Getty Images/iStockphoto
How Healthcare is Tackling Patient Privacy in a Post-Roe World
The Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization will require providers, regulators, and tech companies to rethink patient privacy.
The Supreme Court’s recent decision on Dobbs v. Jackson Women’s Health Organization, which struck down both Roe v. Wade and Planned Parenthood v. Casey, put a person’s right to abortion under the jurisdiction of individual states.
The decision means that access to safe abortions will be limited or banned in certain states, but legal in others. It also means that patient privacy, protected by HIPAA and a patchwork of state laws, could be at risk.
“The world has changed pretty substantially,” Lucia Savage, chief privacy and regulatory Officer at Omada Health and former chief privacy officer at HHS, told HealthITSecurity. “In the ‘70s, the last time that this was an issue, we didn't have giant databases full of people's digital exhaust.”
The rising popularity of period-tracking and other health apps, HIPAA’s limitations, and law enforcement’s increasing interest in who is obtaining abortions and where all have the potential to jeopardize patient privacy.
Against this backdrop, providers must grapple with providing quality care while weighing legal risks and safeguarding protected health information (PHI). Regulators have to clarify privacy provisions within state and federal laws and crack down on tech companies that collect sensitive data. Health app developers and tech companies will have to employ enhanced data privacy protections or stop collecting and storing sensitive data altogether to gain consumer trust and avoid enforcement actions.
Patient privacy has long been a priority for the healthcare sector, but the Dobbs decision further accentuated gaps in patient privacy efforts and introduced higher stakes and a host of new risks associated with PHI.
Providers Must Navigate HIPAA Complexities, Ethical Obligations
Amid these complexities, providers are tasked with the responsibility of providing quality care while navigating legal and ethical duties in a new way.
“Licensed medical professionals have HIPAA, ethical obligations, and state medical confidentiality laws that apply personally to them,” Savage noted. “And of course, they are going to be thinking about their Hippocratic Oath.”
Providers everywhere are facing legal confusion over what might happen if they provide abortion services to patients. Could prosecutors find providers in violation of the law if they provide an abortion to someone whose life may be at risk without it? What about cases of incest and rape? In what instances, if any, do providers have to disclose PHI about patients who obtained abortion services to law enforcement?
These questions were answered in part by the HHS Office for Civil Rights (OCR), which outlined permitted uses and disclosures of PHI in a guidance document issued days after the Supreme Court announced its decision.
The guidance dissected specific scenarios and how they might unfold under HIPAA. For example, OCR depicted a hypothetical situation in which an individual went to the hospital with complications related to miscarriage during the tenth week of pregnancy, and a hospital worker suspected the individual of taking medication to terminate their pregnancy.
In this scenario, state law prohibited abortion after six weeks but did not mandate that the hospital report individuals to law enforcement. Would the hospital worker be allowed to tell law enforcement officials about the case?
“Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the ‘required by law’ permission,” OCR explained.
“Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.”
Interactions involving PHI requests directly from law enforcement introduce more complications. If a law enforcement official went to a reproductive healthcare clinic and requested abortion records without a court order, the HIPAA Privacy Rule would not permit the clinic to disclose PHI. If the clinic did disclose PHI, it would be considered a breach.
However, if a law enforcement official arrived at the clinic with a court order requiring the clinic to produce PHI about an individual who has obtained an abortion, the rule would “permit but not require” the clinic to disclose PHI. Additionally, the clinic would only be permitted to disclose the PHI expressly authorized by the court order.
“Providers who may be concerned about their obligations to disclose information concerning abortion or other reproductive health care should seek legal advice regarding their responsibilities under other federal and state laws,” OCR concluded, leaving some questions unanswered.
The Ball is in HHS’ Court
The permissible nature of HIPAA means that providers will have to exercise individual discretion when making decisions about whether to disclose PHI to law enforcement. The developments further underscored the gray areas of HIPAA that have already been heavily scrutinized in the past.
When HIPAA was enacted more than 25 years ago, the ways in which PHI was collected, stored, transmitted, and secured were very different from today. As new developments in technology and data storage practices emerge, providers and patients alike are learning that HIPAA is not as all-encompassing as previously thought when it comes to patient privacy protections.
The Dobbs decision prompted two US Senators to write a letter to HHS asking it to consider updates to the HIPAA Privacy Rule to defend reproductive rights and patient privacy.
Additionally, in a recent executive order, President Biden directed HHS to “consider actions” under HIPAA and other statutes to “strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.”
