In the wake of the Supreme Court’s decision in Dobbs to return to the States the right to regulate abortion services, and hearing the distant thunder of impending changes to the HIPAA Rules (as proposed in January of 2021), President Biden issued Executive Order 14076 (Order) requiring the Secretary of Health and Human Services (HHS) to submit a report (within 30 days) outlining possible actions to protect and expand access to abortion services (and the full range of reproductive services).
It’s apparent the battle lines are drawn between the newly created States’ right to regulate abortion and the administration’s efforts to use existing federal means to provide pregnancy care in the vacuum Dobbs created.
The Order also tasks the Attorney General and Secretary of Homeland Security to assess actions to ensure the safety of data within the healthcare system managed by the players who provide reproductive and related services.
Specifically, the Order asks key players to:
- shore up defenses to sensitive health data subject to the threat of sale and digital surveillance;
- use Federal Trade Commission services to protect privacy regarding reproductive services;
- review the HIPAA Rules and consider actions, according to these rules, to strengthen protections for health data and instill consumer confidence;
- formulate actions to educate consumers on how to best protect their health data; and
- address deceptive practices, including online schemes, related to reproductive services.
Such calls to action by this administration are (1) building a network of support and protection for systems supporting reproductive services, and (2) emphasizing the importance of comprehensive HIPAA practices by businesses who handle PHI: health care providers, health plans, employers who sponsor such plans, and business associates who serve plans, each who may be directly liable under certain HIPAA regulations for the protection of PHI.
Such obligations include requirements to assess threats to PHI and business systems that house PHI (including a risk analysis with attention to cybersecurity); creation and maintenance of plans, processes, and procedures to safeguard it; and education of the workforce.