
The Antitrust Source | October 2024

Health Information Privacy After Dobbs

Deven McGraw and Andrew K Crawford

Summary

  • The Dobbs decision opened the door to state laws penalizing the delivery and/or receipt of abortion services (or assisting a patient in obtaining abortion services).
  • As a result of these laws, reproductive health data is more likely to be collected and utilized to pursue possible penalties related to abortion care, even in circumstances where the delivery of that care remains legal.
  • With disclosure to law enforcement and other authorities a common exception to privacy protections for reproductive health data, federal and some state lawmakers have acted to strengthen protections for this data.
  • These legal changes – especially recent enhancements to the HIPAA Privacy rule – are comprehensive, but questions remain about whether they are sufficient to protect reproductive health data.

Introduction

The unprecedented overturning of Roe v. Wade removed federal constitutional protections on access to abortion. Specifically, in June 2022, the Supreme Court decided Dobbs v. Jackson Women’s Health Organization, reversing decades of prior court precedent under Roe and its progeny. As a result of Dobbs, states may protect, ban, or severely limit access to abortion and other types of reproductive health care that might involve pregnancy termination, unless their enactments violate state constitutional protections or another, supervening law. Currently 22 states criminalize abortions or have placed more stringent restrictions on the procedure than were permissible pre-Dobbs.

Dobbs has also upended privacy expectations. Although abortion has long been subject to some state restrictions, before Dobbs patients may have had confidence that their health data—for instance, data associated with researching, accessing, traveling to, and receiving reproductive health care—generally stayed private. Dobbs opened the floodgates not only to greater restrictions on reproductive health care but also to increased enforcement of those restrictions, which may involve invasion of patient privacy.

Much of the data that reveals an individual has received reproductive health care is covered by the privacy, security, and breach notification regulations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Although HIPAA’s regulations provide protections for personally identifiable medical records, as well as health plan claims records (collectively known as protected health information or PHI), those rules have always included some exceptions by which law enforcement agencies could obtain access. In response to the changes in the legal landscape for reproductive health care post Dobbs, the US Department of Health and Human Services (HHS) recently finalized changes to HIPAA’s privacy regulations—known as the Privacy Rule—to limit access to data generated by the delivery of legal reproductive health care, if it is being sought by law enforcement or other persons seeking to use that data to penalize a patient or his or her medical provider for the delivery of that care (hereinafter, the “Privacy Rule Reproductive Data Protections”). How well will those protections work to protect health data and what are the gaps that remain?

State law restrictions on reproductive health care in the wake of Dobbs

In the wake of Dobbs, states have generally taken one of two opposing strategies around access to reproductive health care and privacy. The first approach, taken by nearly a quarter of states, is to ban or severely restrict abortions, either through new laws or resuming enforcement of old, pre-Roe laws. Some of these new laws permit the prosecution of people who provide, or otherwise aid in the procurement of, abortions with few to no exceptions, even in cases of abuse and incest. Some states explicitly criminalize self-managed abortions. A few states also allow private citizens to bring civil actions against abortion providers. With these laws in place, and the removal of Roe as a barrier, state-level law enforcement agencies in states opposed to abortion rights have new opportunities to seek PHI to conduct investigations and for criminal prosecutions and civil actions against people seeking, providing, or assisting with reproductive health care, including abortions.

A second approach, taken by twenty states plus the District of Columbia, has been to pass new laws that shore up access to reproductive care and, recognizing that people may travel to seek abortions, to limit the circumstances and manner in which in-state entities and providers may share patient information with entities from states that restrict access to care. Such state actions include governor-issued executive orders, and some states, including California and Maryland, have enacted “shield laws” that restrict the sharing of data related to reproductive health care in various forms, such as in response to an out-of-state investigation. By implementing these shield laws, states aim to protect the data of patients and providers within their jurisdiction, regardless of whether the patient is a state resident. For example, under these newer shield laws, state court judges could be prohibited from domesticating an out-of-state subpoena seeking location data showing that an individual visited an abortion clinic. Additionally, some state shield laws also restrict the activities of communication service providers, like social media companies, headquartered within their borders, precluding their cooperation with surveillance demands relating to reproductive health activities that occur outside the state.

Additional risks to the privacy of reproductive health information

In the wake of new, more restrictive laws, and increased focus on enforcing pre-existing restrictions, law enforcement and civil litigants may turn to entities that collect and store health information to gain access to data that could help prove that a person sought, received, aided, or provided an abortion. The risks of disclosure of reproductive health care information for law enforcement or civil litigation purposes are not hypothetical. Even prior to Dobbs, state-level criminal investigators charged individuals with pregnancy-related offenses, and sought and utilized health information (including PHI covered by the Privacy Rule) as evidence in pregnancy-related prosecutions. In 2010, a woman was arrested for attempted feticide after she fell down the stairs, went to the hospital to check on her fetus, and confessed to a nurse that she had been considering adoption or abortion—the nurse reported her statements to a doctor who called the police. In 2019, the Missouri State Health Director testified at a hearing that he tracked Planned Parenthood patients’ menstrual cycles with a spreadsheet that was compiled by the State’s main inspector to help identify patients who had undergone failed abortions after the state became concerned they were not receiving complication reports for all failed surgical abortions. The Director later denied tracking menstrual cycles but admitted that officials had the data and a spreadsheet did exist. In 2021, a woman gave birth to a healthy baby but provided her obstetrician a list of prescriptions she took during pregnancy, triggering an investigation and, months later, an armed raid of her house. She was charged with felony possession involving prescription fraud because she failed to inform her prescribing doctor that she was pregnant before refilling her lawful hydrocodone prescription—the charges were dropped but not until 2022.

