(Originally published by Stanford Health Policy on June 30, 2022)
Michelle Mello writes that the overturning of Roe v. Wade — ending federal protection over a woman’s right to an abortion — could also expose her personal health data in court.
The Supreme Court ruling eliminating the constitutional right to an abortion could also result in women’s personal reproductive health data being used against them, warns Stanford Health Policy’s Michelle Mello.
The Dobbs v. Jackson Women’s Health Organization ruling could, for example, lead to a woman’s health data in clinician emails, electronic medical records, and online period-tracking platforms being used to incriminate her or her health-care providers, Mello said.
“Ultimately, broader information privacy laws are needed to fully protect patients and clinicians and facilities providing abortion services,” writes Mello, a professor of health policy and law in this JAMA Health Forum article with colleague Kayte Spector-Bagdady, a bioethicist from the University of Michigan. “As states splinter on abortion rights after the Dobbs Supreme Court decision, the stakes for providing robust federal protection for reproductive health information have never been higher.”
Eight states banned abortions on the same day the Dobbs ruling came down, and 13 states that had “trigger bans” that, if Roe v. Wade were struck down, would automatically prohibit abortion within 30 days. Other states are considering reactivating pre-Roe abortion bans and legislators in some states intend to introduce new legislation to curb or ban the medical procedure.”
Three Potential Scenarios
The authors note these new abortion restrictions may clash with privacy protections for health information, laying out three scenarios that could impact millions of women. And, they note, “despite popular misconceptions about the breadth of the Privacy Rule of the Health Information Portability and Accountability Act (HIPAA) and other information privacy laws, current federal law provides little protection against these scenarios.”
The first scenario is that a patient’s private health information may be sought in connection with a law-enforcement proceeding or civil lawsuit for obtaining an illegal abortion. HIPAA privacy regulations and Fourth Amendment rights against unreasonable searches and seizures won’t help physicians and hospitals resist such investigative demands, the authors write. And though physician-patient communications are ordinarily considered privileged information, the scope of that privilege varies greatly from state to state. “In many cases medical record information has been successfully used to substantiate a criminal charge,” the authors write.
“Ultimately, broader information privacy laws are needed to fully protect patients and clinicians and facilities providing abortion services.” – Michelle Mello
The second privacy concern is the potential use of health-care facility records to incriminate an institution or its clinicians for providing abortion services. Relevant records could include electronic health records, employee emails or paging information and mandatory reports to state agencies. Clinicians may not realize that if they are using an institutional email address or server, their institution likely has direct access to information and communications stored there, which can be used to search for violations. State Freedom of Information Act (FOIA) laws also allow citizens to request public records from employees of government hospitals and clinics.
“Additionally, state mandatory reporting laws for child abuse might be interpreted to cover abortions — particularly if life is defined as beginning at fertilization,” the authors note.
The third scenario is that information generated from a woman’s online activity could be used to show she sought an abortion or helped someone to do so. Many women use websites and apps that are not HIPAA-regulated or protected by patient-physician privilege, such as period-tracking apps used by millions of women that collect information on the timing of menstruation and sexual activity.
“There are many instances of internet service providers sharing user data with law enforcement, and prosecutors obtaining and using cellphone data in criminal prosecutions,” write Mello and Spector-Bagdady, adding commercially collected data are also frequently sold to or shared with third parties.
“Thus, pregnant persons may unwittingly create incriminating documentation that has scant legal protection and is useful for enforcing abortion restrictions,” they said.
The immediate problem, Mello notes, is in the states that have already banned abortion or passed restrictive laws.
“There could be a problem with states trying to reach outside their borders to prosecute people, but that could well be unconstitutional,” Mello said.
Some states’ laws sweep abortion pills into the definition of illegal abortions, she said, and there are legal obstacles to supplying the pills across state lines.
“There is a lot of energy going into figuring out a workaround right now, but it’s too soon to call,” Mello said.
So how can clinicians and health-care facilities protect their patients and themselves?
When counseling patients of childbearing age about reproductive health issues, clinicians should caution their patients about putting too much medical data online and refer them to expert organizations that will help them minimize their digital footprint.
When documenting reproductive health encounters, the authors said, clinicians should ask themselves: “What information needs to be in the medical record to assure safe, good-quality care, buttress our claim for reimbursement, or comply with clear legal directives?” For example, does information about why a patient may have experienced a miscarriage need to be recorded?
Patients and clinicians should be aware that email and texting may be seen by others, so conversations among staff about reproductive health issues may best be conducted by phone or in person.
Finally, if abortion-related patient information is sought by state law enforcement officials, a facility’s attorney should be consulted about asserting physician-patient privilege and determining whether the disclosure is mandated by law.