By CDT Intern Siddhu Anandalingam
When the Supreme Court overturned Roe v. Wade last year in Dobbs v. Jackson Women’s Health Organization, access to abortion was limited or completely revoked in many states. Several states have made it clear that they can – and will – use data in their efforts to incriminate people seeking or providing this form of health care, resulting in a need for tighter protections around private information.
While abortion-seekers have some limited means to protect their own data, the responsibility of keeping health data private should not rest only with individuals. Companies need to change their commercial data practices. Although a few companies have taken constructive steps in the wake of the Dobbs decision, they have been limited and have not been nearly enough to provide adequate protections.
As we begin a new year, we need to identify and push for the adoption of more comprehensive models for protecting reproductive health data.
Prior to Dobbs, CDT, with the help of Executives for Health Innovation (EHI), created the “Consumer Privacy Framework for Health Data” (“the Framework”). The Framework’s provisions would require companies to proactively protect non-HIPAA-covered health data by placing meaningful limits on its collection, sharing, and use. In a post-Dobbs world, the provisions of the Framework would reduce the chance such information could be used against a person seeking or providing an abortion, or those aiding them. Adoption of the Framework could address several key aspects of this multifaceted issue and provide protections for those most affected by the ruling.
Dobbs unleashed states that criminalize or otherwise penalize abortions to seek data that would support prosecutions
In places that limit abortion, many types of data could be used to help prove, or at least provide supporting evidence, that someone attempted to receive or received an abortion, provided reproductive health services, or aided someone in doing so. Location data, such as a visit to an abortion clinic, search or purchase history, or information gleaned from a period tracking app are all examples of the types of data that could be used as evidence. Search history data has already been used as evidence against women who have lost a pregnancy, even when the prosecutors could not determine whether it was due to a miscarriage. In 2017, prosecutors in a Mississippi case used the fact that a woman searched for how to “buy Misopristol Abortion Pill Online” ten days before she miscarried as evidence that she bought the pills, even though they could not actually prove that she had bought (let alone used) the pills. In 2015, prosecutors in an Indiana case charged a woman with “feticide” based on evidence that she had previously visited a webpage entitled “National Abortion Federation: Abortion after Twelve Weeks.”
Period-tracking apps have undergone scrutiny due to their ability to store fertility and period cycle information: for interested parties, this data could provide evidence of someone’s perceived interest in abortion, or information contained in the app may be used as evidence of receiving an abortion. Moreover, law enforcement authorities can purchase health information from data brokers that may have received it from a variety of sources. In July 2022, Gizmodo identified 32 brokers across the U.S. selling access to the unique mobile IDs from 2.9 billion profiles of people pegged as “actively pregnant” or “shopping for maternity products.”
Current approaches to health data protection do not address the myriad data sets that could be used to infer someone’s health condition. Health data is primarily protected via the Health Insurance Portability and Accountability Act (HIPAA), yet that law covers only specific entities and does not attach to all health information. For instance, tech companies and apps often process consumers’ health data to provide them with a variety of services, such as fitness tracking and wellness assistance; that data has almost no substantive protection under U.S. law. Moreover, much of the data mentioned above, such as search and location history, does not fall within the scope of HIPAA.
The FTC also has the authority to bring enforcement actions against unfair and deceptive privacy practices, and it exercised that authority when it sued companies that reveal people’s visits to sensitive locations, including reproductive health clinics. But the FTC’s authority is limited and, at least currently, does not provide comprehensive privacy protections.
The Protections Set Forth in the CDT Framework Would Provide Substantial Benefits
CDT and EHI created the Framework to identify potential privacy protections for non-HIPAA-related health data. The collection, sharing, and use of this type of data has grown exponentially. The Framework includes several common-sense provisions requiring companies that collect health data – as well as their service providers and other third parties – to minimize the collection of health-related data and limit its sharing, use, and retention.
The Framework has a broad scope. The definition of protected health data is not simply a list of categories, but instead focuses on how data is used to make inferences, predictions, and conclusions about people’s health. This definition helps ensure that certain data types do not fall through the cracks. Further, the types of entities that are covered are not just hospitals and insurers, as in HIPAA, but instead include any entity “that collects, gathers, or uses consumer health information in any form or medium for nonpersonal purposes.” This definition is designed to cover all relevant data and the entities that collect, share, and use it.
If operationalized, the Framework would help address many of the problematic and harmful data uses now incentivized by Dobbs. The Framework’s data minimization provisions help ensure that data is collected and used only for limited purposes related to the service or product a person wanted and asked for. Moreover, the data retention provisions limit how much health data can be retained and for how long. The Framework would categorically prohibit secondary uses of consumer health information, including those by data brokers.
Transparency and choice are also essential protections included in the Framework. These provisions would ensure that all data collection, sharing, and uses are disclosed to the consumer before they happen. Moreover, consumers would have to give express affirmative consent prior to any data collection, use, or sharing, including for secondary uses of data. For example, the Framework permits the use of a search engine query for “Planned Parenthood locations” to provide search results because that is a limited use for a specific service requested by the consumer. However, the Framework would limit other uses of that data, such as profiling the person or placing them in a particular category of users.
The Framework includes provisions on access, correction, deletion, and portability as well. These rights are important to ensuring people know what health data companies have about them at any given time, and if so inclined, can take action on that data by requiring the company to correct, delete, or port it.
The Framework could be enacted as part of a regulatory regime or voluntarily by companies as best practices to better protect their customers. Overall, if companies followed the Framework’s provisions, they would end up collecting, using, and retaining less data and reduce the potential risk that the data is used in abortion-related criminal or civil cases.