CIST Student Sandbox

IST 560: [Cybersecurity group]

This is a resource guide to federal information policy created by students in IST 560: Information & Public Policy, Spring 2024

Frequently Asked Questions

What is protected health information?

Legally, there are several categories of health information with different amounts of protection under the law. Individually identifiable health information (IIHI), as defined by HIPAA, is information that 1) is produced by a health care provider or similar entity, 2) relates to physical or mental health, and 3) either directly identifies an individual or could reasonably be used to do so (P.L. 104-191, 110 STAT. 2023). Protected health information (PHI) is a subset of IIHI that excludes employment records and records covered by the Family Educational Rights and Privacy Act (45 CFR 160.103), and it is protected by HIPAA.

Personal health records (PHR) are records that have multiple sources and which are largely maintained by consumers. Unlike PHI, these records are not produced by health care providers, health insurers, or health care clearinghouses. For example, a third-party application in which consumers track their menstrual cycles would qualify as a PHR. Although HIPAA does not protect PHRs, the Federal Trade Commission (FTC) does regulate the transmission of this type of data (Linebaugh & Liu, 2022).

When can information about someone's reproductive health be shared with members of law enforcement?

89 FR 32976, which goes into effect June 25, specifies that health information cannot be shared by a HIPAA-covered entity for the purpose of conducting a criminal, civil, or administrative investigation into lawful reproductive health care. Moreover, the rule requires that covered entities treat reproductive health care as lawful unless and until the requesting party has provided significant factual evidence to the contrary.

The above regulation applies only to HIPAA-protected information. Keep in mind, however, that reproductive health information can end up in the hands of businesses that are not health organizations or their business associates. While the FTC has stated that it is "committed" to enforcing health privacy regulations in situations that are not covered by HIPAA (Location, Health, and Other Sensitive Information, 2022), there is no single privacy standard in these cases.

What steps can someone take to protect their reproductive health information?

The Office of the National Coordinator for Health Information Technology has a fact sheet that walks through basic security practices, such as creating strong passwords, reading terms of service for mobile apps carefully, and limiting the amount of health information that you post on social media.

Additionally, lawyers who work on reproductive health information in particular advise consumers not to hand their mobile devices over to law enforcement. Law enforcement officials can bypass a warrant if they receive the implicit consent of the consumer (Klibanoff, 2022). Disabling location-sharing permissions for apps that do not require location data helps ensure those apps cannot track consumers' movements.