In June, the U.S. Supreme Court Dobbs decision overturned Roe v. Wade’s constitutional abortion protections. The decision has led to a renewed focus nationally and in California on health information privacy surrounding reproductive health care.
Andrea Frey and Kerry Sakimoto of the Hooper, Lundy & Bookman law firm recently discussed with the Connecting for Better Health coalition the implications and considerations for reproductive health data sharing in light of the Dobbs decision. Frey and Sakimoto specialize in health care law and regularly advise clients in the digital health space, particularly around privacy issues at the state and federal levels. They noted that they were not providing legal advice in their presentation.
Frey said that the ruling in Dobbs v. Jackson on June 4 has led to questions about whether existing state and federal laws sufficiently protect patients, health care providers, health plans, and companies that collect and maintain health information.
In the wake of the decision, states have enacted a patchwork of new laws that range from prohibiting abortion altogether to enacting restrictions such as limiting abortions after six weeks of pregnancy. Meanwhile, states, including California and Massachusetts, have put in place or are seeking measures to enhance access to abortion and reproductive health services.
But some states, Frey said, are considering laws that prohibit residents from obtaining abortions in other states, such as California, and punishing those who participate in or “aid and abet” in the procedure. As a result, she said, some state prosecutors and law enforcement agencies may seek patient information to help prove civil and criminal violations of anti-abortion laws.
“It’s really critical that both patients and their providers understand when reproductive health information is protected from disclosures to law enforcement agencies and when it’s not,” Frey said.
Federal and state laws currently offer some protections for patients.
The best-known federal protection is HIPAA, which establishes comprehensive standards for protecting Protected Health Information (PHI).
Sakimoto described certain instances when HIPAA permits that disclosure of PHI, including disclosures required by law, disclosures for law enforcement purposes, and disclosures to avert a serious threat to health or safety.
HIPAA also has limitations in the post-Dobbs era, Sakimoto said, such as if an entity covered under the federal law could face penalties under state law for not complying with a warrant. HIPAA’s restrictions also may not apply to certain technology companies or Direct-to-Consumer (DTC) mobile health applications such as menstrual tracking and fertility tracking apps and potentially search engines such as Google.
“HIPAA and other federal laws continue to serve really important roles, but there are still pretty big and significant gaps here in their ability to fully protect the privacy and confidentiality of reproductive rights,” Sakimoto said.
California also has protections for reproductive health information at the state level.
The Confidentiality of Medical Information Act (CMIA), the primary law addressing the privacy of medical information in California, applies to any business organized for the purpose of maintaining medical information, such as mobile health app companies, Frey said.
In addition to the CMIA, California provides a constitutional right to privacy that extends to a patient’s medical and psychiatric history.
Recent legislative measures include AB 2091, which would enhance protections under the CMIA for medical records related to abortion care that are requested by law enforcement and out-of-state parties seeking to enforce abortion bans. AB 1242 would prohibit certain California-based technology corporations from providing records or information for the investigation or enforcement of another state’s abortion laws.
“These new legislative measures are really important, but they do also raise some pretty complex legal questions given the direct conflict between California law and other states’ anti-abortion laws,” Frey said. “It also puts a lot of providers and companies in the uncomfortable position of having to choose between complying with California law on the one hand and another state’s mandate to disclose information on the other.”
Frey and Sakimoto offer several potential legislative and regulatory measures to help clarify these discrepancies and enhance reproductive health information protections.
These measures include:
-Amending HIPAA’s Privacy Rule and Information Blocking Rule to protect reproductive health information specifically
-Creating legislative limits to the allowable collection, use, and disclosure of reproductive health information
-Requiring individual opt-out for any sharing of reproductive health information
-Providing technical assistance and compliance guidance
-Providing business and workforce compliance review and training
-Enacting access control and segmenting records containing reproductive health information
-Informing or having individuals consent to have their reproductive health information collected, and documented