{"id":104456,"date":"2024-06-24T15:44:06","date_gmt":"2024-06-24T19:44:06","guid":{"rendered":"https:\/\/cdt.org\/?post_type=insight&p=104456"},"modified":"2024-06-26T13:12:08","modified_gmt":"2024-06-26T17:12:08","slug":"dobbs-a-two-year-retrospective","status":"publish","type":"insight","link":"https:\/\/cdt.org\/insights\/dobbs-a-two-year-retrospective\/","title":{"rendered":"Dobbs \u2013 A Two Year Retrospective"},"content":{"rendered":"\n

Also authored by CDT Intern Ebie Quinn

I. Introduction

Two years ago, the Supreme Court decided Dobbs v. Jackson Women’s Health Organization, reversing prior court precedent under Roe v. Wade and its progeny that guaranteed constitutional protections for abortions. As a result of Dobbs, individual states were given the ability to decide how, and how much, to burden abortion practices and reproductive health care in general. States have responded to Dobbs in a variety of ways. While some states have expanded and codified access to abortion, others have severely restricted or prohibited abortion entirely.

States that have criminalized or otherwise restricted abortions will seek to enforce those laws. One common way to prove such allegations is by collecting data about the content of people’s text messages, their purchase history, or their visits to certain doctors. For instance, in 2022, law enforcement in Nebraska attempted to use private online communications to prosecute a mother for assisting her daughter in connection with an alleged abortion. Police involved in this investigation sent a warrant to Facebook and retrieved the contents of private messages between the mother and daughter for use in a criminal prosecution. Moreover, given the growing prevalence of medication abortion — and the ability to receive reproductive health services via telemedicine — enforcement of anti-abortion laws may increasingly rely on digital and electronic information.

The looming threat of criminal penalties has also undermined trust between patients and health care providers. Patients who worry that the information they share with doctors and hospitals may be used against them will be much less likely to be truthful and candid with their providers, which can result in lower quality and less beneficial health care.

Medical privacy has been dramatically reshaped in the two years since Dobbs. This post describes these changes at both the state and federal level. Moving forward, CDT believes it is essential to ensure that patients have a full expectation of privacy when it comes to health care data – as well as the broad range of seemingly unrelated data that can be used to deduce health care activities – and that companies, who can be compelled to share private information in lawsuits and investigations, minimize the collection, storage, and sharing of sensitive health data in order to enhance users’ trust and privacy.

II. State Activity

In the wake of Dobbs, several states have taken measures to protect sensitive health data. Some states have enacted privacy laws, either comprehensive or health-specific. Through legislative action and governor-issued executive orders, some states have also enacted “shield laws” which restrict the sharing of data related to reproductive health care in various forms, such as in response to an out-of-state investigation. By implementing these shield laws, states aim to protect the data of patients and providers within their jurisdiction, regardless of whether or not the patient is a state resident. CDT’s June 2024 Issue Brief, Two Years After Dobbs: An Analysis of State Laws to Protect Reproductive Healthcare Information from Interstate Investigations and Prosecutions, describes these laws in depth.

Health Privacy Laws

In the two years following the Dobbs decision, states including Washington, Connecticut, and California enacted data privacy protections that either include or specifically address sensitive health data — as well as other forms of sensitive data that may be used to determine health status and activities.

Washington: My Health, My Data Act

In 2023, Washington State did what many other states and the federal government have not: it passed a comprehensive health privacy bill, which went into full effect on March 31, 2024. Under the My Health, My Data Act, Washington residents have more agency and control over how their health data will be collected, used, and shared by companies. While this bill is not perfect, it’s an important model for lawmakers seeking to enact meaningful privacy protections.

The legislation responds to countless instances in which data about a person’s health, including reproductive health data, has been collected, used, or shared in harmful ways. Key provisions of the bill stop companies from collecting or sharing consumer health data when that data is not necessary to provide a product or service that a customer has requested. These are strong limitations and are similar to those found in other legislative proposals, like the federal American Data Privacy and Protection Act (ADPPA) introduced in Congress in 2022, and the American Privacy Rights Act (APRA) introduced in Congress in 2024. Washington’s My Health, My Data Act also has robust mechanisms for people to access and delete their health data.

Connecticut: Online Privacy Act

Connecticut enacted Public Act 23-56, the Online Privacy Act, in order to strengthen protections for sensitive health data. This act introduces safeguards on the collection and storage of sensitive health data by businesses in the state. It requires that businesses allow consumers to view their personal data and have the option to delete it. The act explicitly includes information about reproductive health and gender-affirming care in its definition of “Consumer Health Data.” Importantly, the Online Privacy Act includes a prohibition on geofencing to track consumers and gather/send consumer data within 1,750 feet of reproductive health facilities. Both Nevada and New York have also implemented similar geofencing prohibitions.

