Rachel Woods: The conversations we've had about data privacy have really made me think again and again about a, let's say, relatively new challenge for the industry. And that's in the wake of last year's Dobbs decision.

Let me get specific here. I'm talking about the fact that consumer data can be used to help identify and ultimately prosecute patients and clinicians. Let me ask the most blunt question. We've been worried about this for a while. Do we have examples of this happening in the year since the Dobbs v. Jackson decision?

Ty Aderhold: Rae, we've seen multiple examples of this happening and in those examples there's been different pieces of consumer data that has been used to prosecute these patients. Some of the pieces of data we've seen used multiple times, a big one is geographic location. That's in most of these cases. And that's geographic location of the patient traveling to a clinic or traveling to receive care. We've also seen text messages used.

We've seen internet searches used. So multiple pieces around sort of what the patient is doing and searching and what they're saying in conversations in order to help make the case on the prosecution side.

Woods: And are those same data what is concerning on the clinician side for clinicians actually trying to deliver abortion care to patients?

Aderhold: So clinicians should be protected for, let's say, conversations with their patients. So if they're using secure messaging within their EHR to have a conversation with a patient, that would be protected under HIPAA. And also there is continuing guidance coming from the Biden administration around that being protected from any potential suits or any potential discovery in one of these cases.

But that's not to say that every sort of form of communication or everything that the patient is doing in regards to their health is protected. So while the clinician would be protected in that secure messaging scenario, the patient traveling to the clinic and that location data still could help prosecute the patient in that case.

Woods: And this brings us back to a conversation that we were having last week about what kinds of data is protected and what kinds of data is not protected. The example that I think most folks probably assumed that we would've started with in this conversation is the recent ruling against Flo, which is a period tracking app.

But, Ty, when you just mentioned common data sources, you use things that I wouldn't necessarily think of, even just the geolocation that's on in my phone if I have location services on. So help us understand what are consumers actually protected from and what is not protected.

Aderhold: So they are protected when they are giving information to what is considered a protected entity under HIPAA. This would be a provider or a health plan. And so if they are providing healthcare data to those entities, they are protected.

Where this gets tricky, and this is the case with Flo, is that just because something is helping them with a healthcare decision, doesn't necessarily mean it is a protected entity under HIPAA. So in the case of Flo, this is an app that certainly is involved in healthcare, but Flo is not a healthcare organization that falls under HIPAA and therefore that data is not protected.

And that's why it's so important to understand who owns the app, where the app is coming from, and the data protections around apps that you're using.

John League: There's another example of this that's related that I think is indicative of how, I guess the word I want to use is insidious, this ability to access data is. There's recently a report that several national suicide hotlines were actually sharing information with Meta, the owner of Facebook, about who was accessing services and connecting to helplines through suicide prevention networks. Now, I don't think this was an effort by Meta to gather this information, but it's one of those things where the organization who has the website is giving all of this utilization information to another entity. And anything that happens there winds up creating a data trail.

So you might think, hey, I am connecting through my phone on a phone call to someone who is going to provide assistance to me in this very vulnerable moment. But if you tap on a website's link that has that phone number on there, you are creating a record that appears in utilization data that you have used that phone number, and that is information that gets sent on down the line.

I think the idea that we have to trade our data for access to any of those sorts of services and interactions is one of the things that we are just now beginning to trip over in the information economy here in 2023.

Woods: And it's one of the reasons why we are seeing more action. Last week we talked about action from the FTC, but Ty even mentioned in passing that we know that the executive branch is at least attempting to step in on this issue.

A few months ago, the Biden administration actually issued some guidance on how everyday users can handle their data privacy post Dobbs. Can you remind our listeners of that guidance? And for you as researchers, what does it signal as the attitude moving forwards towards oversight?

Aderhold: Sure, Rae. So there were two parts to the guidance. The first was really directed towards clinicians and providers, and it reaffirmed the rules in HIPAA as well as FERPA, which for those who aren't familiar is the Family Education Rights and Privacy Act. And that's specifically aimed at colleges and other schools that provide healthcare as well. And so it affirmed when those organizations should and should not be cooperating with law enforcement and other things and the protections that it provides to those organizations as well as the protections around patient data and those protections. So that was part one. There's nothing really new there, that was just reaffirming sort of what was already in those rules.

The second part was directed at consumers and patients, and that piece was specifically guidance around how they can protect their data from potentially leading to a prosecution. And so the guidance there was, one, avoid using apps that aren't provided from a protected entities. So we talked about those protected entities earlier, their guidance is don't use those if possible.

