By Susannah Baruch
Concerned about privacy protections for pregnancy- and abortion-related health data in the post-Dobbs environment?
The film Preconceived, premiering at SXSW this week, shines a bright light on anti-abortion “Crisis Pregnancy Centers” (CPCs), including their disturbing take on the Health Insurance Portability and Accountability Act (HIPAA).
The film’s footage of practices inside these centers is extraordinary. As I (and many, many others) have documented elsewhere, although they hold themselves out as medical centers for pregnant women, CPCs do not provide the care they promise, troubling given our current crisis in maternal morbidity and mortality particularly among Black women and in communities of color generally.
HIPAA takes center stage near the end of the film. It seems the CPC industry is collecting health information by “performing” HIPAA while operating under no legal obligation to protect the privacy of personal or health information.
At Stanton Healthcare, a CPC in Idaho, we see a sterile-looking medical waiting room and visitors filling out medical history forms. A reasonable person would assume this is a licensed medical provider, required to comply with HIPAA and accountable for violations or sharing of personal health information.
On camera, the Director of Client Services points at what may or may not be a standard HIPAA disclosure form and announces “It’s our HIPAA. We’re completely HIPAA compliant…anything [visitors] have done here, any communications, is completely confidential.” She points to a door that has a lock.
Q (off-camera): And all of the information that they share – where is that all stored?
A: In a paper chart and we have a digital format for it
Q: And the digital format, is that…what is..?
A: It’s…It’s…I’m not going to give you the name of it, it’s through Heartbeat International but it’s a secure website…software actually.
Cue a Heartbeat International Promotional video for “Next Level, center management solution”:
Our vision has always been that we are better together, and Next Level helps us in a totally new way. The data that will be collected actually will benefit everyone! It will be open to everyone! We will have, with Next Level, our own data mine, that we can truly use to find answers to the kind of questions that will make us even more effective.
A “Recording from Heartbeat International’s Annual Conference 2022” clarifies:
We’re pulling data, pulling data, pulling data, pulling data down to the point that I’m tracking the SIM card in your phone. So, I can tell if I served you an ad, you didn’t click on it, but you came to my site down the road. Isn’t that scary? Right? We’re going to track your conversations and serve ads. Right? We do all this creepy stuff! If you’re not using big data, you’re missing this. Because we have the ability to say: ‘I want this person’ and then put a target on their back and follow them. Completely, all around the internet, whatever they’re doing.
Making vague promises of confidentiality while wearing scrubs and a stethoscope is one thing. It would be quite another to claim to be HIPAA compliant and then do precisely what HIPAA prohibits. Are there ways to counter the twisted theater of HIPAA captured in this film?
Before joining the Petrie-Flom Center as Executive Director, I worked with the Alliance, who published the Designed to Deceive report linked above and a Brief on Surveillance. In that role I interviewed nationally known HIPAA experts to understand the legal status of CPCs with regard to HIPAA. Under HIPAA, protected health information (PHI) is “‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” For “covered entities” disclosing PHI is prohibited except when certain conditions are met. But based on our understanding of their practices and legal status, despite their names, promises, and actions, most of these places don’t provide real health care or have real health care providers, so they would not be “covered entities” under HIPAA.
The scene at Stanton Healthcare makes me wonder if something has changed. Is Stanton a HIPAA-covered entity? Are they simply using HIPAA as a buzzword while they exploit an ambiguity? And either way, what are they doing with the information they are collecting? It seems to be shared up the chain of their own networks, to “Next Level” run by Heartbeat International and Heartbeat International is using this information to track and target people.
Certainly, there are regulatory loopholes that expose health care consumers to privacy violations. I. Glenn Cohen and Carmel Shachar have written about how HIPAA protection may be inadequate to cover all health-related information, particularly in an era of big data. And Carmel Shachar and I have written about the need for attorneys to use whatever legal tools we have to force CPCs to comply with medical norms and requirements, including state laws on the unauthorized practice of medicine and state HIPAA-type laws.
I’d like to see Federal policymakers 1) provide official guidance on the circumstances when CPC may be a covered entity under HIPAA; (2) define representations of HIPAA compliance by non-covered entities as deceptive; and (3) ensure that using collected data to track, stalk, or harass people who have visited a center or website is impermissible.
Perhaps we need to fix HIPAA. Perhaps nobody anticipated unlicensed entities that pretend to be health care providers and pretend to follow HIPAA only to benefit from the confusion. Legal or regulatory change might be necessary. My hope is that in the meantime the evidence Preconceived presents—of the flouting of norms and violations of trust by crisis pregnancy centers—brings much-needed scrutiny and investigation, and new strategies for accountability.
Susannah Baruch is Executive Director of the Petrie-Flom Center.