Biden Administration’s Guidance on Privacy Risks of Post-Dobbs Reproductive Health Information – Privacy Shield
Following the Supreme Court ruling overturning Roe v. Wade in Dobbs v. Jackson Women’s Health Organization, the Biden administration has outlined a framework for federal executive action designed to protect access to reproductive health care. On July 8, 2022, President Biden issued an Executive Order Protecting Access to Reproductive Health Care Services (the “Executive Order”) directing federal agencies, including the U.S. Department of Health and Human Services (HHS), the Department of Justice (DOJ), and the Federal Trade Commission (FTC), to take various actions to address “this health crisis.”1
HHS and the FTC subsequently issued guidance on what is required by pre-existing regulatory frameworks. As recognized in the Executive Order, the overturning of Roe “has already had and will continue to have devastating implications for women’s health and public health more broadly.” Among these implications are the consequences for privacy, in particular the confidentiality of reproductive health information and other sensitive data, including protected health information (PHI), location information, search history and online or credit card purchases under pre-existing privacy frameworks.
Companies that process sensitive data should be aware of this evolving federal guidance and agency policy framework and how it may affect their data processing activities generally. For instance:
- Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) should assess their disclosure practices in light of the latest HHS guidance to ensure they are not unintentionally violating the Privacy Rule when attempting to comply with new state laws coming into effect that can restrict access to reproductive health care.
- Companies that collect sensitive data (including location data) must ensure that they are transparent about their data collection and sharing practices in order to comply with FTC privacy requirements.
- Companies that claim to process “anonymized” information must ensure that their anonymization standard complies with FTC guidelines or risk possible legal action. The risk may be particularly heightened if this “anonymized” information is used to target individuals based on their reproductive health status or health outcomes.
The Executive Order includes provisions to protect the privacy of patients and consumers, as well as their access to accurate reproductive health care information.2 In particular, the Executive Order addresses the transfer and sale of sensitive health-related data, digital surveillance related to reproductive health care services, and protection against inaccurate information, fraudulent schemes or deceptive practices. These provisions and subsequent HHS and FTC actions are described below.
HHS: Patient Privacy and Health Data
The Executive Order directs HHS “to consider actions, including providing guidance under [HIPAA] . . . to strengthen the protection of sensitive information related to reproductive health services.” Following President Biden’s Executive Order, HHS issued a press release and guidance (“HHS Guidance”) on its role in protecting patient privacy in light of the Dobbs decision. The first part of the HHS Guidance discussed how HIPAA and its regulations protect individuals’ PHI with respect to abortion and other sexual and reproductive health care. permitted or required by the HIPAA Privacy Rule.
The HHS Guidance focuses on three scenarios in which an individual’s PHI may be disclosed to third parties: (1) disclosures required by law; (2) disclosures for law enforcement purposes; and (3) disclosures to avoid a serious threat to health or safety. In the first scenario (disclosures required by law), HHS noted that the HIPAA Privacy Rule allows but does not require a covered entity to disclose an individual’s PHI when such disclosure is required by another law and the disclosure complies with the requirements of the other law. The agency clarified that authorization to disclose PHI “as required by law” is limited to “a warrant contained in law that requires an entity to use or disclose PHI and is enforceable in court” and that “disclosures of PHI that…exceed what is required by this law are not considered permissible disclosures.” For example, if a state law prohibited a person from having an abortion after six weeks, but did not expressly require hospitals to report alleged violations of the law, a hospital (as a HIPAA-covered entity) would not be permitted to disclose an alleged violation of the state’s abortion law under the HIPAA Privacy Rule because the disclosure would not be “required by law”.
Similarly, the HHS Guidance notes that the Privacy Rule permits, but does not require, Covered Entities to disclose an individual’s PHI for law enforcement purposes “as due process and as otherwise required by law” (such as subpoenas or other court orders). HHS notes that in the absence of a warrant enforceable in court, the Privacy Rule’s authorization to disclose PHI for law enforcement purposes does not permit disclosure to law enforcement when a hospital or other health care provider staff member has chosen to report an individual’s abortion or other reproductive health care. For example, if a law enforcement officer visited a reproductive health clinic (as a covered entity) and requested records of abortions performed at the clinic, the clinic would not be permitted to disclose those records unless such request is accompanied by a court order.
Finally, the HHS Guidance addresses situations where the Privacy Rule permits but (again) does not require a Covered Entity to disclose PHI where the Covered Entity (in good faith) believes that the use or disclosure is necessary to prevent or mitigate a serious and imminent threat to the health or safety of any person or the public, and the disclosure is made to a person or persons who are reasonably capable of preventing or mitigating the threat. HHS notes that it would be inconsistent with professional standards of ethical conduct to release such information to law enforcement or others regarding an individual’s interest, intent, or prior experience in reproductive health care. For example, a health care provider who learns that his patient intended to travel to another state for an abortion would not be permitted to disclose that fact to law enforcement, as this is not considered a “serious and imminent threat to the health or safety of any person or the public.”
FTC: Protecting Consumer Privacy and Preventing Deceptive or Fraudulent Practices
The Executive Order encourages the FTC to “consider actions…to protect the privacy of consumers when seeking information about reproductive health services and the provision of those services” and “to combat deceptive or fraudulent practices related to reproductive health services”. Subsequently, the FTC reiterated its commitment to fully enforce the law against the unlawful use and sharing of highly sensitive data in a post on its corporate blog. The post first discusses information market dynamics and the role of data aggregators and data brokers, noting that connected devices collect sensitive data, including precise location and health information, and that consumers are often unaware of what happens to this information once it has been collected. As an example of potential misuse of sensitive information related to reproductive health, the post referenced the FTC’s recent settlement with Flo Health. After outlining some potential harms caused by misuses of mobile location and health information, the FTC reiterated its commitment to “vigorously enforce the law” if it discovers “illegal conduct that exploits location, health or other sensitive data of Americans”.
For businesses considering compliance, the FTC said past enforcement actions should serve as a roadmap and highlighted a few key points:
- Sensitive data is protected by federal and state laws, many of which are enforced by the Commission. In addition to Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices, the FTC enforces the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule.
- Claims that data is “anonymous” or “has been anonymized” are often misleading and, if untrue, may constitute a deceptive trade practice that violates the FTC Act. Significant research has shown that “anonymized data” can often be re-identified. False claims of anonymization will trigger scrutiny from the FTC.
- Citing recent enforcement actions against OpenX, Kurbo/Weight Watchers, and CafePress, the FTC reiterated that the misuse of consumer data is an area of concern for the FTC.
Companies that collect sensitive data, including location and health data, should take extra care in claiming that the data is “anonymous” or has been “anonymized” and should look to past FTC actions for additional compliance guidance. This shows that the FTC cannot simply take companies at their word on anonymization and that companies must be especially careful when applying this principle to sensitive data or location information.
1. The attached press release (“Fact Sheet”) notes that “President Biden has made it clear that the only way to guarantee a woman’s right to choose is for Congress to restore Roe’s protections as federal law. Until then, he has pledged to do everything in his power to uphold reproductive rights and protect access to safe and legal abortion.”
2. In addition, the Executive Order includes provisions outside the scope of this blog post, including those related to protecting access to reproductive health care services; the physical security of patients, providers and third parties and the safety of clinics, pharmacies, and other entities assisting in the provision of reproductive health services, through cooperation between the DOJ and the Department of Homeland Security (DHS); and the creation of an interagency working group on access to reproductive health care led by HHS and the White House Gender Policy Council to coordinate the Administration’s efforts.