With Roe v. Wade now overturned, patients are wondering whether federal laws will shield their reproductive health data from state law enforcement, or legal action more broadly. The answer, currently, is no.
If there’s a warrant, court order, or subpoena for the release of those medical records, then a clinic is required to hand them over. And patients and providers may be made legally vulnerable by the enormous trail of health-related data we all generate through our devices every day.
As far as health records go, the most salient law is HIPAA — the Health Insurance Portability and Accountability Act. It’s possible that federal officials could try to tweak it, so that records of reproductive care or abortion receive extra protection, but legal experts say that’s unlikely to stand up in the courts in a time when many judges tend to be unfriendly to executive action.
While abortion will remain legal in many states, 22 have laws on the books that will ban the procedure or lead to severely restricted access to it, according to the Guttmacher Institute.
It’s hard to know exactly how state authorities will react to this ruling. Many anti-abortion groups oppose the criminalization of abortion patients. Experts have serious concerns about how holes in privacy laws might potentially open clinicians and patients up to legal action, but the issues discussed here are possible, not certain, consequences of Friday’s decision.
HIPAA in a post-Roe world
“People think HIPAA protects a lot more health information than it actually does,” said Kayte Spector-Bagdady, a professor of bioethics and law at the University of Michigan.
It all comes down to state law. She said the federal privacy rule contains exceptions that could allow prosecutors to compel businesses to relinquish information relevant to a criminal investigation — and the same is true for other kinds of legal action, too.
“All that [a] provider could use to push back is to say, ‘I want to see a warrant,’ or ‘I want to see a subpoena,” said Carmel Shachar, executive director of the Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School.
While many laws limiting abortions have focused on providers, legal experts say some patients could end up being vulnerable, too.
In states that ban abortion, simply the suspicion that a patient had an abortion would be enough to allow law enforcement to poke around in their medical records under the guise of identifying or locating a suspect, said Isabelle Bibet-Kalinyak, a member of Brach Eichler’s health care law practice. “They would still need to have probable cause,” she said.
There are situations in which obtaining certain kinds of sensitive health information can be made more difficult for authorities to access — adding hoops to jump through, without shielding the data entirely. “You can say, OK, well, if law enforcement wants medical records relating to reproductive health, they need to work with a federal prosecutor in order to get them,’ ” said Shachar. “Maybe that would make it so difficult that state prosecutors would be reluctant to take these cases.”
She mentioned certain states’ higher standards for release of mental health records and HIV status, for instance. But those aren’t currently in place for reproductive health care, and would remain permeable.
“I think this is a wake-up call about the limitations of HIPAA,” said Adrian Gropper, chief technology officer of the Patient Privacy Rights Foundations. Though abortion is a highly partisan issue, he sees the need for better patient privacy laws as one that both Democrats and Republicans could agree on.
For now, most health law experts see very little protection of patient privacy. Look at the history of HIPAA-related cases, Gropper said, and “you would find very few examples of enforcement actions for patient privacy breaches.”
The free-flow of data in health care and the broader economy may also be used to directly discriminate against people based on their use of reproductive health services. If an employer has a certain position on abortion, you may be denied a job if “they used some predictive algorithm” to examine data available to employers on your medical care, said Andrea Downing, president and co-founder of The Light Collective, a nonprofit that advocates for stronger health data protections.
“Anything you do in health care, in our current state of (regulation), can be used against you,” she said.
Health data beyond HIPAA
In states with abortion bans, patients have more than their official medical records to think about.
“If I was giving my sister or best friend some advice, the first thing I would say is to be very careful about what data in general you’re generating,” Shachar said. “We think about medical records, but our phones collect an amazing amount of data. It’s not a good idea to send texts about your intent to seek an abortion. It’s not a good idea to use an online payment app to buy these services. You might want to leave your phone at home as opposed to taking it to the clinic. You may not even want to search for abortion providers on your phone or computer.”
Spector-Bagdady added that a large economy of health information also operates beyond the control of HIPAA, allowing the makers of period-tracking apps and other devices to share customer information with third parties in some instances.
“Some of these (businesses) have sold or shared information that is fully identified in the past with other companies such as Facebook,” she said. She noted a lawsuit the state of California recently pursued against Glow, a company that makes menstrual cycle tracking software, for sharing reproductive health information outside the app. But the violation in that case stemmed from more rigorous data protection rules in California that are not in place in other states.
In addition, neither HIPAA, nor state consumer protection rules, prohibit the disclosure of huge amounts of health information transmitted outside medical settings — in retail stores, social media sites, online shopping accounts, text messages, and elsewhere.
“The more online you are, the greater your exposure,” said Eric Perakslis, a health privacy and cybersecurity expert at Duke University. “You have your CVS account, your online patient portal, your email where appointment reminders are sent, your SMS stream on your phone. You can see how the threat compounds. It’s very difficult for people to think through that because they compartmentalize.”
The impact of the ruling will also create greater disadvantages along racial and economic lines, because people with the fewest resources cannot always afford to get services from providers that offer stronger privacy protections, Perakslis said.
“People with less means might be using the free clinic or Planned Parenthood, whereas the wealthy and well-insured are going to the nice medical office building,” he said. “The data kind of stands out more. People with less means are more exposed.”
Crossing state lines for an abortion
One question that remains is what might happen if states try to ban their residents from going elsewhere in the U.S. to seek an abortion.
Justice Brett Kavanaugh’s concurring opinion suggested that crossing state lines should not be prohibited. “He believes there is a constitutional right to interstate travel for abortion,” said I. Glenn Cohen, a professor at Harvard Law School. Cohen wasn’t sure other conservative justices would hold the same view, though.
“There’s something that feels very alarming about a state saying you may not travel outside my borders to receive medical care,” said Shachar. “We’ve traditionally always had freedom of movement between states.” That became an issue during the pandemic, as states tried to put testing mandates into place for out-of-state travelers, but “ultimately the state didn’t really have great levers to require that.”
Of course, interstate travel, if legally protected, “may be an option for some individuals, but not if you have disability, or you’re poor or you have an abusive partner who will beat you up if they find out,” said Cohen.
Murky distinction between abortions and miscarriages
Another issue is that the same medications that are used for chemical abortions are also used to treat miscarriages, to ensure that they are safely expelled from the body.
“In the medical records, it’s going to be hard to distinguish who is seeking an abortion, and who is seeking care after happening to miscarry at home,” said Shachar.
“What alarms me about the lack of privacy of medical records is, even if you’re a provider who isn’t providing abortions, but you’re providing good care for your patients, some of whom are miscarrying, those medical records could be discoverable, and could be used in criminal cases against the provider.”
While people have have already been prosecuted for miscarriages in a number of states — in cases of drug use during pregnancy, for instance — experts warn that those sorts of cases might become more common. That’s just one of the instances in which this Supreme Court decision may reveal the holes in American health privacy laws, and may result in some patients being afraid to seek medical care.