A journalist reports near a crowd of abortion rights activists outside the U.S. Supreme Court after the Court announced a decision in Dobbs v. Jackson Women’s Health Organization on June 24, 2022 in Washington, DC.
Nathan Howard | Getty Images
The Supreme Court’s decision to overturn Roe v. Wade last month raised concerns that data collected by technology companies and clinics could be used to criminally prosecute people who seek abortions or have pregnancy losses.
Although the federal law known as the Health Insurance Portability and Accountability Act, or HIPAA, protects patient privacy, health care providers can still be forced to release patient data under special circumstances, such as a subpoena or court order.
There is also a lot of data that consumers generate in their daily lives that would not be considered subject to HIPAA and could be used as evidence in court against people who allegedly sought abortions in violation of state laws. or against their suppliers. Legal experts note that search history, text messages, location data and period-tracking apps could potentially be used in court, and in some cases already have been.
While some tech companies, such as Google and menstrual cycle tracking app Flo, have announced steps to better protect their users’ reproductive health data, the security of users’ data remains largely dependent on the services they use in the absence of a federal digital privacy law.
However, some states, including California and Illinois, already have digital privacy laws that can help protect user data more generally. Additional state-level proposals aim to protect reproductive health data in particular, such as Connecticut’s Protection of Reproductive Freedom Act. This bill could help fill some gaps in HIPAA as lawmakers in Congress continue to push for national privacy protections.
Here’s an overview of some current laws and proposals that could protect pregnant people’s information both on and off the Internet.
Health Insurance Portability and Accountability Act (HIPAA)
What it does: HIPAA is a federal patient privacy law passed in 1996 that prohibits health care providers and insurers from disclosing patient information. It is overseen by the Office for Civil Rights at the Department of Health and Human Services.
In general, HIPAA does not allow abortion clinics or health care providers to disclose to law enforcement officials whether a person has had an abortion. If state law prohibits abortion but does not “expressly require” people to report it, an abortion clinic that reports patient information to others would be in violation of HIPAA.
What information is not protected by HIPAA: HIPAA cannot resolve all privacy issues related to reproductive rights. According to recent guidance released by HHS, the law allows an abortion clinic to disclose who performed an abortion in response to a court order or subpoena, which could become even more common in the post- Roe era.
HIPAA only applies to certain types of businesses and professionals. It can only regulate health insurers, healthcare providers, data exchange centers and business partners.
HIPAA cannot protect some of the patient information collected by anti-abortion organizations, such as so-called crisis pregnancy centers, that try to attract and refer abortion seekers. There are about 2,500 centers across the country, according to the Crisis Pregnancy Center Map, a project led by academics at the University of Georgia.
Law on my body, my data
What it will do: The My Body My Data Act is a federal privacy proposal aimed at companies that collect reproductive health information. It would require companies to obtain a consumer’s consent before collecting, storing or disclosing reproductive health data, unless the data is “strictly necessary” to provide a service or product that the consumer has requested. It would also require companies to delete users’ information upon request. The Federal Trade Commission would have the power to enforce the regulations.
What gaps will it fill: While HIPAA mainly covers healthcare providers, this bill focuses on regulating technology companies and apps that collect reproductive health data.
Rep. Sarah Jacobs, D-Calif., a co-sponsor of the bill, told The Washington Post that as it stands without such a law, it is possible “a right-wing nonprofit [to] buy all this data from the various cycle tracking apps” and name every user “who should be pregnant right now but isn’t.”
What is the probability that it will pass? Jacobs appeared to acknowledge in his interview with the Post that the bill is unlikely to become federal law, given Republican opposition to expanding abortion protections. But, she said, the federal bill could inspire and be a model for action at the state level.
Health and Location Data Protection Act
What it will do: That federal bill, introduced by Sen. Elizabeth Warren, D-Mass., and other Democrats in June, would ban data brokers from selling location and health care data.
The bill would give the Federal Trade Commission the power to enforce standards around the sale of health and location information. It would also give attorneys general and individuals the power to prosecute alleged wrongdoing. The bill also promises $1 billion in funding to the FTC over the next decade to carry out its work, including enforcing this law.
What gaps will it fill: While the My Body, My Data Act primarily deals with the collection of health data, Warren’s bill focuses on regulating the sale of location data. The proposal came after Vice reported that data brokers like SafeGraph were selling location data on people visiting abortion clinics.
What is the probability that it will pass? The bill will likely need some Republicans on board to have a chance at passage, a tall order given the party’s general opposition to expanding abortion protections.
State laws and proposals
Pennsylvania Pregnant Information Protection Act
What it will do: That bill, introduced in May by Democratic Rep. Mary Jo Daley, would bar so-called crisis pregnancy centers from disclosing nonpublic health information they’ve collected without express permission.
What gaps will it fill: Recent reports have highlighted the data risks associated with visiting a crisis pregnancy center. Some pregnant people seeking abortions do not realize that the centers may not offer abortion services and instead try to dissuade visitors from terminating their pregnancies.
Federal lawmakers urged Google to make clear to users that such centers, which often have websites designed to look like those of abortion clinics, do not offer abortions. Because these centers are often not licensed medical providers and offer free services, they are not bound by federal health care privacy laws, Time reported, based on conversations with privacy attorneys.
The Pennsylvania bill could make it harder for these anti-abortion centers to disclose information that would otherwise fall into this unprotected zone.
How effective would it be? The bill still allows clinics to disclose nonpublic health information without a warrant if the clinic is required to comply with national, state or local laws or a court order or investigation. This can potentially undermine the effectiveness of defenses.
State asylum laws and proposals
What they would do: These types of bills, passed or introduced in several Democratic stronghold states, would make it easier for pregnant people seeking abortions outside their home states to do so while protecting their information within so-called sanctuary states. This means that if a person in Texas seeks a legal abortion in Connecticut, for example, it may be more difficult for Texas authorities to obtain information about that procedure.
Legislation varies slightly from country to country. Generally, these types of bills seek to prevent certain agencies or providers in their states from having to turn over sensitive reproductive health information to another state that wants to prosecute an alleged abortion under its own laws.
Which countries have them: Two such proposals already signed into law by Democratic governors are the Connecticut Reproductive Freedom Protection Act and New Jersey Assembly Bill 3975/Senate Bill 2633.
Similar bills have been introduced in California, Massachusetts and New York.
What gaps would they fill: As of July 7, nine states had already banned abortions, and four states may soon pass abortion laws, according to Politico. Many people in these states can choose to obtain abortion services in safe harbor states like Connecticut while still facing legal risks in their home states.
This means that this type of legislation can protect travelers from countries that have banned abortion from liability for obtaining such services in a country that has legal abortion services and protective laws.
How effective would they be? Although these laws will protect information about legal proceedings that occur in the states where they exist, patients who live in states with restrictive abortion laws will still need to be aware of where else their medical records may be stored.
“Imagine you’re in Alabama, you come to Connecticut and you get an abortion, and then you go to any other doctor in Alabama. We’re increasingly in a world where your medical record can just follow you back to Alabama,” Carly Zubzycki, a professor of health law at the University of Connecticut School of Law, told the Verge.
In addition, some of the measures include certain exceptions that could allow the transmission of information. For example, New Jersey law allows exceptions for valid court orders or where child or adult abuse is suspected in good faith. But the latest case says that reproductive health services, which are legal in New Jersey, should not be considered abuse.
WATCH: Bipartisan lawmakers debate new framework for privacy legislation