Since the Supreme Court overturned the 1973 Roe v. Wade and 1992 Planned Parenthood v. Casey decisions, many advocates have raised concerns about vulnerabilities in reproductive health data, particularly those stored online—leading HHS to release new guidance on the HIPAA Privacy Rule for providers.
Is reproductive health data vulnerable after Roe's overturn?
Following Roe's overturn late last month, many reproductive health advocates have voiced concerns about the security of private health data, including those stored in period tracking apps, text messages, online search histories, and more.
According to Modern Healthcare, this information could potentially be used to prosecute people who seek an abortion, or even medical care after a miscarriage, as well as anyone who assists them. Currently, HIPAA only ensures the privacy of health data collected by covered entities, such as health plans, health care clearinghouses, and health care providers, leaving information collected by electronic devices and third-party apps or organizations unprotected.
"All of a sudden, people are waking up to the idea that there's a lot of sensitive data being collected outside of HIPAA and asking, 'What are we going to do?'" said Deven McGraw, the former deputy director for health information privacy at HHS' Office of Civil Rights. "It's been that way for a while, but now it's in sharper relief."
Some lawmakers have also recently called into question how large tech companies use private health data collected from their users. Last month, four Democratic lawmakers sent a letter to federal regulators asking them to investigate Apple and Google for allegedly deceiving millions of users by allowing their personal data to be collected and sold to third parties.
"Individuals seeking abortions and other reproductive healthcare will become particularly vulnerable to privacy harms, including through the collection and sharing of their location data," the lawmakers wrote. "Data brokers are already selling, licensing and sharing the location information of people that visit abortion providers to anyone with a credit card."
To help individual users protect their electronic health data, the digital civil liberties group Electronic Frontier Foundation encouraged people to pay attention to "privacy settings on the services they use, turn off location services on apps that don't need them, and use encrypted messaging services."
Organizations announce new efforts to protect data privacy
Some organizations have also taken steps to ensure their users' health data, particularly concerning reproductive care, is protected and cannot be used to identify them.
For example, Google last week announced that it plans to remove location data if its search engine identifies that an individual has visited an abortion center or other medical facility.
"Some of the places people visit — including medical facilities like counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics, cosmetic surgery clinics, and others — can be particularly personal," said Jen Fitzpatrick, an SVP at Google. According to Fitzpatrick, the update will go into effect "in the coming weeks."
Separately, Planned Parenthood said it removed marketing trackers, which share data with third-party companies, on its search pages about abortions "[o]ut of an abundance of caution" and that no protected health information has been breached. It also noted it has a separate tool for scheduling and confirming appointments that it says is HIPAA-compliant.
Some period tracking apps have also worked to assure their users that their health data is secure and protected. For example, Flo announced that it is developing an "anonymous mode," which will allow users to remove their name, email address, and other personal identifiers from their profiles.
"Flo will always stand up for the health of women, and this includes providing our users with full control over their data," said Susanne Schumacher, Flo's data protection officer. "Flo will never share or sell user data, and only collects data when we have a legal basis to do so and when our users have given their informed consent. Any data we do collect is fully encrypted, and this will never change."
HHS issues new HIPAA privacy guidelines
HHS recently issued new guidance around the HIPAA Privacy Rule regarding how and when private health information related to abortion and other reproductive care should be disclosed by health care providers.
Currently, health care providers are allowed to disclose a patient's medical information if it is needed to prevent or mitigate a "serious and imminent threat" to health or safety. However, HHS' new guidance says a patient's plan to obtain a legal abortion does not qualify as a threat.
"Therefore, such a disclosure would be impermissible and constitute a breach of unsecured [protected health information]," HHS wrote, adding that providers are advised against telling law enforcement about a patient's intention to receive an abortion unless a state law required such reporting.
According to HHS, disclosing such information to law enforcement is "inconsistent" with ethical standards set by medical groups, including the American Medical Association and the American College of Obstetricians and Gynecologists, and would compromise the "integrity of the patient-physician relationship."
Providers may only share medical data with law enforcement if required under state law or when responding to a court order or subpoena, HHS said, adding that only required medical data, not a patient's entire medical record, may be shared.
Aside from the new provider disclosure information, the guidance also includes best practices for individuals to protect their health data on their mobile devices and in apps, which are not covered by HIPAA. Some recommendations include turning off location services and choosing browsers and search engines with privacy safeguards.
"How you access health care should not make you a target for discrimination," said HHS Secretary Xavier Becerra. "HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information." In addition, Becerra encouraged individuals who believe their privacy has been violated to file a complaint with the Office of Civil Rights.
In addition to HHS' HIPAA guidance, President Joe Biden is also planning to send a letter to the Federal Trade Commission (FTC) asking the agency to protect individuals' privacy when they look for or disclose information related to reproductive care, Bloomberg reports.
In particular, the letter would ask FTC to prohibit unfair or deceptive practices related to the reporting, sharing, or selling of sensitive health information. According to a person familiar with the situation, the intent is to prevent companies from collecting and selling location data that could show where and when people are searching for or visiting abortion clinics. (Hunter, Washington Post, 6/30; Ornstein, ProPublica, 7/5; Kilpatrick, NPR, 6/30; Vakil, The Hill, 7/2; Cohen, Modern Healthcare, 6/30; AP/Modern Healthcare, 6/29; Mathews, Wall Street Journal, 6/29; Firth, MedPage Today, 6/30; Sorkin et al., New York Times, 6/30; Sink, Bloomberg, 6/29)