How strong are HIPAA protections in a post-Roe world?

PolitiFact | Some abortion rights advocates warn that the recent overturning of Roe v. Wade could put women at risk of having their personal medical records used by law enforcement.
A clinic security officer, center, attempts to keep anti-abortion activist Doug Lane, left, from a physical confrontation with sign-carrying abortion rights supporters, who are using noisemakers to drown out Lane's bullhorn outside the Jackson Women's Health Organization clinic in Jackson, Mississippi, on July 6. The clinic is the only facility that performs abortions in the state. [ ROGELIO V. SOLIS | AP ]
Published July 14, 2022

Now that the Supreme Court has overturned Roe v. Wade, more than a dozen states are moving toward outlawing or severely restricting abortion within their borders. Some abortion rights advocates have warned that this could put women at risk of having their personal medical records used by law enforcement.

There is no guarantee that such intrusive tactics will come to pass. In fact, most states that have passed restrictive abortion laws have — for now, at least — specified that the woman who has an abortion would not be criminally prosecuted.

However, anyone in these states who performs or enables an abortion could still face criminal prosecution, as long as a prosecutor was intent on trying it. And the privacy laws currently on the books — notably the Health Insurance Portability and Accountability Act, or HIPAA — wouldn’t provide much protection for medical data if such prosecutions went ahead, a half-dozen experts in health and privacy law told PolitiFact.

“It is clear that (Health Insurance Portability and Accountability Act) is poorly protective against subpoenas and direct legal action,” said Eric Perakslis, the chief science and digital officer at Duke University’s Clinical Research Institute.

HIPAA protections and their exceptions

As a general rule, privacy protections for medical records — familiar to most Americans from the reams of paperwork they fill out at doctors’ offices — are clear and reasonably protective.

“The (Health Insurance Portability and Accountability Act) privacy rule generally protects medical information that is stored by health care providers, insurers, clearinghouses that work on billing and their business associates,” said Sharona Hoffman, a professor of law and bioethics at Case Western Reserve University.

But there’s an exception for law enforcement activities, and in the post-Roe world, this exception looms large.

That’s because a formerly legal activity — abortion — has or will soon become illegal for millions of Americans. By turning abortion into a criminal act almost overnight, law enforcement suddenly has at its disposal a major tool to pierce privacy restrictions, if it so desires. Sidestepping the Health Insurance Portability and Accountability Act would typically require a court order, subpoena or summons.

“In a state that criminalizes abortion, local prosecutors and investigators could likely use these exceptions to access medical information,” said Carmel Shachar, executive director of the Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School.

Within days of the Supreme Court’s decision to overturn Roe v. Wade, the federal Department of Health and Human Services issued new guidance about ways in which the Health Insurance Portability and Accountability Act does and does not protect medical privacy in places where abortion is illegal.

Here’s one hypothetical example cited in the Health and Human Services’ memo: “A law enforcement official presents a reproductive health care clinic with a court order requiring the clinic to produce (private health information) about an individual who has obtained an abortion. Because a court order is enforceable in a court of law, (the Health Insurance Portability and Accountability Act’s privacy rule) would permit but not require the clinic to disclose the requested (information). The clinic may disclose only the (information) expressly authorized by the court order.”

While the guidance emphasizes that the clinic is not required to share the information, the clinic would be under intense pressure to yield to law enforcement’s demands. If it refused, the clinic would leave itself open to a legal challenge and would have to spend money and time to defend its refusal in court — with no guarantee of success.

“If the request was properly served and otherwise consistent with state law, it would be difficult to challenge, although an attorney could always try to request protections for that information after the fact,” Dianne Bourque, an attorney with the law firm Mintz, told the health publication STAT.

In states with abortion bans, merely suspecting that a patient had an abortion could be enough to secure probable cause that allows law enforcement to seek a warrant for medical records, Isabelle Bibet-Kalinyak, an attorney with the Brach Eichler firm’s health care law practice, told STAT.

