In the aftermath of the US Supreme Court’s decision to strike down a nearly 50-year federal right to abortion access, social media, texts, and conversations among opponents soon shifted to forming a privacy bulwark by deleting apps tracking menstruation, sexual activity or reproductive health.
These women viewed the Dobbs v. Jackson Women’s Health decision as a severe blow to women’s constitutional and civil rights as well as a catalyst for deeper incursions into a person’s privacy and health care data.
Still just weeks removed from the ruling, it remains largely unknown how law enforcement and state health oversight authorities may attempt to access data related to reproductive health or how those efforts might affect broader data privacy policies. It will be imperative for non-governmental entities collecting this type of information—such as commercial health tech companies or not-for-profit health organizations—to increase their awareness of relevant laws and re-examine any internal and public policies about their data collection, use, and privacy.
What’s Health Data After Dobbs?
This aspect is not necessarily new, but sensitive health data collected by apps tracking things like fertility could be increasingly vulnerable to subpoena by law enforcement authorities in states with more restrictive abortion laws or if the procedure is further criminalized by state laws.
Similar situations occurred with genetic testing apps. Negative publicity about law enforcement’s access to consumer genetic testing data has prompted some of these companies to take a stricter stance against providing access to the government and to make consumers more clearly aware when they do.
Companies gathering data through fertility tracking apps could follow a similar approach, although this option requires consistent and rigorous corporate self-regulation. Also, there are currently no federal laws or regulations addressing law enforcement’s access specifically to fertility app data.
Geolocation data is another area of potential risk. Where a person is located or has visited could be collected and sold by data brokers to “geofence” or target an individual seeking care at an abortion provider. Another scenario to consider is that a person’s web-browsing history gathered by a search engine provider could be subject to subpoena and give authorities information about an individual seeking abortion services.
There’s the potential to expand the definition of what’s considered to be sensitive, protected health data. Restrictions already apply to members of the Digital Advertising Alliance, but these do not yet apply to data such as geolocation, and the rules are essentially applied in a self-regulatory way.
Immediate Corporate Actions
Companies that aren’t already acting on ways to better protect their sensitive data could be more vulnerable to outside attacks. Failing to act also could lead to compromised systems and reputations. This means that corporate self-regulation is an excellent first step, even if the solutions aren’t comprehensive.
Google recently announced a new program to automatically delete location data for users visiting “particularly personal” places such as counseling centers, domestic violence shelters, abortion clinics, and fertility centers. Some digital period tracker apps also upped their privacy efforts. Flo, which reports having roughly 200 million users worldwide, now offers users an anonymous profile option that doesn’t require a name or e-mail address.
Broader Privacy Protections
The health data privacy issues revealed by the Dobbs ruling only add to the Pandora’s box of other data privacy risks policymakers and companies are facing.
Federal and state lawmakers continue to address privacy gaps for other sensitive personal data. Many of these proposed and recently enacted laws, regulations and guidance will cover reproductive health data protections despite not directly targeting them. Notably, a bipartisan measure recently introduced in Congress and known as the American Data Privacy and Protection Act could, if passed, protect against some of the privacy vulnerabilities.
The adoption of robust state privacy laws is still nascent and currently limited to just five states—California, Colorado, Connecticut, Utah and Virginia. Colorado’s recently enacted privacy law requires organizations to notify individuals about any secondary uses of their personal data collected by the organization. Other states have imposed more limited regulations, such as those mandating notification requirements to help ensure the security and privacy of an individual’s data.
After the Dobbs ruling, the Biden administration issued guidance reiterating the existing privacy protections applicable to health data that could be imperiled by the decision. The Health and Human Services Department’s Office for Civil Rights further emphasized that current federal health privacy rules known as HIPAA don’t protect an individual’s health information when it’s stored on a personal cell phone or tablet. The agency recommended that patients choose apps that use strong encryption by default when data is transmitted, don’t collect or store personal information, and enable technologies that limit tracking tools such as cookies.
Regulations and enforcement will continue to evolve in response to the Dobbs decision on abortion. Any company or entity collecting a user’s personal data—particularly anything potentially tied to health care—should not only continue to monitor developments, but also seek to be more proactive. Pursuing a best practices approach by considering stronger encryption measures, re-examining data privacy practices and disclosures to protect the data, and reviewing as well as updating external-facing privacy statements will help protect against reputational harm and reinforce trust with patients and consumers.
This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Linda A. Malek is a partner and chair of Moses Singer’s Healthcare & Life Sciences practice group and leader of the Healthcare Privacy & Cybersecurity practice. She concentrates on regulatory, technology, and business matters in the health care industry.