The regulatory process is naturally slow, especially compared to the pace at which states are enacting bans or limitations on abortion care. Providers should keep an eye out for new guidance and regulations from HHS OCR while recognizing that updating a foundational health data privacy law will likely take a long time. In the meantime, providers and health systems should exercise caution and employ security and privacy measures to safeguard PHI.
“Any covered entity that has medical professionals in it has to look at the totality of its environment,” Savage emphasized.
“It has to look at HIPAA, it has to look at the state or states in which it's providing services, and it has to look at the licenses of the people that are working for it and how the states where those licenses are issued impact people's job requirements and what they can and can't do within their jobs.”
Providers may also want to encourage patients to minimize their digital footprint and avoid submitting sensitive medical information to untrusted third-party health apps.
“I think that this is a really important sentinel moment for organizations to be thinking about their security, because no matter what happens, the care you provide is going to be in your records. Are those records secure from people who want to cause your patients trouble?” Savage also noted.
Dobbs Decision Highlights Health App Privacy Concerns
Sensitive data held by providers and the organizations they work for is not the only information at risk post-Roe. The SCOTUS decision also highlighted the fragility of data privacy and security associated with tech companies and health apps.
“Protected health information” specifically applies to data possessed by HIPAA-covered entities. But there are troves of sensitive health data that do not fall under HIPAA’s purview. The rising popularity of third-party health apps that collect sensitive information outside of HIPAA is cause for concern, especially now that data relating to reproductive health could be used against individuals seeking abortions.
In a study published in JMIR mHealth and uHealth, researchers revealed that 87 percent of the 23 most popular women’s health apps shared user data with third parties, but only half actually requested consent from their users.
Additionally, 30 percent of the reviewed apps did not have a privacy policy available within the app. Nearly half of the 23 apps analyzed provided their services in more than one language, but their privacy policies were only available in English.
“Privacy policies and the type of language used in them pre-Dobbs decision may not have been clear, or individuals didn’t really read them,” Dori Cain, a partner at Faegre Drinker, said in an interview with HealthITSecurity.
“Now, we are seeing individuals calling out certain practices. It will really put a spotlight on these mobile apps.”
In addition to popular reproductive health apps, investigators have taken a renewed interest in big tech companies like Apple and Google, as well as data brokers that may have access to sensitive location and health information.
Tensions surrounding the improper collection and use of personal data triggered concern from lawmakers long before the Supreme Court’s decision, but Dobbs further raised the risk level associated with health data held by non-HIPAA-covered entities and highlighted the lack of privacy controls in many apps.
Lawmakers, FTC Probe Health Apps, Data Brokers, Tech Companies
Shortly after the decision was released in June, the FTC expressed its intentions to enforce against illegal consumer location and health data privacy practices in a blog post by Kristen Cohen, acting associate director of the FTC’s division of privacy and identity protection.
The post emphasized that the FTC “does not tolerate companies that over-collect, indefinitely retain, or misuse consumer data.”
“The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy,” the blog post stated.
“We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data. The FTC’s past enforcement actions provide a roadmap for firms seeking to comply with the law.”
Cain, who advises healthcare clients on incident response, cybersecurity, privacy, and compliance, predicted that the FTC would crack down on the data privacy of mobile apps in the coming months.
“You have a push for federal privacy law, a push to get HIPAA revised, and a push to get the FTC more involved, especially on the mobile application side,” Cain said in an interview with HealthITSecurity.
“For these entities collecting information, understanding what laws are applicable to them is going to be a big deal. It will really dictate how they can collect this information and what they can do with it.”
The FTC has already initiated allegations against a data marketing and analytics company, Kochava, over its location data privacy practices. The FTC alleged that the Kochava Collective, a mobile data marketplace that provides data feeds and audience targeting to marketers, could be used to identify individuals and track them to sensitive locations, including reproductive health clinics.
Kochava has since filed a lawsuit against the FTC, arguing that the commission’s allegations implied a misunderstanding of the company’s services. Kochava said that it does in fact collect latitude and longitude, IP addresses, and Mobile Advertising Identifiers (MAIDs) associated with consumer devices. However, the company does not receive the data elements until days after, nor does it link a specific location to the latitude and longitude, or identify the consumer associated with the MAID, the lawsuit stated.
Still, the complaint against Kochava and subsequent lawsuit exemplified the FTC’s commitment to going after what it deems to be improper data privacy practices.
