By Wendy A. Bach and Nicolas Terry
Post-Dobbs, the fear is visceral. What was once personal, private, and one hoped, protected within the presumptively confidential space of the doctor-patient relationship, feels exposed. In response to all this fear, the Internet exploded – delete your period tracker; use encrypted apps; don’t take a pregnancy test. The Biden administration too, chimed in, just days after the Supreme Court’s decision, issuing guidance seeking to reassure both doctors and patients that the federal Health Privacy Rule (HIPAA) was robust and that reproductive health information would remain private. Given the history of women being prosecuted for their reproductive choices and the enormous holes in HIPAA that have long allowed prosecutors to rely on healthcare information as the basis for criminal charges, these assurances rang hollow (as detailed at length in our forthcoming article, HIPAA v. Dobbs). From a health care policy perspective, what is different now is not what might happen. All of this has been happening for decades. The only difference today is the sheer number of people affected and paying attention.
Since 1973 there have been nearly 2,000 prosecutions of women in the United States for reproductive conduct. Women have been prosecuted when they miscarried, when their infants were stillborn, and when they attempted suicide or struggled with substance use disorder while pregnant. Previously these prosecutions were largely confined to poor communities and communities of color. Post-Dobbs, prosecution suddenly looms for rich and poor, Black, brown, and white alike.
Prosecutions of this kind tend to rely, to an alarming degree, on information obtained or disclosed in a healthcare setting. Recent research describing prosecutions of about 120 women for the “crime” of fetal assault in Tennessee, for example, revealed that 90% contained detailed confidential health information including test results, diagnoses, and statements by the women to nurses and doctors.
Sadly, there is nothing either surprising or illegal about using presumptively confidential health information in punishing women. The reality is that HIPAA is akin to a badly designed faucet, allowing health care information to leak to law enforcement. While HIPAA imposes a duty of confidentiality on health care providers, it also includes a list of exceptions that in many ways swallows the rule.
In a post-Dobbs world, some of these exceptions loom large: providers may disclose health information if they are required to do so by state law, in response to a subpoena or other court orders, and in cases of suspected child abuse.
It is easy to see how these exceptions play out in a post-Dobbs world. The majority of states already require providers to report every abortion to the state. Nothing stops them from enacting legislation requiring similar reporting of every miscarriage or stillbirth. Once the state is notified, nothing stops a prosecutor or court from subpoenaing that woman’s entire medical record.
All states also require healthcare providers to disclose instances of suspected child abuse to the state, and HIPAA clearly permits these disclosures. That may seem like a reasonable and necessary requirement, but what many do not know is that the definition of “child” can in effect include a fetus. Already, several states include conduct during pregnancy in their definitions of child abuse. Post-Dobbs, an attempt to end a pregnancy could fall within those definitions, leading to possible reports to child welfare agencies in cases of miscarriage and stillbirth.
Anti-abortion advocates are already promoting dramatically expanded prohibitions and enforcement and much of their attention will be focused on shutting down the supply of abortion medications from out of state and the travel of their citizens for out-of-state abortion services. The location and other data “breadcrumbs” that will fuel these prosecutions is medical information and informational privacy increasingly will be viewed as necessary collateral damage.
Concerns about expansive uses of healthcare information are not confined to medical records. Huge swathes of reproductive health care information lack effective protection from HIPAA or any other laws. The federal Privacy Rule only applies to a relatively narrow group of what are called “covered entities,” such as doctors, hospitals, and health insurers. As a result, the data collected by, for example, wearables, fertility and period tracking apps, or search histories including “abortion clinic” or “miscarriage” exist in a HIPAA-free zone that is only thinly regulated.
In a post-Dobbs world, more women will find the technologies they rely on for their health turned against them as tools of surveillance. Many of these technologically-created data points will find themselves in the hands of data brokers who sell consumer profiles containing medical information and who will now find new markets among both prosecutors and abortion vigilantes. Among the most intrusive kinds of technological surveillance is location data, opening up the possibility of tracking women of reproductive age who, for example, cross borders between abortion-hostile and abortion-friendly states in the general area of abortion clinics.
The same day that the Biden administration tried to reassure patients about HIPAA protections, it also issued some guidance about reproductive health information stored on personal devices such as phones. The gist of this guidance was that women should turn off location services and a few other identifiers. Yet, the guidance basically admitted that most sensitive information (for example, cell phone location data) was unprotected and could well fall into the hands of data brokers or law enforcement.
In this moment, in which threats to healthcare privacy are newly and so viscerally on the minds of many, we are perhaps ready to take serious steps to build strong legal protections that support healthcare privacy for all. There are some promising options. The FTC can more aggressively enforce the Federal Trade Commission Act and deter the misuse of mobile location and health information. HIPAA’s leaky faucet is overdue for reform. We should limit some of the broader exceptions, particularly those that bow too generously to state law, state agencies, state courts, and law enforcement, and enact robust barriers, such as those contained in The Confidentiality of Alcohol and Drug Abuse Patient Records Rule (itself currently undergoing strengthening of prohibitions on the use and disclosure of Part 2 records in legal proceedings), to the unfettered use of healthcare information in prosecutions. To provide for robust privacy outside of HIPAA, Congress should immediately pass the bipartisan and bicameral American Data Privacy and Protection Act to protect all sensitive data in apps and keep them out of the hands of brokers. Finally, Congress should enact strong reproductive privacy laws such as those suggested by Senator Ron Wyden or Representative Sara Jacobs. Perhaps, in a post-Dobbs era, we can finally muster the political will necessary to separate our health care systems from our criminal systems and protect medical privacy for all.