This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Nov. 2, 2022

Dobbs Decision Spurs New Health Care Privacy Concerns

Reece Hirsch

Partner, Morgan Lewis

When the US Supreme Court handed down its opinion in Dobbs v. Jackson Women's Health Organization, reversing Roe v. Wade and holding that the US Constitution does not confer a right to abortion, a host of new health care privacy concerns were raised. And the privacy regulatory landscape for digital health companies - already complicated - became more complex.

Across State Lines

Many employer group health plans now cover, or are considering covering, abortion services and related travel expenses for an employee traveling from a state in which abortion is illegal post-Dobbs to a state where the procedure is legal. Such programs are potentially in conflict with laws being considered in certain states that would prohibit residents from obtaining abortions in other states or could punish those who facilitate such procedures.

How should an employer respond if it receives a subpoena or investigative demand from a state attorney general requesting records regarding an employee group health plan participant who traveled to a neighboring state to obtain legal abortion services there? The Health Insurance Portability and Accountability Act (HIPAA) permits a covered entity, such as a group health plan, to disclose protected health information (PHI) for law enforcement purposes if "the information sought is relevant and material to a legitimate law enforcement inquiry." But if an attorney general seeks to prosecute an individual for obtaining an abortion in a state in which the procedure is legal, is that a legitimate law enforcement inquiry?

After Dobbs, California Governor Gavin Newsom signed an executive order declaring California's commitment to ensuring access to reproductive health care. The order also restricted California agencies from disclosing information relating to persons or entities that provide, secure, or receive support for reproductive health services legally performed in California.

There have also been new concerns raised regarding the geolocation data collected by health care mobile apps and other technology companies, which might be used to reveal whether an individual visited an abortion clinic or fertility center. Some technology companies have already responded to this concern, including implementing measures to automatically delete location history data that might indicate that an individual has obtained reproductive health services.

Digital Health Products

Digital health companies are subject to a bifurcated privacy regulatory scheme. Digital health companies that provide services directly to HIPAA-covered entities, which include most health plans, hospitals, and medical practices, will typically be "business associates" subject to HIPAA regulation. However, when digital health products are offered directly to the consumer or patient, privacy and security issues are typically governed by the Federal Trade Commission (FTC) under its broad authority to regulate unfair or deceptive acts or practices under Section 5 of the FTC Act.

Promptly after the release of the Dobbs decision, both the US Department of Health and Human Services Office for Civil Rights (OCR), which enforces HIPAA, and the FTC issued guidance that addressed reproductive health privacy. On June 29, OCR issued two guidance documents, one addressing HIPAA-covered entities and the other on safeguarding consumer information on personal devices that are not regulated under HIPAA.

In OCR's HIPAA-related guidance, the agency commented on scenarios similar to the group health plan example referenced above. OCR stated that the HIPAA privacy regulations (the Privacy Rule) do not require a covered entity to disclose PHI to law enforcement, and do not permit a covered entity or its workforce member to report an individual's abortion or other reproductive health care to law enforcement in the absence of a mandate enforceable in a court of law.

The Privacy Rule also permits a covered entity to disclose PHI to avert a serious threat to health or safety. OCR stated in its guidance that it would be inconsistent with the professional standards of ethical conduct of the American Medical Association and the American College of Obstetricians and Gynecologists for a physician to disclose information to law enforcement regarding a patient's interest in, or experience with, reproductive health care in the name of averting such a threat.

On July 11, the FTC published a blog post emphasizing its intent to fully enforce the laws against illegal use and sharing of highly sensitive data, particularly reproductive health information. The FTC specifically cited products that track women's periods, monitor their fertility, oversee their contraceptive use, or even target women considering abortion.

It seems that the Dobbs decision and health care privacy regulation are on a collision course that will undoubtedly lead to new litigation and regulatory action in 2023. This focus on reproductive health privacy also brings into sharper focus persistent regulatory concerns regarding other forms of sensitive personal information collected and maintained by technology companies.