Outside the FTC, lawmakers have been making similar moves to ensure privacy and security post-Roe. Days before the Dobbs decision, US Senators introduced the Health and Location Data Protection Act, which would ban data brokers from selling location and health data. The act would also give the FTC, state attorneys general, and any injured persons the ability to sue data brokers that violate the bill’s provisions and put $1 billion in funding into the hands of the FTC over the next decade to enforce the law.
In early June, 40 Congressional Democrats wrote a letter to Google asking it to stop collecting and retaining location information in anticipation of the ruling.
The lawmakers cited a multitude of concerns, including the fear that “Google’s current practice of collecting and retaining extensive records of cell phone location data will allow it to become a tool for far-right extremists looking to crack down on people seeking reproductive health care.”
In July, the House Committee on Oversight and Reform sent letters to five data brokers and five health apps as part of an investigation into their reproductive health data privacy practices.
In its letters to health apps, the committee cited growing concerns surrounding data privacy and the potential consequences of poor health app data privacy practices, which could put people at risk of “intrusive government surveillance,” along with “harassment, intimidation, and even violence.”
Companies Feel the Heat From Regulators, Adapt Privacy Practices
In response to questions and concerns from lawmakers, some tech companies, data brokers, and health apps have expressed their intentions to change their data privacy practices.
In July, Google announced plans to heighten its data privacy practices and committed to deleting location history when users visit abortion clinics, domestic violence shelters, fertility centers, weight loss clinics, addiction treatment centers, and other facilities.
Two data brokers that received letters from the House Committee on Oversight and Reform, SafeGraph and Placer.ai, agreed to permanently stop selling the location data of people who visit abortion clinics.
Flo, a leading reproductive health app, introduced an “anonymous mode” in which users could utilize the app without providing any personally identifiable information.
Even with these measures in place, health app developers and big tech companies still have a lot of work to do to protect sensitive health data.
“One of the biggest challenges post-Roe is that the range of people who want access to sensitive health and medical information has expanded significantly,” Natalie Campbell, director, community organizing and public advocacy at the Internet Society, told HealthITSecurity.
“Health app designers and companies should be aware that if you build it, they will come. That is, if you are collecting and holding on to sensitive information that can reveal a user’s location, search history, behavior, etc., people will want it.”
For the same reasons that Google agreed to stop collecting location data on people visiting abortion clinics, health app developers should exercise caution when collecting and storing sensitive data.
“With state anti-abortion laws coming into effect, law enforcement can get subpoenas to access this type of information and use it as evidence to prosecute people charged with getting an abortion or aiding and abetting people to get an abortion,” Campbell stated.
Providers have a clear obligation to protect patient privacy under HIPAA and for ethical reasons. But app developers and tech companies also have an obligation to protect consumers under the FTC Act and other statutes. An additional incentive is the fact that in post-Roe America, consumers are much more aware of data privacy risks and are now demanding transparency from tech companies.
“To protect themselves and their users, health app designers and companies should proactively use strong encryption to protect both data in transit and at rest, by default, and end-to-end encryption for messaging features,” Campbell advised.
“User-controlled encryption for data stored on a device can also help users protect their data from access by third parties.”
Campbell also suggested that developers adhere to privacy best practices by minimizing what sensitive data is collected and stored, empowering users to learn what information is shared with third parties, and pushing back on law enforcement requests to access sensitive information.
The AMA has numerous resources surrounding privacy best practices, including a guidance document that presents a case for “privacy by design” in app development.
Providers also play a role, as exemplified by Pew research that showed that 90 percent of survey respondents preferred health apps pre-approved by their physicians.
“Accordingly, there is an opportunity for physicians to place patient privacy at the center of this discussion and for app makers to distinguish their products from the competition by ensuring their products prioritize privacy,” the AMA’s guidance stated.
Looking forward, providers, regulators, and tech companies all have their fair share of challenges when it comes to ensuring patient privacy in light of the Dobbs decision. As providers await federal guidance, they must continue to look out for their patients and provide quality care. As tech companies face increasing demands for transparency from consumers and regulators, they must enhance their data privacy practices to ease concerns.
Data privacy has been a top-of-mind issue for healthcare organizations, lawmakers, and big tech companies for years. But now, the stakes are even higher, and the need to prioritize health data privacy has never been so pertinent.
Dig Deeper on Health data access & privacy
-
Understanding the Nuances of the Healthcare Cybersecurity Regulatory Landscape
-
How Digital Health Companies Navigate the Patchwork of State Data Privacy Laws
-
Senators Seek Answers From Amazon Over Collection of Patient Data
-
FTC Warns Amazon About Improper Health Data Sharing Following One Medical Acquisition