Why HIPAA Doesn’t Always Protect Abortion Information

A journalist reports on a crowd of pro-abortion rights activists in front of the U.S. Supreme Court after the Dobbs v. Jackson Women’s Health Organization decision was announced on June 24, 2022 in Washington, D.C.

Nathan Howard | Getty Images

The decision of the Supreme Court overturned Roe v. Wade last month Concerns have been raised that data collected by technology companies and clinics could be used to prosecute people. who want to have an abortion or are experiencing a pregnancy loss.

Although the federal law known as Health Insurance Portability and Accountability Act, or HIPAAprotects patient privacy, health care providers may be forced to disclose patient data under special circumstances, such as a subpoena or court order.

There is also a lot of data that consumers create in their daily lives that would not be considered subject to HIPAA and could be used as evidence in court against people who allegedly sought abortions that violated state laws or against their providers. Lawyers point out that search history, text messages, location data, and period tracking apps could potentially be used in court and in some cases they already were.

Although some technology companies, such as Google and a menstrual tracking app Floannounced steps to better protect their users’ reproductive health data, the security of consumer data is largely dependent on the whims of the services they use, in the absence of federal digital privacy law.

However, some states, including California and Illinois, already have digital privacy laws in place that can help protect consumer data more broadly. Additional proposals at the state level are aimed, in particular, at protecting reproductive health data, such as Connecticut Reproductive Liberty Protection Act. This bill could help fill some of the gaps in HIPAA as lawmakers in Congress continue to push for national privacy protections.

Here is an overview of some of the current laws and proposals that could protect pregnancy information both online and offline.

Health Insurance Portability and Accountability Act (HIPAA)

What it does: HIPAA The Federal Patient Privacy Act, passed in 1996, prohibits health care providers and insurance companies from disclosing patient information. It is under the control of the Office of Civil Rights of the Department of Health and Human Services.

Generally, HIPAA does not allow abortion clinics or health care providers to disclose to law enforcement officials whether a person has had an abortion. If state law prohibits abortion but does not “expressly require” people to report it, an abortion clinic that discloses patient information to others would be in violation of HIPAA.

What information is not protected by HIPAA: HIPAA cannot address all privacy concerns related to reproductive rights. According to recent guidance published by HHSthe law allows an abortion clinic to disclose who performed an abortion in response to a court order or summons, which may become even more common in the post-Roe era.

HIPAA only applies to certain types of businesses and professionals. It can only regulate insurance companies, healthcare providers, clearinghouses and business partners.

HIPAA cannot protect certain patient information collected by anti-abortion organizations such as so-called crisis pregnancy centers that attempt to recruit and redirect abortion seekers. According to the agency, there are about 2,500 centers in the country. Crisis Pregnancy Center Mapproject led by scientists from the University of Georgia.

My body, my data

What would he do: My body, my data is a federal privacy proposal aimed at firms that collect reproductive health information. This will require companies to obtain user consent before collecting, storing or disclosing reproductive health data, except where the data is “strictly necessary” to provide the service or product requested by the user. It will also require companies to remove user information upon request. The Federal Trade Commission will have the power to enforce the rules.

What gaps will it fill? While HIPAA primarily covers health care providers, this bill aims to regulate technology companies and apps that collect reproductive health data.

Rep. Sarah Jacobs, D.C., co-sponsor of the bill, said Washington Post that in its current form, without such a law, “a right-wing non-profit organization [to] buy all this data from various period tracking apps “and pinpoint every user who should be pregnant right now but isn’t.”

How likely is it to pass? Jacobs appeared to admit in her interview with the Post that the bill is unlikely to become federal law, given Republican opposition to expanding abortion protection. But she says a federal bill can inspire and become a model for state action.

Health and Location Data Protection Act

What would he do: This federal billsubmitted by Sep. Elizabeth Warren, Massachusetts, and other Democrats will ban data brokers from selling location and health data in June.

The bill would give the FTC the power to enforce standards for the sale of health and location information. It will also give state attorneys general and individuals the power to file claims for alleged violations. The bill also promises $1 billion in funding for the FTC over the next decade to do its job, including enforcing this law.

What gaps will it fill? While My Body, My Data is primarily about health data collection, Warren’s bill focuses on regulating the sale of location data. The offer came after Weiss reported that data brokers such as SafeGraph sold location data of people who visited abortion clinics.

How likely is it to pass? The bill is likely to require some Republicans to have a chance of passing it, which is a difficult task given the party’s general resistance to expanding abortion protection.

State laws and proposals

Pennsylvania Pregnancy Information Protection Act

What would he do: This bill introduced in May by a Democratic MP. Mary Jo Dalywill prohibit so-called crisis pregnancy centers from disclosing the non-public health information they collect without explicit permission.

What gaps will it fill? Recent reports highlight the data risk associated with attending a crisis pregnancy center.. Some pregnant women seeking abortions do not realize that centers may not offer abortion services and instead try to discourage visitors from having abortions.

Federal lawmakers urged Google to make it more understandable to consumers that such centers, which often have websites similar to those of abortion clinics, do not offer abortions. Because these centers are often unlicensed and offer free services, they are not bound by federal health care privacy laws. Time is indicatedbased on conversations with privacy lawyers.

The Pennsylvania bill could make it difficult for these anti-abortion centers to disclose information that would otherwise fall into this unprotected area.

How effective would it be? The bill continues to allow clinics to disclose non-public health information without authorization if the clinic is required to comply with national, state or local laws, court orders, or investigations. This could potentially undermine the effectiveness of the protection.

Sanctuary State Laws and Proposals

What would they do: Bills of this type, passed or introduced in several Democratic stronghold states, would make it easier for pregnant women seeking abortions outside their own states to do so by protecting their information in so-called sanctuary states. This means that if a person in Texas is seeking a legal abortion, such as in Connecticut, it may be more difficult for Texas authorities to obtain information about the procedure.

The legislation differs slightly from state to state. Typically, these types of bills are designed to prevent certain agencies or health care providers in their states from sharing confidential reproductive health information with another state seeking to prosecute suspected abortion under its own laws.

What states do they have? Two such proposals, which have already been signed into law by Democratic governors, Connecticut Reproductive Liberty Protection Act as well as New Jersey Assembly Bill 3975 / Senate Bill 2633.

Similar bills have been introduced in California, Massachusetts as well as New York.

What gaps would they fill: As of July 7, nine states have already banned abortion, and four states may soon pass anti-abortion laws. Politico. Many people in these states may choose to receive abortion services in safe harbor states such as Connecticut while facing legal risks in their home states.

This means that this type of legislation can shield travelers from states that have banned abortion from the liability of obtaining such services in a state that has legal abortion services and enforces laws.

How effective will they be? While these laws will protect information about legal procedures that take place in states where they exist, patients who live in states with restrictive abortion laws should still be aware of where else their medical records may be kept.

“Imagine you are in Alabama, you come to Connecticut and have an abortion, and then you go to any other doctor in Alabama. Carly Zubzicki, professor of medical law at the University of Connecticut School of Law, Grant said.

In addition, some of the measures include certain exceptions that may allow the transfer of information. For example, New Jersey law allows exceptions under applicable court orders or in cases where child or elder abuse is suspected in good faith. But the latter states that reproductive health services that are legal in New Jersey should not be considered abuse.

WATCH: Bipartisan Lawmakers Discuss New Framework for Privacy Law