Their other guidance was turn off your geolocation permissions on your phone. Go into your phone, and it actually lists how to do it on iPhone and Androids. They're providing explicit instructions in how to do this, but they end by saying, even if you go through all those steps, you're still going to have some geolocation data that goes to your service provider, your telecom service provider, that could be used in a potential prosecution.

So the last line of their recommendation is, when possible, we would recommend leaving your phone at home if you are trying to avoid being tracked in these scenarios. And so that is pretty stark guidance in 2023 to say, you know what? All we can really tell you to do if you're trying to avoid being tracked and this data not get out there is just leave your cell phone at home. And what that tells me is they're putting all of the sort of impetus to avoid some of this tracking and this consumer data getting out there on the patient themselves.

Woods: Which we said explicitly last week is far from fair, even though it feels like that is the option that's available.

Let's talk about the role of the people who are listening to this podcast, which are of course the health leaders, the stakeholders from providers to payer to life sciences companies and everything in between. What do you want to see them do to help protect patient data on behalf of pregnant people, and of course also for their clinical staff?

League: I think it's on the providers to be the advocate for the patient about the data. We wouldn't cede the position of informing patients about anything that was related to their healthcare to another organization. If plans and providers are really interested in caring for these patients, they have to give them all the information that they require.

And here, that relates to how their data can be related to their healthcare. That is a bar that we have not been ready for in a lot of ways. And I think that we need, as an industry, to share that burden with the patients.

Woods: And help me square that with the kind of trend that we've seen over the last few years of patients wanting to be more active in their health using digital tools and frankly our listeners embracing that.

I'm thinking the digital education that helps somebody prepare for a surgery that they're having, an app that helps somebody manage their type 2 diabetes, right? There are all of these examples that providers and payers in particular have embraced to help improve patient outcomes. And yet we have this example where we're saying, wait a minute, that's not only perhaps not going to be helpful, but it could even be dangerous for the patients that we serve.

Aderhold: Well, Rae, I think there is a path for digital tools to still be used in reproductive care. The path would be, one, have those tools be offered by covered entities under HIPAA, so the providers themselves not through third parties. And the second is those providers or payers need to make sure that they're not sending off patient data to a place like Meta.

Woods: And explicitly knowing whether or not they are doing that, because we talked about the fact that sometimes they don't even know that.

Aderhold: Right. But if those two things are true, so it's an app or website that is directly offered by the covered entity and they're not sharing data with third party, then everything will be protected under HIPAA and can't be prosecuted or discovered under lawsuit.

And so in those specific instances, you could still see a digital tool being useful. Again, there are limitations though, and that goes back to some of this geolocation data stuff. There's no good answer there at the end of the day for some of those things other than talking to patients about it.

Woods: I wonder if what we're saying then is that the stakeholder that has the most power to step in here is actually provider organizations. And if that's true, that immediately makes me nervous because I would not call them the most tech-savvy stakeholder that we work with.

League: The requirement for them is not unique. The technology and the capabilities require them to look in different places. But if you think about how a provider determines a course of treatment for a patient, one of the things that they always have to consider is what are the side effects? What is the downstream consequence of this treatment? This is a side effect of that treatment.

And when we speak about reproductive care and we talk about digital solutions, we have to be aware that this is one of those things that presents at the same time. Now, that's not great, and that is kind of a terrible place for us to be in maybe as a society, but this is where we are. And so we have to start with seeing the reality of the situation and responding in the best way we can. And I think to your point, Rae, about what do we do? This is what providers can do.

Aderhold: The other thing I'll add here, John, is the FTC and government regulators are really the place that can have the biggest impact here in changing this. If we continue to see the FTC acting aggressively to protect consumer data in healthcare, and not just healthcare data specifically, but trying to broaden some of the protections to cover more of this consumer data, that could also have a huge impact over the course of the next year. So it's almost a wait and see and let's see how aggressive the FTC continues to be.

Woods: Is there a role of a stakeholder that maybe we wouldn't have considered prior to the Dobbs ruling that we want to see some action here? I'm thinking specifically about the role of employers.

Aderhold: Employers were a big talking point right after the Dobbs ruling. A lot of them came out to talk about funding and helping their employees travel for out-of-state abortions. But now, a year later, I don't think we've heard a ton of employers actually doing this. There's not been a ton out there, certainly nothing that I've been hearing directly.

And so this is another stakeholder that I think could have an impact. There was certainly some discussion of is this the right thing for these employers to be taking these aggressive stances? Can they back it up? So far, I don't know if we necessarily have seen them be able to back it up. But I think there is still a role to play for those stakeholders if they choose to jump into this.

The Supreme Court overturned Roe v. Wade. Here are the biggest impacts on state laws on reproductive and abortion care that health leaders must navigate.