The US Supreme Court’s Dobbs v. Jackson Women’s Health Org. decision has brought health privacy and femtech into the spotlight on a federal and state level.
Femtech is a term covering the technology used for such health purposes like period tracking, reproductive health, and fertility solutions. The Dobbs ruling could impact users of femtech products because information stored on them can be used to determine if someone has had an abortion. Period trackers, for example, store information that can be used by government actors for this purpose.
Members of Congress have pushed for revisions to the federal health privacy framework in response to Dobbs, but the most tangible federal response relating to femtech has been guidance from HHS on how to protect health information when using a cell phone or tablet. So, unless there are revisions federally that will protect femtech user information, regulation of femtech will fall to the states.
However, there is a chance that there will be no relevant regulation at either level.
The Federal Privacy Framework and Femtech
The regulation of an individual’s health information on a federal level relies on a patchwork system that was created before most of the modern technology that’s used to store health care information even existed.
Health information privacy in technology is federally governed by four rules through three agencies: HIPAA, through HHS; the Food, Drug, and Cosmetic Act, through the FDA; and the Federal Trade Commission Act and the Health Breach Notification Rule, through the FTC. Despite so much regulation, this enforcement scheme doesn’t fully protect the health information of individuals using femtech products.
For example, HIPAA only applies to covered entities and business associates. Covered entities are health care providers, health plans, and health care clearinghouses—and most femtech doesn’t fit into these categories. HIPAA will not stop most femtech companies from sharing information, nor require them to meet technical security standards. The law’s business associate requirements will not provide strong protection for femtech products, because these products are usually used in a personal capacity, not in conjunction with care from a covered entity.
An exception to HIPAA allows covered entities to disclose health information to government agencies and law enforcement in certain circumstances, but there’s an important push for HHS to remove or to narrow this exception. Additionally, the bipartisan American Data Privacy and Protection Act is looking at potential passage in Congress. In the meantime, state action will be the critical avenue for femtech regulation.
Rise in State Governance of Femtech
Many will look for states to act, given the lack of federal femtech governance. But it’s unclear what post-Dobbs privacy protections would look like.
Many states’ privacy protections have exceptions stating when the government can require providers to report private health information, and states already are using their authority to require providers to report abortions. Reports from information stored on femtech applications likely will become a way for certain states to discover if a person has had an abortion. The applicability to femtech applications and products will vary by state, but it will likely be an avenue that states use to enforce their abortion bans.
These exceptions are also being used to try to get information on abortions that occur in states still allowing abortions. States facing this pressure may respond by narrowly tailoring the exceptions to specifically exclude information about abortion stored on femtech products. States likely will also create legislation that outright prohibits the sharing of information involving reproductive health or abortion—or at least the sharing of an individual’s health information without informing them.
For example, the California Consumer Privacy Act of 2018 gives California consumers the right to know the personal information that businesses collect from and about them and how it’s used. California also recently enacted a law that will prevent California companies from complying with search warrants related to abortion investigations originating in other states. Several states have been following California’s lead in passing state level privacy laws or bringing new bills to the table.
As states take on a role in femtech regulation, conflicts between different state laws will likely happen. US senators voiced this concern in a letter to HHS, warning that confusion will grow “as state lawmakers continue to implement a patchwork of laws restricting access to abortion and other reproductive health care services.”
But unless the federal framework changes, the status of health information protections involving abortion and reproductive health will remain confusing and vague for femtech companies.
The Role of Technology Companies
Some technology companies and femtech product makers themselves have leaned toward taking steps to protect consumers. Google has announced that it will delete location data from abortion clinics and that it will make it easier to delete logs on period trackers. A popular period tracker called Flo will offer an anonymous profile option.
Unless government entities act, femtech companies may have the most tangible influence on how private health information is used and what level of privacy femtech products have. In lieu of any concrete government directive or oversight, privacy in femtech will become a Wild West, where private companies decide how their customers’ information is to be shared and used.
Access additional analyses from our Bloomberg Law 2023 series here, covering trends in Litigation, Transactional, ESG & Employment, Technology, and the Future of the Legal Industry.
Bloomberg Law subscribers can find related Practical Guidance documents, tools for keeping track of new laws, and in-depth reference materials on our our Privacy & Data Security Practice Center resource.
If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content, or click here to view the web version of this article.