California: California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) sets baseline privacy protections for Californians, including the right to know what personal information a business collects, the right to delete that information (with some exceptions), and the right to opt out of the sale or disclosure of that information. The CCPA applies to for-profit companies in California that meet a threshold size of revenue, income, or number of customers. While it does not apply to health information captured by HIPAA (i.e. information held by HIPAA-covered entities such as medical providers and insurers), it does capture sensitive medical data that falls outside HIPAA’s scope (e.g. health information gathered by your smartphone or health tracking app). These types of comprehensive regulations enhance consumers’ ability to exercise control over their own data and mitigate potential data privacy risks post-Roe.

Shield Laws

Shield laws, at their core, aim to protect people’s health privacy by prohibiting entities who hold or can access people’s healthcare information from sharing such information in an investigation or prosecution under the anti-abortion laws of another jurisdiction. States have taken multiple approaches towards this goal, varying in application and scope:

Government Officials

The majority of state shield laws apply to state government officials, such as law enforcement and state courts. These laws prevent officials from assisting other states in abortion-related investigations or prosecutions made possible through Dobbs. This means that state judges and law enforcement are prohibited from issuing or executing subpoenas and other legal process on behalf of an out-of-state investigator, or aiding extraditions that further criminal abortion prosecutions and civil litigation. These restrictions help protect health care providers and recipients from state investigations or lawsuits that may seek to target them even when the care was lawful in the state where it was provided.

Communication Service Providers

States like Washington and California have sought to protect private messages and other digital information by enacting broader laws that apply to electronic communications service providers. These laws prohibit companies like Meta and Google from providing consumer communications and other data, such as web browsing information, for use in out-of-state abortion investigations or prosecution. Under this form of shield law, personal messages sent to a physician or friend are protected from being shared in an anti-choice law enforcement action.

Medical Providers

Some states apply their shield laws to medical professionals, organizations, and electronic health networks. These laws restrict medical providers or other entities that hold medical data from sharing that data for use in out-of-state investigations. These laws take a similar approach to the U.S. Department of Health & Human Services’ recent update to the HIPAA Privacy Rule, which prohibits HIPAA-covered entities from disclosing protected health information to investigators when the healthcare is lawful under the circumstances in which it was provided. This new HIPAA Rule is discussed in more detail below.

Out-of-State Care

In the wake of the Dobbs decision, an increasing number of patients are turning to remotely-prescribed abortion medication. In response, some states have drafted shield laws to protect individuals within their jurisdiction who provide reproductive health care services to people who may be located outside their state. These laws recognize that telemedicine providers, and even in-person providers issuing a prescription for abortion medication like mifepristone, may not know the geographic location where their patient takes the series of pills for a self-managed abortion. The law protects such providers, and prohibits them from sharing patients’ information to support an out-of-state lawsuit or investigation. It seems likely that these laws in particular will be challenged by anti-abortion officials, with some going to the Supreme Court.

Gender-Affirming Care

Finally, some states have protected information relating to gender-affirming care in their shield laws, in addition to information about reproductive health care. These provisions similarly serve to protect doctors and patients from out-of-state investigations by prohibiting disclosure of sensitive patient data related to gender-affirming care.

The below chart provides a summary of the 19 shield laws currently in effect; CDT has also prepared a detailed analysis of these shield laws in each of the states in which they’ve been enacted.

State-by-State Survey*

| State | Restricts communication service providers | Restricts judges’ actions (e.g. issuing a search warrant) | Restricts state officials’ actions | Restricts medical professionals, health info exchanges, & e-health networks | Protects gender-affirming care |
| --- | --- | --- | --- | --- | --- |
| California | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Colorado | ✖️ | ✔️ | ✔️ | ✖️ | ✔️ |
| Conn. | ✖️ | ✔️ | ✔️ | ✖️ | ✔️ |
| Delaware | ✖️ | ✔️ | ✖️ | ✔️ | ✖️ |
| Hawaii | ✖️ | ✔️ | ✔️ | ✔️ | ✖️ |
| Illinois | ✖️ | ✔️ | ✖️ | ✖️ | ✔️ |
| Maine | ✖️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Maryland | ✖️ | ✔️ | ✔️ | ✔️ | ✔️* |
| Mass. | ✖️ | ✔️ | ✔️ | ✖️ | ✔️ |
| Michigan | ✖️ | ✖️ | ✔️ | ✖️ | ✖️ |
| Minn. | ✖️ | ✔️ | ✔️ | ✖️ | ✔️ |
| NJ | ✖️ | ✖️ | ✔️ | ✔️ | ✔️ |
| NM | ✖️ | ✔️ | ✔️ | ✔️ | ✔️ |
| NY | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Nevada | ✖️ | ✖️ | ✔️ | ✖️ | ✖️ |
| Oregon | ✖️ | ✔️ | ✔️ | ✖️ | ✔️ |
| RI | ✔️* | ✔️* | ✔️ | ✖️ | ✔️* |
| Vermont | ✖️ | ✔️ | ✔️ | ✖️ | ✔️ |
| Wash. | ✔️ | ✔️ | ✔️ | ✖️ | ✔️ |

