Senators want stricter rules to protect privacy of patients seeking abortion services

The Dobbs v. Jackson Women’s Health Organization ruling overturning the nearly 50-year precedent of Roe v. Wade and South Carolina Republican Sen. Lindsey Graham’s introduction of a federal abortion ban bill  both ushered in new legal concerns about the long-sensitive subject of health data privacy. 

While the federal government clarified that Health Insurance Portability and Accountability Act (HIPAA) trumps any state laws regarding abortion health, some limitations and loopholes allow facilities to obtain – and share – private health information from those seeking reproductive and sexual health care.

“It only applies to what the statute calls ‘covered entities,’ so your health care provider is a covered entity,” said David Orentlicher, Judge Jack and Lulu Lehman law professor at UNLV’s Boyd School of Law and director of the UNLV Health Law Program.

Other covered entities include insurance companies and health care companies that store data for providers.

Shortly after Graham introduced a federal abortion ban bill, Nevada Democratic Sen. Jacky Rosen joined 29 of her Senate colleagues and sent a letter to the U.S. Department of Health and Human Services (HHS) urging stricter rules to protect abortion patients.

“In particular, HHS should update the HIPAA Privacy Rule to broadly restrict regulated entities from sharing individuals’ reproductive health information without explicit consent, particularly for law enforcement, civil, or criminal proceedings premised on the provision of abortion care,” the senators wrote.

The letter calls on HHS to focus on compliance and enforcement activity for reproductive health, as well as education of patients’ rights under HIPAA, including what information can be shared without a patient’s consent, how to file complaints with HHS, and more thorough education of health care personnel of what legal compliance with HIPAA looks like.

Sites like Facebook or Google (and Google Maps, which routinely routes people to anti-abortion clinics), period tracking and other health apps, and religious nonprofits, such as Crisis Pregnancy Centers (CPC) that do not operate as health clinics, are all not subjected to HIPAA and can sell any personal health information to advertisers or turn them over to government authorities.

“If you post things on Facebook or do Google searches related to health, that is not covered,” said Sharona Hoffman, a professor of law & bioethics at Case Western Reserve University School of Law.

Loopholes exist in HIPAA for law enforcement given that they go through the proper legal channels like getting a subpoena, she said.

Currently, people who give birth can not be prosecuted for leaving their state to seek abortion services in other states, but health care providers in states with stricter anti-abortion laws, including Texas, Utah, Idaho and Arizona, are subjected to prosecution for performing abortions, Hoffman said. 

“Information can be disclosed, despite HIPAA, making them more vulnerable to providing services that up until now they’ve been willing to provide. The Dobbs decision puts healthcare providers in a terrible place where they have to consider the welfare of the patient against their own,” she said.

Facebook collects personal information about abortion seekers and allows anti-abortion organizations, like CPCs, to use that data to target and influence people, while period tracking apps can sell an individual’s data, including when they menstruated last, according to a report by the charity Privacy International.

The report notes that CPCs regularly collect peoples’ information from social media, including name, address, email address, ethnicity, marital status, living arrangement, education, income source, alcohol, cigarette, and drug intake, medications and medical history including sexually transmitted disease history, pregnancy symptoms, pregnancy history, medical testing information, and even ultrasound photos. Because the data is mined from social media and other sources that aren’t HIPAA regulated entities, it is excluded from HIPAA protections. 

There are at least seven CPCs in Nevada, with at least two in Las Vegas.

CPCs use geo-fencing technology which can tag and target anti-abortion ads to the phones of people inside reproductive health clinics, deploy online chat services that share information with major anti-abortion organizations, and create apps that store vast data about an individual’s menstrual cycles while spreading doubt about the effectiveness of birth control and using targeted social media ads that promote health misinformation, according to the report.

HIPAA privacy protection is a 21st century development. The HHS initially finalized HIPAA privacy regulations in 2001, with a compliance date for health care providers by 2003. The HIPAA security rule that requires health providers to protect health data went into effect in 2005.

Before that, there was no law protecting health information.

“That was fairly new and a huge deal,” Hoffman said. “We are way behind other countries.”

Rosen did not respond to multiple requests for an interview on the impact stricter HIPAA regulations would have on CPCs specifically.

Last year, Democratic U.S. Sen. Catherine Cortez Masto introduced the DATA Privacy Act, which aims to protect a consumer privacy but would also protect the information of those seeking abortion and reproductive health care from being shared. Companion legislation has been introduced in the House. No hearings have been held on either bill as yet.

While 110 House Democrats, including Nevada’s Dina Titus, Susie Lee and Steven Horsford,  co-sponsored the My Body, My Data Act, neither Nevada senator sponsored the  companion bill.

The bill was introduced shortly after the Dobbs ruling and would limit nonprofit organizations, commercial entities and individuals from collecting, retaining and using personal reproductive and sexual health information without written consent of the individual, or is strictly necessary to provide a requested service.

The bill would not apply to entities covered by HIPAA or the disclosure of health information for the publication of newsworthy information that warrants public concern.

Neither the Senate nor the House version has been scheduled for a hearing.