“Ya the 1 pill stops the hormones and then u gotta wait 24 HR 2 take the other.” 

This is a Facebook message that Jessica Burgess sent her then 17-year-old daughter, Celeste Burgess, in May 2022 to guide her through the process of using abortion medications to terminate her pregnancy. Police began investigating the pair after Celeste reported having a stillbirth. Police obtained the messages between the two from Facebook through a search warrant and used them as evidence to eventually convict them both of felony charges related to the disposal of the fetal remains.

A few weeks after Celeste terminated her pregnancy, the Supreme Court issued its opinion in Dobbs v. Jackson Women’s Health Organization, which held that the Constitution does not confer a right to abortion. The decision changed the legal landscape of abortion and ushered in an era of reproductive health care criminalization. As of August 2024, fourteen states have total abortion bans and eight states ban abortion at some time before eighteen weeks gestation. Some states have also threatened to prosecute pregnant individuals who travel out of state for abortion care. The growing criminalization of abortion has raised new concerns over the sharing of sensitive information through social media platforms and its connection to the weaponization of pregnant patients’ medical data, as exemplified by the case of Jessica and Celeste. In this context, it is important that pregnant individuals are aware of the current threats to reproductive health privacy and the entities that are not subject to certain medical privacy laws like HIPAA.

Health Insurance Portability and Accountability Act (HIPAA) & Privacy Rule 

The 1996 Health Insurance Portability and Accountability Act (HIPAA) aimed to increase the efficiency of health care delivery systems and safeguard patient information. Patients were unwilling to trust health care providers with their full medical histories or other information if they could not be assured that their protected health information (PHI) would remain confidential. In response, HIPAA required the creation of the Privacy Rule, which sought to protect patients’ PHI from being used or disclosed without their consent.

HIPAA only applies to covered entities, which are those that bill or receive payment for health care services in the normal course of business. Examples of covered entities include health care providers, health plans, and health care clearinghouses and their business associates. HIPAA also contains permitted uses and disclosures of PHI for certain activities, including disclosures for: (1) law enforcement purposes, (2) judicial or administrative proceedings, (3) serious threats to health or safety, (4) workers’ compensation purposes, and (5) public health activities, among others. In some cases, these carve-outs can be interpreted or applied to allow medical records to be used against people providing or obtaining lawful reproductive health care.

2024 HIPAA Privacy Rule to Support Reproductive Health Care Privacy 

In an effort to minimize the risk of the above-mentioned harmful interpretations and applications, the Department of Health and Human Services released an update to the Privacy Rule on April 26, 2024. The 2024 HIPAA Rule to Protect Reproductive Health Care Privacy prevents “the use or disclosure of PHI related to Reproductive Health Care if the use or disclosure is for the purpose of conducting a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on a person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.” PHI relating to reproductive health care also cannot be used to identify any person for the purpose of conducting an investigation or imposing liability. However, even in the wake of the new rule, threats to reproductive health care privacy remain, as not all entities that collect reproductive health information are subject to HIPAA.

Crisis Pregnancy Centers 

According to the American College of Obstetricians and Gynecologists, a crisis pregnancy center (CPC) is a facility that presents itself as a full-service reproductive health care clinic but has the goal of dissuading people from certain types of reproductive health care, including abortion. Instead, CPCs are more likely to provide their clients with diapers, pregnancy testing (sometimes the same pregnancy tests found at retail pharmacies), counseling on adoption, adoption referrals, and ultrasounds, among other services. CPCs generally position themselves in close proximity to abortion clinics and outnumber abortion clinics nationally 3:1. Most CPCs do not employ licensed physicians; clinic staff who lack appropriate training are the ones who interpret ultrasound results. The proximity to abortion clinics, the language on their websites supporting “choice,” and the provision of pregnancy testing or ultrasounds can be misleading to clients, creating the illusion they are receiving medical care that is subject to privacy protections.  

CPCs, however, are generally not considered covered entities under HIPAA and thus are not subject to HIPAA privacy standards for the use or disclosure of PHI. This is because CPCs do not bill or receive electronic payment for health care services (through insurance or otherwise) in the regular course of business. To stay in business, CPCs instead rely on federal and state funding and donations from private religious organizations, as well as other revenue from the sale of “Choose Life” license plates through the Department of Motor Vehicles. As a result, pregnant individuals who visit these centers leave their PHI, which could include the confirmation of a pregnancy, vulnerable to disclosure for law enforcement or other purposes.

In May 2024, the Campaign for Accountability released a statement detailing an alleged use of real patients’ PHI (including full names, addresses, due date, last menstrual period, and whether they were given an ultrasound or pregnancy test) in training videos that were viewed by an unknown number of staff and volunteers.  

Mobile Applications and Location Data  

With the rise of smartphones, many people who menstruate now rely on mobile applications to help track periods or ovulation for fertility purposes, as well as to set reminders to take oral contraceptives. Like CPCs, companies that own and operate mobile applications are not subject to HIPAA and can disclose medical information indicating that a user had an abortion or is pregnant. The data collected by and stored within these applications is not private, and one study of health-related smartphone applications found that 79% of these applications shared data with third parties. Various lawsuits have alleged that Flo, a period and fertility tracking app with millions of active users, shared user data with marketing and analytics firms, including Facebook and Google. Applications like Flo pose a unique danger to users’ reproductive health data privacy because they employ click-wrap agreements, which most users agree to without fully reading the terms.  

Mobile devices themselves and the location data they collect also represent important threats to reproductive health data privacy. In 2022, a data broker offered up for sale the location data of those who visited abortion clinics, including information about where they came from before visiting the clinic and how long they stayed at the clinic. Users of mobile devices and their applications are not always aware of how their reproductive health data could be weaponized and used to criminalize them for their pregnancy outcomes.

Increased Abortion Surveillance and Prosecutions* (see footnote)  

Another threat to reproductive health care data privacy post-Dobbs is the increased surveillance of abortions, even if they are lawfully provided. Post-Dobbs, lawmakers have begun thinking of creative ways to increase the pre-existing surveillance of abortion procedures and those who receive them. In 2023, the Ensuring Accurate and Complete Abortion Data Reporting Act was introduced; it seeks to fix “incomplete data regarding abortions and survivors of abortion attempts.” The bill, which is not likely to pass, would require reports on every abortion that include: maternal age, gestational age, maternal race, maternal ethnicity, abortion method, marital status, previous pregnancies of the mother, including the number of previous live births, the number of previous induced abortions, and the number of previous spontaneous abortions, and maternal residence (county and state). The collection of this data does not violate HIPAA because it would be classified as a permitted disclosure for public health purposes. While the data submitted in these reports would not have patient identifiers like name, it would not be a challenge to identify patients given the extensive information that these proposed reporting requirements would collect. The intersection between data privacy and reproductive health care is now more important than ever. Reproductive rights cannot be protected without a renewed focus on data privacy.

* = While it is important to note that there are valid public health purposes for collecting abortion-related data, the scope of this blog is limited to the potential privacy risks to abortion patients.