✔️* = legislation that has passed the state legislature and awaits the governor’s signature

III. Federal Protections

In addition to the state action prompted by Dobbs, the decision prompted renewed calls for comprehensive and health-specific privacy protections at the federal level. In the absence of legislative movement, executive agencies used their existing authority to protect the data of those seeking and providing reproductive health care.

Key actors included the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) and the Federal Trade Commission (FTC), which issued guidance and brought new enforcement actions against entities that failed to protect people’s private health information.

HHS Office of Civil Rights

Earlier this year, the Department of Health and Human Services’ Office of Civil Rights took a crucial step in protecting sensitive reproductive health data with its new HIPAA Privacy Rule to Support Reproductive Health Care Privacy, which updated the Privacy Rule it issued under the Health Information Portability and Accountability Act (HIPAA). Specifically, the rule prohibits covered entities from complying with requests and legal process – like subpoenas, court orders and warrants – involving reproductive health care for use in an investigation or prosecution if the care was legal in that state. Covered entities may only comply with requests for data related to reproductive health care if the request is accompanied by a signed attestation stating that the data will not be used for an investigation or prosecution of abortion-related laws.

In issuing this rule, HHS OCR sought to respond to increasing mistrust in the medical system post-Dobbs, as patients fear their medical data might be shared without their knowledge, and even used against them in court. The HHS OCR rule helps to create an ecosystem in which patients can safely seek out reproductive health care and share information with their doctor confident that their data will be kept private.

This rule also seeks to empower providers of reproductive health care. Previously, the HIPAA Privacy Rule operated on a permissions basis, in which providers had discretion when responding to requests by law enforcement for patient data related to reproductive care. However, the uncertainty of the discretionary model put the burden on doctors and providers, who often felt pressured to comply with requests from law enforcement, to discern and fulfill their affirmative obligations. In shifting the model from permissions to prohibitions, HHS OCR simplifies the decision-making process for health care providers, empowering them to protect their patients.

In addition to the new final HIPAA rule, HHS OCR has taken additional actions to keep health data private. In December 2022, HHS OCR released a Bulletin highlighting the important privacy obligations under HIPAA that health providers (like doctors’ offices and hospitals) must follow when using apps and websites. OCR’s bulletin is designed to address an ongoing problem where data shared by patients with their health providers is also being inappropriately shared with advertisers. There are ample news accounts of health providers’ services, like patient portals, containing tracking technologies, such as cookies or “beacons,” that can collect and share people’s health information with unrelated third parties to be used for purposes such as targeted advertising. This bulletin has been subject to legal challenges and in June of 2024, a federal judge in Texas found portions of the guidance unlawful. At the time of writing, it is unclear how OCR plans to proceed in the wake of this ruling.

HHS OCR has also partnered with the U.S. Food and Drug Administration and the Federal Trade Commission to release a Mobile Health App Interactive Tool. This interactive tool is designed to assist mobile health app developers in identifying which federal laws and regulations may apply to their apps. Checking this tool early in the development of consumer-facing products, well before any digital health app is released, can ensure apps are in compliance with applicable privacy laws.

Federal Trade Commission

The Federal Trade Commission (FTC) is also using existing authority to address privacy concerns after the Dobbs decision. The FTC has used its authority in several ways to protect health data, including through rulemaking and through its enforcement actions against particular companies.

Rulemaking

On May 30, 2024, the FTC published the final version of the Health Breach Notification Rule (HBNR), which sets forth the protocol in the case of a breach of health data. Since the FTC enacted its initial HBNR in 2009, the number of health tracking apps has dramatically increased and Dobbs has created new health privacy risks, making it critical for the FTC to clarify that HBNR applies to this novel form of data collection. The final rule requires entities that manage personal health records (but are not subject to HIPAA) to notify the FTC, the consumer, and in some cases the media following a breach of personally identifiable health data. The update of the rule clarifies its applicability to health apps, and strengthens the notification mechanisms in this space.

Enforcement

Additionally, the FTC has initiated a range of enforcement actions, including against GoodRx, Easy Healthcare, and Kochava. This increase in consumer protection enforcement sends a message similar to that of the updated HBNR: if companies plan to handle data related to reproductive health in a post-Dobbs world, they must proceed with caution.