Reproductive Health Data Privacy – A Right To Life

Marisa Polowitz

Senior Editor

Loyola University Chicago School of Law, JD 2023

Following the Supreme Court decision to overturning Roe v. Wade on June 24, 2022, the Dobbs v. Jackson Women’s Health Organization ruling that gutted the long-established right to an abortion has been a constant focus, both inside and outside of the legal and healthcare communities. Notably, the ruling has remained a central focus within both the government, federal and state, and surrounding the tech sector. And these Dobbs-related conversations have a theme – the topic of health data privacy. But more specifically, discussions about data privacy surrounding reproductive healthcare.

The vocal groundswell of concern about reproductive health data following the Dobbs ruling was immense, and (given the lead time granted by the ruling’s leak), instantaneous. Fear surrounding the privacy and security of information relating to reproductive health and services exploded. But this concern isn’t new. People have been speaking out about this since long before the Dobbs opinion blasted American women’s right to bodily autonomy to pieces.

The HIPAA trap

For a long time, Americans would point to the Health Insurance Portability and Accountability Act (HIPAA) as evidence they could rest peacefully about how data related to their healthcare could be handled. But privacy has become an increasingly salient and nuanced issue, and a more insidious concern, in the (nearly 30) years since HIPAA was passed. While protecting a fairly broad range of information types, HIPAA only applies to a narrow set of organizations, in a narrow set of contexts, partaking in specific, healthcare-related business practices – that is how it was written and what it was designed to do.

In response to the Dobbs ruling, the Biden Administration issued an Executive Order mandating action for multiple agencies within the federal government for the protection of “Access to Reproductive Healthcare Services.” Including for the Secretary of Health and Human Services (HHS) to “consider actions to strengthen the protection of sensitive information related to reproductive healthcare services.” In April 2023, HHS announced proposed changes to the HIPAA Privacy Rule aimed at strengthening protection for reproductive care information, specifically citing its concern of individuals’ “eroding trust in the health care system” following the Supreme Court’s decision in Dobbs.

These proposed changes would restrict HIPAA Covered Entities’ (CEs) use and disclosure of some reproductive health care information. CEs would be prohibited from use or disclosure of protected health information (PHI) for criminal, civil, or administrative investigation into or proceedings against someone relating to “seeking, obtaining, providing, or facilitating” legal reproductive health care.

The HHS proposed changes to the HIPAA Privacy Rule will undoubtedly provide some shelter for those concerned about privacy when seeking reproductive services while residing in jurisdictions hostile to reproductive rights. That shelter is necessary. Following the ruling, many states where abortion is a protected right are experiencing a huge increase in numbers of people traveling to their states seeking abortions – after all, the interstate commerce clause still allows for Americans to travel freely across state lines for access to goods and services. Justice Brett Kavanaugh, author of a concurring opinion in the Dobbs ruling, explicitly stated that, in his opinion, a state attempting to bar a resident of that state from traveling outside the state for an abortion would be in violation of the constitutional right to interstate travel. But that doesn’t mean that states wouldn’t attempt to prosecute individuals for receiving services outlawed within their state, elsewhere. Nor does it mean that states won’t try to prosecute people providing those services to their state’s residents, even while in a jurisdiction where it’s legal.

In attempt to prevent situations exactly like those mentioned above, California, which aims to be an abortion “sanctuary state,” passed legislation prohibiting California-based companies from disclosing data for out of state abortion investigations. But for that to work, the company would need to clearly know what the investigation pertains to, and in some situations, what the information itself pertains to – which isn’t always clear.

With the incredibly robust addition of the recently enacted Washington privacy legislation – the My Health My Data Act – another patch has been added to the already over-patchworked state privacy landscape. The Act, which goes further than any existing consumer privacy laws in broadening the scope of “health data,” specifically aims to protect health-related data HIPAA fails to cover.

But at the end of the day, HIPAA will continue to apply to a narrow set of organizations, partaking in specific, healthcare-related business practices. And as we know, the American (and global) data privacy landscape looks starkly different, and notably more complex, than what anyone could have projected in 1996. What’s protected by HIPAA only scratches the surface of sensitive information, especially pertaining to our health and health care that is worthy of protection.

You’re on your own, folks

The Federal Trade Commission (FTC), also given marching orders in Biden’s July 2022, post-Dobbs Executive Order, launched a guide for how consumers can protect their personal data on their mobile devices. Another way to put the onus on individuals to protect themselves in a technological landscape the average person can barely comprehend.

Sure, it’s great that companies like Foursquare have made the choice to participate in initiatives designed to enhance protections around location data correlating to “Sensitive Points of Interest”. This is, undoubtedly, a huge step in the right direction for consumer privacy, and it should be celebrated. But this is just one company’s huge step. And while some companies may have consumer protection and privacy genuinely woven into their DNA, a lot do not. In large part, the ethos seems to lean towards profits over privacy. Do we want to keep letting them decide what of our information is worthy of protection and what is not?

It’s a right to life

In a post-Dobbs landscape where we lack meaningful, comprehensive, federal consumer privacy legislation, the protection of highly sensitive, non-HIPAA-covered information, data which is still very much health information, falls on the shoulders of individuals, on individual companies, and to state governments. And the burden it places on those most in need of protection and care is heavy, and for many, unachievable.

 

Maybe the confluence of too many, too varied, too disjointed pieces of the privacy puzzle will finally push lawmakers to protect our data like the inalienable right to life, liberty, and the pursuit of happiness depend on it – because it does.