Most consumers think the Health Insurance Portability and Accountability Act (HIPAA) is a lot broader than it is.
But in a post-Dobbs world, it bears repeating: HIPAA doesn’t cover all health data, including reproductive health information collected through phones, tablets and other devices.
Although the HIPAA Privacy Rule does give people control over whether and how their data is used and disclosed for marketing purposes, it only applies to “protected health information.”
“If it’s not a health insurance company or a doctor’s office, sharing health information is not protected by HIPAA,” said Jacqueline Ayers, SVP of policy at the Planned Parenthood Federation of America, speaking at the IAPP Global Privacy Summit in Washington, DC, on Tuesday.
HIPAA doesn’t cover ovulation apps, period trackers, blood pressure apps or blood sugar tracking apps – in fact, it doesn’t cover the data shared with or collected by any type of health app unless the app was provided by a covered entity or its business associate.
Messaging services are also vulnerable.
For instance, unencrypted chat logs have already been used as the basis for prosecution against women who sought an abortion or related services, including in Nebraska.
State of flux
Now that abortion-related care is being regulated by states, the US has become a “legal minefield” for consumers and for privacy and legal experts, Ayers said.
Even if someone leaves a banned state and receives abortion-related care in a state where it is legal, there is concern that their information could be shared with law enforcement in their home state.
Although multiple state legislatures, including California, Colorado, Michigan and Maine, have passed laws that prevent reproductive health care records from being shared out of state, the majority of states aren’t thinking about protections beyond HIPAA.
As a result, “patients are very confused. and there’s a lot of misinformation right now,” she said.
Make no assumptions
And yet the onus continues to be on people to take steps to protect themselves in the absence of a consistent legal framework.
“You have to be hypervigilant about your own privacy – and there are no assumptions,” said Melanie Fontes Rainer, director of the Office for Civil Rights (OCR) at the Department of Health and Human Services.
In late June 2022, just a few days after the Supreme Court overturned Roe v. Wade, the Office for Civil Rights issued guidance to clarify what is and isn’t covered under HIPAA and to remind health care providers that they aren’t required under federal law to disclose private medical information to third parties.
The OCR also shared advice for how regular people can stay safe, including not opting into location tracking, turning off location services on Apple and Android devices, deleting ad IDs on Android and turning off personalized advertising on iOS and avoiding downloading “unnecessary or random apps.”
Separately, President Joe Biden’s administration is working on a proposal that would update HIPAA to better protect patients that need reproductive care, though details are still scant for now.
Meeting the moment
Meanwhile, businesses and people are grappling with situations that might have sounded like edge cases before Dobbs but now present real problems that need serious consideration.
Rideshare drivers, for example, are increasingly worried that they might get hit with a lawsuit for bringing someone to a reproductive health care center. Taxi and rideshare drivers that transport people to a clinic are potentially culpable and could be fined up to $10,000 in states like Oklahoma or Texas with strict anti-abortion laws in place.
Uber and Lyft have pledged to cover the legal fees in the event any of their drivers are sued under these laws. But even so, some drivers have become wary of dropping people off at reproductive health clinics, Ayers said, and they’re asking riders if they can drop them off a few blocks away.
HIPAA doesn’t touch any of this weirdness.
“The law is just not able to keep up with where we are at this moment in history,” Ayers said. “Until the laws get there, how data is treated and how privacy experts respond … will be the bellwether for what happens to people in their individual lives.”