Millions of women use reproductive health apps (or “apps”) to track menstrual cycles, ovulation and pregnancy. These apps give women using the rhythm method of birth control, and women looking to become pregnant, access to more accurate information about their reproductive system. To accurately track a user’s reproductive cycles, many health apps require users to share highly sensitive and personal health data. This sensitive data is usually stored and may include dates of ovulation, conception, and, if applicable, the start and end of a pregnancy. Needless to say, reproductive health app developers manage and maintain a data platform that contains some of the most sensitive and private information about their clients.
The highly sensitive and private customer information contained in reproductive health apps has come to the forefront of the changing landscape of abortion laws in the United States. The Supreme Court of the United States’ (“SCOTUS”) decision to overturn Roe v. Wade authorizes states to limit, restrict and criminalize abortion. Up to half of all US states have some form of abortion ban in effect, or one that is expected to come into effect in the near future, due to the SCOTUS decision. These laws prohibiting abortion are often called “trigger laws”. State laws that criminalize abortion could have an immediate impact on how reproductive health apps implement and enforce personal health data security measures (that is to say, privacy policies and procedures).
Additionally, developers of reproductive health apps should consider enhancing their patient privacy protocols in light of some state abortion laws that place the enforcement of these laws in the hands of private citizens, as described below:
- A Texas law prohibits abortion as soon as heart activity is detectable – usually at about six weeks. This abortion law provides citizens of Texas with a private right of action to enforce the ban. Texas law explicitly offers a reward of at least $10,000 to anyone who successfully sues an abortion provider, a person who obtains abortion services, and/or a person who assists another person in obtaining abortion services.
- A new Oklahoma law completely bans abortion in Oklahoma. The law prohibits providers from performing abortions in Oklahoma, with very limited exceptions, and prohibits anyone from assisting a pregnant person in having an abortion. Similar to the Texas law, the Oklahoma law puts enforcement in the hands of certain private citizens and offers a monetary reward to anyone who successfully sues an abortion provider or anyone who helps a pregnant person to access abortion services.
Because reproductive health apps store personal health data related to menstruation, ovulation, conception, and pregnancy, these apps have access to data indicating that a pregnancy has ended. This type of information is particularly sensitive in light of trigger laws and other state laws related to abortion.
It is important to note that reproductive health apps are generally not subject to the Health Insurance Portability and Accountability Act of 1996 and its regulations (“HIPAA”) or the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Although information entered by customers into the app likely meets the definition of “protected health information” under HIPAA, reproductive health apps do not perform standard transactions (e.g., submitting insurance claims) and, therefore, such applications are not “covered entities” (as defined by HIPAA) governed by HIPAA. Reproductive health apps may be considered “business associates” (as defined in HIPAA) only if the app performs services on behalf of a covered entity or another business associate that involve creating, receiving, maintaining, or transmitting electronic protected health information (as defined by HIPAA). Thus, unless a reproductive health app conducts standard transactions or qualifies as a business associate under HIPAA, it is unlikely to have an obligation to limit the use or disclosure of customer data in accordance with HIPAA. However, state privacy laws governing personal data will apply, such as the California Privacy Rights Act, Colorado Privacy Act, Utah Consumer Privacy Act and Virginia Consumer Data Protection Act, and, more recently, Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring.
Following the SCOTUS decision, the Department of Health and Human Services’ Office for Civil Rights released new patient privacy guidelines that explicitly outline federal protections for “protected health information,” as defined by HIPAA. The guidelines emphasize HIPAA’s restrictions on the disclosure of protected health information and reinforce the limited circumstances under which organizations subject to HIPAA are permitted to provide such information. However, these guidelines do not create additional protections for protected health information – therefore, a state law that requires the reporting of abortion services to law enforcement personnel would be enforceable, and disclosure by a covered entity or business associate of protected health information related to a patient’s abortion would not be restricted by HIPAA. Reproductive health app providers should be aware that state laws specifically requiring healthcare providers to disclose patient information related to abortion services could be used by law enforcement to investigate possible violations of state abortion laws.
Given the ubiquity of purchasing datasets from tech companies and the structure of new state anti-abortion laws, it is conceivable that an individual could purchase these datasets and use the information to take legal action against an individual or an abortion provider. It is also conceivable that law enforcement could obtain these datasets, via subpoena, court order, or otherwise, and use them to investigate alleged violations of abortion laws. While these outcomes may seem remote, this is a rapidly evolving area of law where the results remain uncertain. Therefore, reproductive health app companies should understand their privacy policies and review them in light of new state abortion laws, including considering voluntarily complying with HIPAA and HITECH to better protect customer data privacy and security. Reproductive health app developers may also want to take steps to increase the security and integrity of their data platforms, including conducting security risk assessments, reviewing policies and protocols, and identifying risks associated with authorized business transactions involving sensitive customer data. All of these measures would reassure users of reproductive health apps that their sensitive information is appropriately protected and secured as much as possible.