United States: The Biden Administration's Guidance On Risks To Privacy Of Reproductive Health Information Post-Dobbs

Following the Supreme Court's ruling overturning Roe v. Wade in Dobbs v. Jackson Women's Health Organization, the Biden Administration has outlined a framework for federal executive action designed to protect access to reproductive health care. On July 8, 2022, President Biden issued an Executive Order Protecting Access to Reproductive Health Care Services (the "Executive Order") directing federal agencies, including the United States Department of Health and Human Services (HHS), Department of Justice (DOJ), and the Federal Trade Commission (FTC) to take various steps to address "this health crisis."¹

HHS and the FTC have subsequently released guidance on what is required by pre-existing regulatory frameworks. As recognized in the Executive Order, overturning Roe "has already had and will continue to have devastating implications for women's health and public health more broadly." Among those implications are the consequences for privacy, particularly the privacy of reproductive health information and other sensitive data, including protected health information (PHI), location information, search history, and online or credit card purchases under pre-existing privacy frameworks.

Businesses that deal with sensitive data should be aware of this evolving federal guidance and framework for agency action and how it may impact their data processing activities overall. For example:

• Covered entities under the Health Insurance Portability and Accountability Act (HIPAA) should evaluate their disclosure practices in light of this latest guidance from HHS to ensure that they are not unintentionally violating the Privacy Rule when attempting to comply with new state laws that are going into effect that may restrict access to reproductive healthcare.
• Businesses that collect sensitive data (including location data) should ensure that they are transparent about their data collection and sharing practices to comply with FTC privacy requirements.
• Businesses that claim to process "anonymized" information should ensure that their anonymization standard complies with FTC guidelines or else risk a potential enforcement action. The risk may especially be heightened if this "anonymized" information is used to target individuals based on their reproductive health status or health outcomes.

The Executive Order includes provisions to protect the privacy of patients and consumers, as well as their access to accurate information about reproductive health care.² In particular, the Executive Order addresses the transfer and sale of sensitive health-related data, digital surveillance related to reproductive health care services, and protection from inaccurate information, fraudulent schemes, or deceptive practices. These provisions and subsequent HHS and FTC action are discussed below.

HHS: Patient Privacy and Health Data

The Executive Order instructs HHS to "consider actions, including providing guidance under [HIPAA] . . . to strengthen the protection of sensitive information related to reproductive healthcare services." Following President Biden's Executive Order, HHS released a press release and guidance ("HHS Guidance") on its role in protecting patient privacy in light of the Dobbs decision. The first part of the HHS Guidance addressed how HIPAA and its regulations protect individuals' PHI in relation to abortion and other sexual and reproductive healthcare. The HHS Guidance makes clear that covered entities under HIPAA can use or disclose PHI, without an individual's signed authorization, only as expressly permitted or required by the HIPAA Privacy Rule.

The HHS Guidance focuses on three scenarios in which an individual's PHI may be disclosed to third parties: (1) disclosures required by law; (2) disclosures for law enforcement purposes; and (3) disclosures to avert a serious threat to health or safety. Under the first scenario (disclosures required by law), HHS noted that the HIPAA Privacy Rule permits but does not require a covered entity to disclose an individual's PHI when such disclosure is required by another law and the disclosure complies with the requirements of the other law. The agency clarified that the permission to disclose PHI "as required by law" is limited to "a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law" and that "disclosures of PHI that...exceed what is required by such law do not qualify as permissible disclosures." For example, if a state law prohibited an individual from getting an abortion after six weeks but did not expressly require hospitals to report alleged violations of the law, a hospital (as a covered entity under HIPAA) would not be permitted to disclose an alleged violation of the state abortion law under the HIPAA Privacy Rule because the disclosure would not be "required by law."

Similarly, the HHS Guidance notes that the Privacy Rule permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes "pursuant to process and as otherwise required by law" (such as subpoenas or other court orders). HHS notes that, in the absence of a mandate enforceable in a court of law, the Privacy Rule's permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider's workforce member chose to report an individual's abortion or other reproductive healthcare. For example, if a law enforcement officer went to a reproductive health clinic (as a covered entity) and requested records of abortions performed at the clinic, the clinic would not be permitted to disclose such records unless this request was accompanied with a court order.

Finally, the HHS Guidance addresses situations where the Privacy Rule permits but (again) does not require a covered entity to disclose PHI in situations where the covered entity (in good faith) believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat. HHS notes that it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual's interest, intent, or prior experience with reproductive healthcare. For example, a healthcare provider that learned that their patient intended to go to another state for an abortion would not be permitted to disclose this fact to law enforcement because the disclosure did not qualify as a "serious and imminent threat to the health or safety of a person or the public."

FTC: Consumer Privacy Protections and Prevention of Deceptive or Fraudulent Practices

The Executive Order encourages the FTC to "consider actions . . . to protect consumers' privacy when seeking information about and provision of reproductive healthcare services" and "to address deceptive or fraudulent practices related to reproductive healthcare services." Subsequently, the FTC reiterated its commitment to fully enforcing the law against the illegal use and sharing of highly sensitive data in a post on its Business Blog. The post first addresses the dynamics of the information marketplace and role of data aggregators and data brokers, noting that connected devices collect sensitive data including precise location and health information and that consumers are often unaware of what happens to this information once it has been collected. As an example of potential misuses of sensitive information related to reproductive health, the post referenced the FTC's recent settlement with Flo Health. After outlining some potential harms caused by the misuses of mobile location and health information, the FTC reiterated its commitment to "vigorously enforce the law" if they discover "illegal conduct that exploits Americans' location, health, or other sensitive data."

For companies thinking about compliance, the FTC stated that past enforcement actions should serve as a roadmap and emphasized a few key points:

• Sensitive data is protected by both federal and state laws, many of which are enforced by the Commission. In addition to Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices, the FTC enforces the Safeguards Rule, the Health Breach Notification Rule, and the Children's Online Privacy Protection Rule.
• Claims that data is 'anonymous,' or 'has been anonymized' are often deceptive and, if untrue, may be a deceptive trade practice that violates the FTC Act. Significant research has shown that 'anonymized data' can often be re-identified. False anonymization claims will trigger FTC scrutiny.
• Citing recent enforcement actions against OpenX, Kurbo/Weight Watchers, and CafePress, the FTC reiterated that consumer data misuse is an area of focus for the FTC.

Companies collecting sensitive data including location and health data should take extra care in claiming that data is "anonymous" or has been "anonymized" and should look to past FTC actions for further compliance guidance. This shows that the FTC may not simply take companies at their word when it comes to anonymization and that they should especially be careful when applying this principle to sensitive data or location information.

Footnotes

1. The accompanying press release ("Fact Sheet") notes that "President Biden has made clear that the only way to secure a woman's right to choose is for Congress to restore the protections of Roe as federal law. Until then, he has committed to doing everything in his power to defend reproductive rights and protect access to safe and legal abortion."

2. Additionally, the Executive Order includes provisions outside the scope of this blog post, including those related to safeguarding access to reproductive health care services, ensuring the physical safety of patients, providers, and third parties and the security of clinics, pharmacies, and other entities assisting in the provision of reproductive healthcare services through cooperation between the DOJ and the Department of Homeland Security (DHS), and the creation of an interagency Task Force on Reproductive Health Care Access led by HHS and the White House Gender Policy Council to coordinate the Administration's efforts.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.