The Dobbs v. Jackson Women’s Health Organization reversing the 50-year precedent of Roe v. Wade and South Carolina Republican Senator Lindsey Graham introduction of a federal abortion ban bill both have sparked new legal concerns over the long-sensitive topic of health data privacy.
While the federal government has clarified that HIPAA (Health Insurance Portability and Accountability Act) supersedes all state laws regarding abortion healthcertain limitations and loopholes allow facilities to obtain – and share – private health information from those seeking reproductive and sexual health care.
“This only applies to what the law calls ‘covered entities,’ so your healthcare provider is a covered entity,” said David Orentlicher, Justice Jack and law professor Lulu Lehman at the Boyd School. of Law at UNLV and Director of the UNLV Health Law Program. .
Other covered entities include insurance companies and healthcare companies that store data for providers.
Shortly after Graham introduced a federal abortion ban bill, Nevada Democratic Senator Jacky Rosen joined 29 of her Senate colleagues and sent a letter to the US Department of Health and Human Services (HHS) calling for stricter rules to protect abortion patients.
“In particular, HHS should update the HIPAA Privacy Rule to broadly restrict regulated entities from sharing individuals’ reproductive health information without express consent, particularly for law enforcement, civil or criminal proceedings. based on the provision of abortion care,” the senators wrote.
Letter calls on HHS to focus on reproductive health compliance and enforcement activities, as well as education of patients’ rights under HIPAA, including information that can be shared without patient consent, how to file a complaint with HHS, and further educating healthcare workers about what legal compliance with HIPAA looks like.
Sites like Facebook or Google (and Google Maps, which refer people to anti-abortion clinics), period tracking and other health apps, and nonprofit religious organizations, such as Pregnancy Crisis Centers (CPC) that do not operate as health clinics, are not subject to HIPAA, and may sell personal health information to advertisers or pass it on to government authorities.
“If you post things on Facebook or do health-related Google searches, that’s not covered,” said Sharona Hoffman, professor of law and bioethics at Case Western Reserve University School of Law.
Loopholes exist in HIPAA for law enforcement given that they go through the proper legal channels, such as obtaining a subpoena, she said.
Currently, people who give birth cannot be prosecuted for leaving their state to seek abortion services in other states, but health care providers in states with stricter anti-abortion laws, including Texas, Utah, Idaho and Arizonaare subject to prosecution for performing abortions, Hoffman said.
“Information may be leaked, despite HIPAA, making them more vulnerable to providing services than they were willing to provide until now.” The Dobbs decision puts healthcare providers in a dire situation where they have to consider the patient’s well-being against their own,” she said.
Facebook collects personal information about abortion seekers and allows anti-abortion organizations, like CPCs, to use that data to target and influence people, while period-tracking apps can sell a person’s data. individual, including the date of their last menstrual period, according to a report by the charity Privacy International.
The report notes that CPCs routinely collect information about individuals from social media, including name, address, email address, ethnicity, marital status, living arrangements, education, source of income, alcohol, cigarette and drug use, medications and medical history, including sexual transmissions. illness history, pregnancy symptoms, pregnancy history, medical test information and even ultrasound photos. Because the data is pulled from social media and other sources that are not HIPAA-regulated entities, it is excluded from HIPAA’s protections.
There are at least seven CPCs in Nevada, including at least two in Las Vegas.
CPCs use geolocation technology that can tag and target anti-abortion ads to people’s phones inside reproductive health clinics, deploy online chat services that share information with major anti-abortion organizations and create apps that store vast data about an individual’s menstruation. according to the report.
HIPAA privacy protection is a 21st century development. HHS originally finalized HIPAA privacy regulations in 2001, with compliance deadline for health care providers by 2003. The HIPAA security rule that requires healthcare providers to protect healthcare data came into effect in 2005.
Prior to this, there were no laws protecting health information.
“It was pretty new and a huge deal,” Hoffman said. ” We are far behind other countries.”
Rosen did not respond to multiple interview requests about the impact tighter HIPAA regulations would have on CPCs specifically.
Last year, US Democratic Senator Catherine Cortez Masto introduced the Data Protection Law, which aims to protect consumer privacy, but would also prevent information sharing of those seeking abortion and reproductive health care. Complementary legislation has been introduced in the House. No hearings have yet been held on either bill.
While 110 House Democrats, including those in Nevada Dina Titus, Susie Lee and Steven Horsford, co-sponsors the My body, my Ac datat, no Nevada senator sponsored the accompanying invoice.
The bill was introduced shortly after the Dobbs ruling and would prevent nonprofits, commercial entities and individuals from collecting, maintaining and using personal sexual and reproductive health information without consent. writing of the individual, or if it is strictly necessary to provide a requested service.
The bill would not apply to HIPAA-covered entities or health information disclosure for publishing newsworthy information that warrants public concern.
Neither the Senate version nor the House version has been scheduled for a hearing.