The Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade and Planned Parenthood v. Casey, raises new issues regarding the privacy of reproductive health data. That’s because popular mobile apps and other services that collect data about users’ location, health, sexual behavior, and menstrual cycles could be used to harvest information to prosecute women who obtain abortion services in states that penalize the termination of a pregnancy.

Following the Dobbs decision, President Biden issued an Executive Order entitled “Protecting Access to Reproductive Health Care Services.” The Executive Order calls for the Federal Trade Commission “to protect consumers’ privacy when seeking information about and [the] provision of reproductive healthcare services,” and Department of Health & Human Services to provide guidance under HIPAA and other relevant statutes “to strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.” This post explores the guidance that the FTC and HHS issued to organizations that fall under their jurisdiction in response to that directive.

FTC’s Blog Post on Location, Health, and Other Sensitive Information 

In keeping with a recent trend of using its blog to issue significant policy pronouncements, the FTC responded to the Executive Order by issuing a blog post.

The FTC’s blog post emphasizes that the misuse of sensitive data such as location and health data, including reproductive health data, exposes consumers to significant harms. Those harms, explains the FTC, can include phishing scams, identity theft, physical and emotional injury, and “discrimination, stigma, [and] mental anguish.”

The post thus “reminds” companies that deal with these kinds of information of several points that they should keep in mind when collecting this type of information.

• First, sensitive data is protected by several federal and state laws, including many laws enforced by the FTC. These laws include Section 5 of the FTC Act, the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule.
• Second, the FTC warns companies not to make misleading claims that they “anonymize” or “aggregate” sensitive data to try to placate customers who might otherwise have concerns about their privacy. To that end, the FTC notes that supposedly “anonymized” data can often be re-identified, pointing to one study that showed it was possible to identify uniquely 95% of 1.5 million individuals based on “anonymous” location data using just four location points with timestamps. The fact that anonymized data can often be re-identified, according to the FTC, can render companies’ claims that they anonymize or aggregate data deceptive, such that those claims would violate Section 5 of the FTC Act. Companies that make these sorts of deceptive claims about anonymization, the FTC’s post states ominously, “can expect to hear from the FTC.”
• Finally, the Commission points to several recent cases it has brought against companies that misuse customers’ data, including OpenX for collecting children’s location data without parental consent, Kurbo/Weight Watchers for indefinitely retaining sensitive consumer data, and CafePress for improperly collecting and retaining consumer data.

HHS’s Guidance on Disclosures Relating to Reproductive Health Care

HHS, in response to the Executive Order, issued its own guidance on disclosures of patient information relating to reproductive health care. That guidance reminds covered entities and business associates that they can disclose PHI without an individual’s signed authorization, “only as expressly permitted or required by the [HIPAA] Privacy Rule.” (emphasis in the original). It also explains that the Privacy Rule permits, but does not require, a covered entity or business associate to disclose an individual’s PHI without the individual’s authorization (i) when the disclosure is required by another law, (ii) for law enforcement purposes under certain conditions, or (iii) to avert a serious threat to the health or safety of the individual or the public.

To illustrate the application of those principles in the context of information concerning reproductive health care, the HHS guidance provides several examples to illustrate how the Privacy Rule would interact with state laws that prohibit abortion.

• Where a state law prohibits abortion, but does not expressly require that a hospital report an individual for terminating her pregnancy, the guidance explains that the Privacy Rule would not permit disclosure of the individual’s PHI to law enforcement under the “required by law” provision, because no disclosure is actually required by the law.
• The Privacy Rule permits but does not require the disclosure of PHI for law enforcement purposes “pursuant to process and as otherwise required by law.” Thus, the guidance explains, if a law enforcement official requests records of abortions, but the request is not supported by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the disclosure.
• As for disclosures permitted “to avert a serious threat to the health or safety of the individual or the public,” the HHS guidance provides the example of a woman informing her health care provider, in a state that bans abortion, about her intent to seek an abortion in another state where abortion is legal. In that example, the guidance explains, the Privacy Rule would not permit the disclosure of the woman’s PHI to law enforcement “to avert a serious threat to the health or safety of the individual or the public,” because the woman’s statement about her desire to get a legal abortion or other care tied to pregnancy loss does not constitute such a threat. The guidance observes, moreover, that the disclosure of such PHI would generally increase the risk of harm to the individual and detrimentally affect the patient-physician relationship, and would therefore conflict with professional ethical standards.

* * * *

As the FTC and HHS guidance show, the Dobbs decision has created new and challenging scenarios for organizations that handle sensitive information that relates to reproductive health care.