Beyond the Health Insurance Portability and Accountability Act, medical professionals might have other tools to keep law enforcement at bay, such as state hospital licensing laws (which may contain confidentiality rules for hospital records that are separate from federal privacy protections) or state medical practice acts (which may impose separate confidentiality requirements on licensed physicians), said Stacey A. Tovino, a University of Oklahoma law professor.

Meanwhile, medical providers could also cite professional ethics codes that permit disclosure only where there is a serious and imminent threat to the health or safety of a person or the public, said Margaret Foster Riley, a University of Virginia professor who teaches health law.

However, whether these ethics codes would trump the law in court is an open question.

Variations in levels of protection

Although privacy protections can be spotty for those living in a state that criminalizes abortion, there is some variability.

In general, medical professionals who are used to working under HIPAA are “conditioned to think carefully about informational privacy,” Shachar said, although a woman could get unlucky by sharing information with pharmacists or doctors whose personal opposition to abortion might lead them to welcome interest from law enforcement.

Beyond health care providers, Shachar said, “there is a lot of health-related data that is generated outside of the hospital or physician’s office, such as texts, social media posts, data from tracking apps and geolocation data. And while some states have regulations protecting these types of data, many states do not.”

One issue that attracted significant attention recently is the question of apps that track women’s menstrual cycles. Such information is weakly protected, if at all, experts said.

“It’s almost surreal that in some states using a period app could get you into trouble,” Deven McGraw, the head of data stewardship at the biotech company Invitae and the former deputy director for health information privacy at Health and Human Services’ Office for Civil Rights, told PolitiFact and Kaiser Health News in May. “But if an abortion is a crime, it could be accessed in building a case against you.”

And period-tracking apps aren’t the only concern, legal experts said. If a woman discloses her pregnancy status in a public forum online, for instance, law enforcement could act on that information without waiting for a subpoena. And the Health Insurance Portability and Accountability Act doesn’t cover such sources as sales records from retail or online stores, social media platforms or personal texts. In its guidance, Health and Human Services specifically noted that the privacy protections don’t extend to information stored “on personal cellphones or tablets.”

“Many tech companies have business models based on packaging and selling the data they have, so people should think very carefully about the technology they are using and interacting with,” Shachar said. Only a few companies, such as Apple, have robust protections, Riley said.

Without much to stop them, law enforcement could notice that “you stop buying tampons, or start buying prenatal vitamins — or even something more subtle like purchasing a large tote bag, unscented lotion and facecloths,” said Kayte Spector-Bagdady, a professor of bioethics and law at the University of Michigan.

While depersonalized data is likelier to be sold to third parties by online entities than is personalized data, even depersonalized data could provide law enforcement with leads, such as which neighborhoods or demographic categories offer the ripest opportunities for enforcing anti-abortion laws, Perakslis said.

“Aggregate data on over-the-counter pharmacy purchases for contraception and pregnancy tests can readily be linked with other nonhealth data, such as that aggregated by the ad tech industry, to drive harmful hypotheses,” Perakslis said. “These types of data are the easiest to get because they are completely unregulated and freely available to license.”

Some Democratic lawmakers are working to stiffen HIPAA protections following the Supreme Court’s action, but it’s far from assured that can be accomplished anytime soon.

Advice for the wary

Experts contacted by PolitiFact unanimously believed that HIPAA and other policies offer weak protections related to pregnancy and abortion in the current environment. As a result, they urged women living in states that ban abortion to act immediately to limit what they say in person or do online to reduce their risk (or others’ risk) from law enforcement actions against abortion procedures.

“I would recommend trying to go about things as if it was 1972, not 2022,” Shachar said. “Don’t create a digital breadcrumb trail by Googling, texting people and bringing your phone to wherever you get treated. If you want to talk to your friends or clinicians, call, don’t text. If you have to use apps and the internet, consider privacy-maximizing browsers and apps.”

Specifically, Spector-Bagdady urged using paper and pencil to track periods rather than an app.

Perakslis agreed that aggressive efforts are warranted.

“I would erase myself from the internet as thoroughly as possible,” he said. “There are lots of articles, old and new, on how to do this. Get a secure web browser. Get a burner phone that you use only for health care. Delete all social media accounts or create new ones using an alias. Delete every (nonessential) app and email account.”