Post-Roe, prosecutors can seek unprotected reproductive health data
The increasing criminalization of abortion in the U.S. is exposing major gaps in the legal protection of health information, as more health data ends up in the hands of patients rather than doctors.
Why it matters: Health privacy in the post-Roe digital age is fraught as prosecutors seeking to enforce anti-abortion laws are free to go after reproductive health data in mobile apps, where it is unprotected by federal law.
- Companies buy and sell sensitive health data, which is one concern; the unregulated use of personal data to enforce abortion bans is another.
- As many as one-third of women use digital tools to track their periods, Axios' Erin Brodwin reports. That can be for reasons as simple as monitoring their cycles, planning to avoid a pregnancy or trying to conceive.
Driving the news: Virginia lawmakers recently tried to pass a law that would exempt digital menstrual health data from law enforcement access. The bill was passed by the state Senate in a bipartisan vote.
- But the administration of Gov. Glenn Youngkin (R) helped defeat the bill, per the Washington Post. A state House committee voted to table the bill after Youngkin administration official Maggie Cleary said a bill limiting search warrants could also restrict subpoena powers.
- While no specific investigations have been reported that depend on period-tracking data, the Youngkin administration's comments are the most recent to come from a state official suggesting that prosecutors might go after a person's digital footprint.
What's also happening: Meanwhile, lawmakers in states like California and Washington have introduced bills that look to protect people's electronic data, including information collected by period-tracking apps.
What they're saying: "There really aren't any real safeguards against the ways police can weaponize this data against users, when they're actively investigating a crime in a world where abortion increasingly is criminalized," Albert Fox Cahn, founder of the Surveillance Technology Oversight Project, told Axios.
- "That means those powers are being weaponized against abortion seekers in new and disturbing ways."
How it works: The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive health information when it's in the hands of health insurers and doctors. But it doesn't protect health data when it's logged in a phone app, discussed in a text with a friend or written about in an email.
- That leaves people unable to protect personal health information from law enforcement online, putting the onus on individuals to minimize their digital health footprint using encryption or being cautious about what platforms they use.
Agencies like the Federal Trade Commission can, and do, go after companies for improperly disclosing sensitive data — such as the recent action the FTC took against GoodRx for sharing patients' health data with Meta and Google without the users' consent.
- However, the FTC is powerless against law enforcement seeking such data.
The FTC's jurisdiction on protecting health data is limited, an agency official told Axios. Still, the official added, the agency is going after companies that deceive customers about their privacy practices or that buy and sell health data.
- Samuel Levine, director of the commission's Bureau of Consumer Protection, previously told Axios the agency will sue companies who break the FTC's rules.
- Under chair Lina Khan, the FTC is also coming up with new rules around commercial surveillance of people's data.
Between the lines: HIPAA was enacted in 1996 and did not anticipate technology like period-tracking apps and other digital tools recording individuals' health information.
- Currently, HIPAA covers health plans, health providers and health care clearinghouses, the last of which includes billing services and repricing companies.
- A health app could be subject to HIPAA regulations only if a covered entity — not the patient — had to input information into an app: "If it's coming from a HIPAA-regulated entity, then HIPAA would apply," said Dianne Bourque, a senior attorney at Mintz specializing in health care law.
- Since period-tracking apps are normally accessed directly by the patient who provides their own information, the data is exempt from HIPAA rules.
- Ultimately, Congress has the power to expand HIPAA's reach to capture other types of entities. Absent that, states have the authority to strengthen their own privacy laws.
Zoom in: Two largely symbolic bills in Congress would look to both strengthen HIPAA and protect people's reproductive or sexual health information collected by digital apps.
- The SAFER Health Act, introduced by Rep. Sara Jacobs (D-Calif.), would prohibit medical providers from disclosing personal health information related to abortions or miscarriages without a patient's consent, even if a request for information was made with a subpoena or court order.
- Jacobs also plans to reintroduce the My Body, My Data Act in the spring, which would protect personal data collected by entities not currently covered under HIPAA, including apps, cell phones and search engines.
- "The post-Roe era is very different from the pre-Roe era and we have all of this digital surveillance now," Jacobs told Axios. "Our privacy laws in all realms are just not really suited or ready for this post-Roe era."