HIPAA’s new privacy rule, tracking technologies and social media
Last week, we referred to receiving emails exhorting us to sign up for an online medical platform, but didn’t name it. Now we will, because it’s part of an ongoing lawsuit regarding medical privacy, social media and smartphones, of course. It’s MyChart.
MyChart and a New York hospital system are now embroiled in litigation in New York. Plaintiffs’ allegations: The hospital system, through internet tracking technologies (aka MyChart), improperly disclosed their private health information to Facebook for monetary gain. The hospital system is being sued for HIPAA and Wiretap Act violations. A federal trial court has refused to grant the hospital’s motion to dismiss.
The lesson: You can perceive benefits to using MyChart and similar platforms—you can access doctors’ notes from a recent visit or the results of a lab test—but sometimes privacy becomes paramount. If you need to keep medical information private, don’t access online platforms.
Overview of HIPAA’s revised privacy rule
HIPAA has always required group health plans, medical providers and business associates to keep private patients’ personal health information. After Dobbs v. Jackson Women’s Health Organization, which reversed Roe v. Wade, some viewed HIPAA’s privacy provisions as insufficient to protect women’s reproductive health-care choices.
To close these so-called loopholes, the Department of Health and Human Services issued final regulations in April 2024 to update HIPAA’s privacy provisions as they apply to reproductive health care.
Group health plans and other HIPAA-covered entities must pay attention to the regs’ new prohibitions on disclosing employees’ PHI. HIPAA-covered entities are prohibited from disclosing patients’ protected health information for either:
- Conducting a criminal, civil or administrative investigation into or imposing criminal, civil or administrative liability on any person for seeking, obtaining, providing or facilitating reproductive health care, when the health care is lawful under the circumstances in which it is provided.
- Identifying any person for the purpose of conducting an investigation or imposing liability.
These two prohibitions apply if HIPAA-covered entities reasonably determine that one or more of the following conditions exists:
- The reproductive health care is lawful under the law of the state in which it’s provided.
- The reproductive health care is protected, required or authorized by federal law, including the Constitution, regardless of the state in which the health care is provided (e.g., contraceptive health care).
- The reproductive health care is provided by a person other than the HIPAA-covered entity that receives the request for PHI, and the person providing the care presumes the health care provided is legal.
Under this beefed-up privacy rule, HIPAA-covered entities’ disclosures for law enforcement purposes are limited to instances when they reasonably suspect a patient of obtaining reproductive health-care services—lawful or otherwise—if:
- The disclosure isn’t subject to the above prohibition.
- The disclosure is required by law.
- The disclosure meets all applicable conditions of HIPAA’s privacy-rule permission to use or disclose PHI, as required by law.
To tie this together, the PHI requestor must sign an attestation and present it to a group health plan or other HIPAA-covered entity. HHS publishes a model attestation form for this purpose.
The predictable lawsuit
Texas is suing to invalidate this rule and the original HIPAA privacy regulations, which date to 2000, as those regs relate to limiting disclosures to state investigators.
Crux of Texas’ argument: The HIPAA-covered entity determines if the reproductive health care it furnished was lawful, and not the state officials tasked with enforcing the law.
Does Texas have a legal leg to stand on? Maybe; it’s too early to tell.