductive health care should seek legal advice regarding their responsibilities under other federal and state laws.

As organizations are considering the details and specific data items, they need to also determine personal data beyond health care situations. For example, to determine whether how they are providing such new benefits for travel and lodging to other states for reproductive health services could be considered as being covered by those other legal requirements. And, very importantly, they need to determine if they have employee and other workers’ personal data within databases where student, patient, customer, consumer, and others’ personal data are also located, which could potentially be covered by a wide range of other legal requirements.

Organizations will need to evaluate the impacts of all the legal requirements for each of the associated locations where they have employees, contractors, interns, or others who will receive these benefits. It will require a review of the personal data that will be collected.

For more on this topic, you can view a related ISACA webinar at https://store.isaca.org/s/community-event?id=a334w000004yNgQAAU&blaid=3484607.

— Rebecca Herold is CEO of Privacy & Security Brainiacs SaaS Services, which she founded with her son Noah, and CEO of The Privacy Professor Consultancy she founded in 2004. None of the information within this article should be considered as legal opinion; only the lawyers representing their clients can provide that type of formal guidance.

 

References
1. Declercq E, Barnard-Mayers R, Zephyrin L, Johnson K. The U.S. maternal health divide: the limited maternal health services and worse outcomes of states proposing new abortion restrictions. Commonwealth Fund website. https://www.commonwealthfund.org/publications/issue-briefs/2022/dec/us-maternal-health-divide-limited-services-worse-outcomes. Published December 14, 2022.

2. Kirstein M, Dreweke J, Jones RK, Philbin J. 100 days post-Roe: at least 66 clinics across 15 US states have stopped offering abortion care. Guttmacher Institute website. https://www.guttmacher.org/2022/10/100-days-post-roe-least-66-clinics-across-15-us-states-have-stopped-offering-abortion-care. Published October 6, 2022.

3. Mitra D. Data brokers are collecting and selling data on pregnant women. TechStory website. https://techstory.in/data-brokers-are-collecting-and-selling-data-on-pregnant-women/. Published July 31, 2022.

4. HIPAA privacy rule and disclosures of information relating to reproductive health care. Health and Human Services website. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html. Updated June 29, 2022.

5. Treisman R. States with the toughest abortion laws have the weakest maternal supports, data shows. National Public Radio website. https://www.npr.org/2022/08/18/1111344810/abortion-ban-states-social-safety-net-health-outcomes#. Published August 18, 2022.