'All Options Are on the Table,' HHS Privacy Official Doubles Down on Data Protection
The HHS’s Office of Civil Rights is focusing on guidance and stakeholder coordination to enforce reproductive health data post Roe v. Wade.
The Office of Civil Rights within the U.S. Department of Health and Human Services is working alongside doctors, insurance agencies and other covered providers to strengthen patient privacy in the aftermath of the overturning of Roe v. Wade.
Speaking with Nextgov, OCR Director Melanie Fontes Rainer discussed the agency’s ongoing work to ensure reproductive health data is protected, as concerns mount over that data potentially being used by law enforcement to prosecute individuals seeking an abortion.
Reiterating HHS Secretary Xavier Bercerra’s earlier comments following the new abortion ruling, Fontes Rainer said that “all options are on the table” surrounding how the federal government aims to protect patient data privacy.
“The Office for Civil Rights is continuing to engage with providers and our colleagues across the department to better understand the challenges in this moment and the needs,” she said. “It's a critical time for our nation's federal civil rights and privacy laws, because…we have people in these states and doctors in these states and providers that, for these federal civil rights and privacy laws, give a voice, and allow the federal government to try to help.”
Fontes Rainer noted that existing regulations, namely the Health Insurance Portability and Accountability Act, support protecting sensitive health data disclosure from law enforcement and other third party entities. However, HIPAA rules do not cover all areas where that data can be stored.
“HIPAA rules generally did not protect privacy or security of individuals’ health information when it's accessed or stored on personal cell phones and tablets,” she said. In light of this loophole, Fontes Rainer pointed to recent guidance her office wrote surrounding applicable HIPAA protections to reproductive information and data stored on mobile devices.
This gap in protection is critical; many users store health data, such as menstrual cycle information, in digital apps. Most mobile device apps also store location and geographical data as well as search histories.
“I think those are really important points,” she said.
Fontes Rainer added that in addition to talking to stakeholders in the healthcare space, the OCR is also working with other federal regulatory agencies, specifically with the Office of the National Coordinator, congressional and local lawmakers, and trade associations to understand the new privacy threat landscape to healthcare information and subsequently strengthen protections.
“I think we're all in this sort of new reality where there's a lot of confusion. People are scared,” she said. “And so yes, of course we're having conversations with folks across the country, you know, stakeholders period, but specifically law enforcement as well.”
According to Fontes Rainer, her office is examining what more is needed to provide the “strongest path forward to protecting access to healthcare and health information privacy.”
Some specific initiatives her office and other regulatory agencies can take include more guidance documents related to common federal law questions and potential new policy options. Prior to the recent Supreme Court rulings that have enabled legal limitations to abortion access, the OCR worked to communicate with local law enforcement bodies on how reproductive data can be used within existing legal parameters.
“This is a[n] issue where it is cross cutting and it makes a lot of sense to make sure folks are communicating and coordinating,” Fontes Rainer said. “I think it's always helpful to communicate what we're seeing on the ground and to be consistent in how we think about privacy, so that we're not making things harder for providers, or covered entities or patients.”
As the protected health data landscape grows to encompass not only reproductive health care information but other sensitive protected health information, Fontes Rainer said that her office will focus on federal civil rights laws independent of individual state data privacy and health care laws.
“My job—our job—at HHS, is to protect protected health information and how can we make sure that HIPAA today and HIPAA tomorrow continue to be the full force of protecting that privacy no matter what is happening in a legal landscape or what is happening in the courts,” she said.