White House proposes stronger abortion data privacy protections
The Biden administration on Wednesday announced a suite of proposals that would shore up protections for sensitive health data related to reproductive health care, a move meant to protect people seeking legal abortions from criminal prosecution by more restrictive states.
The actions include a newly proposed Health and Human Services rule to strengthen existing privacy protections under the Health Insurance Portability and Accountability Act by prohibiting doctors and healthcare providers from disclosing information related to reproductive health care for the purposes of investigating, prosecuting or suing an individual for a legal abortion.
The proposed rule, which is now subject to a 60-day comment period, comes ahead of a meeting of the vice president’s Task Force on Reproductive Health Actions. Since the Supreme Court’s reversal of the constitutional right to abortion last summer, reproductive health advocates have warned about the dangers of law enforcement weaponizing sensitive health data to prosecute women seeking abortions and other reproductive care.
Most of this type of health data is stored electronically, leaving its protection up to the nation’s patchwork of data privacy laws. While current HIPAA laws place some safeguards on health data, they do not place restrictions on making health data available to law enforcement. The new rule would codify guidance from the Biden administration last summer that, with some exceptions, they are not required to disclose health information to law enforcement.
The new rule strengthens protections already in HIPAA and creates a uniform interpretation for states on how those patient data privacy protections should be applied to reproductive health data, said Jordan Wrigley, a researcher for health and wellness at the Future of Privacy Forum. That can be significant in cases in which individuals from states where abortion is restricted receive or perform reproductive healthcare in other states, she says.
The new HHS rule requires regulated entities to get a written attestation that a request for reproductive health information does not fall under prohibited uses, such as law enforcement purposes. Failure to do so can come with legal penalties, Wrigley explained.
Other experts emphasized how the rule could bring clarity to differing state interpretations of health data protections.
“The proposed HHS rules would bring much-needed clarity to healthcare facilities that are otherwise stuck navigating a thicket of changing and conflicting state rules after Dobbs,” Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals, wrote in a comment to CyberScoop.
In addition to the proposed rule, HHS is also issuing guidance making it clear that patients have the right to request that their electronic health records not be disclosed.
The Department of Education is also issuing guidance to officials at 20,000 schools to consider health privacy in their obligations under Family Educational Rights and Privacy Act, which requires federally funded schools to obtain written consent from students or parents before sharing education records, including student health records.
The move by the White House received praise from Democrats who have urged the administration to do more to protect reproductive health data.
“When we go to the doctor, we shouldn’t second guess or question whether our personal health information will be kept confidential and secure – especially in the post-Roe era,” said Rep. Jacobs, D-Calif. “I will continue to monitor this rulemaking process and keep working to protect reproductive health care access and privacy.”
Jacobs alongside Rep. Anna Eshoo, D-Calif., co-sponsored the Secure Access for Essential Reproductive (SAFER) Health Act, which would ensure the reproductive health care data could not be used against patients in court.
“I’ve been sounding the alarm on what I call ‘uterus surveillance’ since day one, and I’m glad to see HHS taking important steps to strengthen patient privacy,” said Sen. Ron Wyden, D-Ore. “I’ll be watching closely to ensure Republican prosecutors and judges don’t try to undermine this new HHS rule as its implemented, and I’ll continue to fight like hell to make sure pregnant women everywhere have ironclad privacy protections.”
Concerns over escalating attacks on reproductive health access were enflamed last week by a ruling by a Texas federal judge suspending the FDA’s approval of the abortion drug mifepristone.
Official health records are far from the only means that law enforcement has of acquiring sensitive health data. Companies including Facebook, Google and telehealth companies also collect data related to reproductive health care. The FTC has committed to cracking down on companies that abuse sensitive health information and last summer sued a data broker for selling information that could be tied to abortion clinic visits.
Private messages have also been used in the prosecution of abortion-related cases. In one high-profile instance, Nebraska authorities used a search warrant to obtain Facebook messages to investigate a young woman and her mother for the death of a fetus. However, the warrant did not mention abortion, according to Facebook, leading to concerns to advocates that specific protections for abortion-related information may not deter law enforcement from gathering sensitive data.
States including California and New York have passed their own laws protecting abortion-related data.
Updated April 12, 2023: To include additional comments.