Biden, in a July 8 executive order, urged the FTC to use its authority over corporate fraud and other practices deemed unfair to consumers. He called on the independent agency to help combat “digital surveillance” of reproductive care based on data like search engine queries or fertility app usage.
“There’s an increasing concern that extremist governors and others will try to get that data off of your phone, which is out there in the ether, to find what you’re seeking, where you’re going, and what you’re doing with regard to your healthcare,” Biden said.
The agencies are likely to run up against legal limits if they try to go beyond their regulatory efforts so far to oversee the collection and use of sensitive health data. The FTC has the option of dusting off a decade-old rule on consumer notification of health information breaches. HHS operates under the Health Insurance Portability and Accountability Act, a federal privacy law governing information held by health-care providers and insurers.
“They’re trying to work with the tools they have,” said Sheila Sokolowski, a health-focused partner at Hintze Law PLLC.
Biden also is urging HHS to work with the FTC and the US Attorney General to shield people who seek such care from inaccurate information or fraudulent schemes.
Privacy advocates have warned that law enforcement in states outlawing abortion could demand records of people’s online searches for abortion clinics or their use of period-tracking apps.
The FTC could ramp up efforts to enforce its existing rule for alerting consumers to leaks of health information, Sokolowski said.
The commission hasn’t brought any enforcement actions under the health breach notification rule since it was issued more than a decade ago. The FTC recently warned health app makers about complying with the rule, including in cases where private data is shared without permission.
The agency previously brought an enforcement action against fertility-tracking app Flo Health Inc. over data-sharing concerns, though it didn’t allege a violation of the breach notification rule.
“Protecting consumers’ health privacy remains a top priority for the FTC, and the agency is committed to taking action when companies violate the law,” a spokesperson for the commission said in a statement.
In a blog post Monday, the agency warned companies collecting sensitive data like location and health information to be mindful of the FTC Act’s prohibitions against unfair and deceptive business practices, as well as regulations like the health breach notification rule.
Companies that claim consumer data is anonymized also should be on guard for potential agency action, since such data, especially location records, can often be re-identified, says the post from Kristin Cohen, acting associate director of the FTC’s Division of Privacy & Identity Protection.
HHS Secretary Xavier Becerra said he shares Biden’s commitment to maintaining access to reproductive health care, including abortion.
“At his direction, HHS initiated concrete action to protect access to these critical health care services, as well as the privacy and legal rights of patients and providers,” Becerra said in a statement.
HHS issued guidance June 29 telling doctors and other health-care providers they cannot disclose information about a patient’s pregnancy or abortion unless state laws or a court require them to do so. The department didn’t suggest any new privacy protections.
The department also published a guide for how consumers can protect their personal health data on mobile apps. Such apps generally aren’t covered by HIPAA.
“Most app users are not HIPAA experts,” said Quentin Palfrey, president of the International Digital Accountability Council, a nonprofit that has studied health app data practices. Even though many users don’t expect sensitive data to be shared, the business model of an app may rely on sharing information such as a user’s location, Palfrey said.
“That mismatch becomes especially problematic” after the Supreme Court’s ruling on abortion, he said.
Advocates have criticized how permissive the health privacy law is in allowing doctors to disclose health information to law enforcement. Some state laws even force providers to do so.
Digital trails related to reproductive care also might fall outside HIPAA’s narrow protections for certain kinds of companies and data, said John Davisson, senior counsel and litigation director at the nonprofit Electronic Privacy Information Center.
“So the message here is that the laws on the books at the federal level aren’t sufficient to protect privacy in a post-Roe world,” Davisson said. “More statutory authorities are needed,” including an industry-wide federal privacy law, he said.