Patient privacy is evolving rapidly in the post-Dobbs era, according to healthcare and life science lawyers in a webinar hosted by the American Bar Association on Wednesday.
“For now, a request from law enforcement personnel for protected health information is not valid unless it is pursuant to a process or as otherwise required by law,” said Lynn Barrett, a healthcare lawyer at Wachler & Associates.
Barrett and other panelists were discussing what the Health Insurance Portability and Accountability Act (HIPAA) actually protects as it pertains to reproductive health data following the Dobbs decision in June and how the Office for Civil Rights (OCR) is carrying out those rules. Physicians, reproductive clinics and femtech companies need to understand this intimately to mitigate liability as well as protect patients.
Barrett, who is based in Florida where abortion is restricted, explained that if a patient were to go to their doctor and say they’re pregnant but don’t plan to have the baby, the provider wouldn’t be required to disclose that information to a law enforcement officer.
“What OCR is saying is that the intention to do something cannot be reported under HIPAA,” Barrett said.
The OCR worked with the American Medical Association and other medical organizations to develop their legal position, which is, “It would be inconsistent with professional and ethical standards to disclose to law enforcement anything regarding an individual’s interest, intent or prior experience with reproductive health,” Barrett said.
An interesting situation will be the federal preemption issues that occur if a physician in Texas or Florida or another restrictive state decides to call law enforcement, Barrett said, referring to when federal law and state law conflict each other.
When it comes to medical information that’s not shared with a provider, but that’s related to a personal device, such as a cellphone or laptop, it’s even trickier. HIPAA does not protect information on personal devices.
“If law enforcement suspects that an individual has had an illegal abortion, they could go and request access to that individual’s phone, their applications that they‘re using, their femtech apps, anything like that,” said Bethany Corbin, a femtech lawyer at Nixon Gwilt Law.
As a result of increased privacy concerns, some femtech apps, such as the period tracking app Flo, have enabled an “anonymous” mode, Corbin said. Still, she would caution against users having a “false sense of security” because it’s unclear what “anonymous” means.
“That’s something we’re going to have to continue to watch to see how many apps come out with those modes, and if there’s any further regulation of that,” Corbin said.
The value of health data on the black market, just a general healthcare record is about $250, Corbin said. And if you compare that to something like a credit card, a credit card goes for about $5.60 on the black market. So the value of health data is already hugely increased from almost any other type of data you can get on the black market, Corbin said.
She also pointed out that some femtech companies have added a paid version of their free apps which adds more privacy, so customers can have a sense of security, but this is also new territory and there needs to be more regulation, Corbin said.
Another panelist, Heather Deixler, a partner at Latham and Watkins in the healthcare and life sciences practice area, said there’s a high need for a federal privacy law to protect reproductive healthcare information and the “patchwork” laws that vary state by state is very difficult to navigate.
Deixler said there’s an analogy to draw between how patient data is protected when it involves reproductive health and when it involves substance use disorder. For example, she said, when a patient is recovering from substance use disorder, their patient information is protected from law enforcement, even though what they’re doing is engaging in illegal acts of abusing substances.
“Taking that approach could be a really good way to limit this [reproductive health] information from being disclosed to law enforcement,” Deixler said.
Deixler also described how the Federal Trade Commission has reacted to privacy concerns. In one case she described, the FTC sued data broker Kochava for selling patient data that tracked when people visited a reproductive health clinic.
Also, the FTC has sued period tracking app Flo for selling data to Facebook and Google without the patient’s consent.
“They were saying they weren’t sharing data with third parties but they were,” Deixler said of Flo. “Part of what the FTC did was enforce transparency and said you need to get consent with individuals before sharing information.”
The case was a “wake up call” for people using these apps, Deixler said.
In a segment on what tech companies should be doing amid privacy issues, Deixler suggested tech companies use end-to-end encryption to protect patient data, limit the collection and sale of information that can reveal pregnancy status, stop using artificial intelligence tools that reveal pregnancy status, and vet data sharing relationships.