The expectation is that legal action against medical providers who provide abortions, patients seeking and obtaining abortion care, and the individuals who assist them will increase, and that health and health-related data will be sought to support these legal actions. The mere threat of potential prosecution or investigation under some of these abortion restrictions has already suppressed the delivery of reproductive health care, because it causes fear and uncertainty among medical professionals about whether performing certain procedures or administering certain drugs that affect the fetus could put the medical provider or the patient—or both—in legal jeopardy.

Changes to the Privacy Rule in response to Dobbs

Following Dobbs, President Biden issued a series of Executive Orders directing federal agencies like HHS and the Department of Justice (DOJ), as well as the Federal Trade Commission (FTC) to: safeguard access to reproductive health care services, including abortion and contraception; protect the privacy of patients and their access to accurate information; promote the safety and security of patients, providers, and clinics; and coordinate the implementation of Federal efforts to protect reproductive rights and access to health care. Consequently, in April 2024, HHS took a crucial step in protecting sensitive reproductive health data by finalizing the Privacy Rule Reproductive Data Protections.

HIPAA Background

Grasping the impact of Privacy Rule Reproductive Data Protections requires an understanding of the limitations in HIPAA’s scope and the Privacy Rule’s general approach to protecting health care system data.

The Privacy Rule does not cover all health information; instead, it governs PHI collected, used, and shared by physicians and hospitals and health plans. The Privacy Rule grew out of provisions in the original HIPAA statute that called for standardization and digitization of the claims for payment submitted by health care providers to health plans. As a result, the HIPAA privacy provisions govern only the entities involved in those types of transactions.

These health system entities—referred to in HIPAA as “covered entities”—collect vast amounts of health information in the form of medical and claims records that provide intimate details about an individual’s health. HIPAA also covers the contractors that receive sensitive data from these entities to perform services on their behalf (known as “business associates”). (This article will refer to both collectively as “regulated entities.”) HHS wrote the Privacy Rule to accommodate the transfer and sharing of PHI that customarily occurs through the delivery of and payment for health care. For example, the prior consent of a patient is not required in order for doctors and hospitals to share information with one another for treatment purposes, or to review data for quality assurance purposes. Covered entities are permitted to disclose the minimum necessary amount of PHI to public health authorities for public health purposes, or to health plans to be paid or process payments for health care services. Each permitted use and disclosure typically comes with some conditions that must be satisfied in order for lawful use or disclosure to occur under the Privacy Rule. Table A below provides examples of permitted uses and disclosures under the Privacy Rule that do not require patient consent or authorization. Uses and disclosures that are not expressly permitted by the Privacy Rule require the prior written authorization of the patient.

Table A

Permitted Uses and Disclosures under the Privacy Rule

  • Treatment
  • Payment
  • Health care operations
  • Reporting to public health authorities
  • To contractors (business associates)
  • Where required by law
  • For reporting of potential abuse and neglect
  • For health oversight purposes
  • For medical product safety surveillance
  • In response to a court order or subpoena
  • To coroners and medical examiners
  • For national security purposes
  • To avert a serious threat to health or safety
Note: Although all regulated entities are required to comply with the Privacy Rule, business associates may be further limited in their use and disclosure of PHI by their agreements with covered entities, referred to in the Privacy Rule as business associate agreements.

The Privacy Rule permits regulated entities to internally use or externally disclose PHI, meaning the regulated entity has discretion under the Privacy Rule with respect to whether it will use and/or disclose PHI for a permitted purpose—with two exceptions: covered entities must provide a copy of medical records to patients upon their request, and regulated entities must make records available to HHS pursuant to an investigation of alleged HIPAA noncompliance. Indeed, the Privacy Rule contains only a few outright prohibitions with respect to the use and disclosure of PHI: sales of PHI are prohibited unless the patient has authorized the sale, and identifiable genetic health information cannot be used by health insurers to determine health insurance coverage or to decline to pay for care due to a genetic condition, consistent with the Genetic Information Non-Discrimination Act.

The Privacy Rule has always permitted—but does not require—regulated entities to disclose PHI to public officials for certain purposes, including to law enforcement in some circumstances. Table B below provides examples of permitted disclosures for law enforcement purposes. Similarly, the Privacy Rule permits disclosures to public health officials seeking information to perform their public health functions, and to “health oversight agencies” for oversight activities, including administrative or criminal investigations. The Privacy Rule also expressly permits the reporting of suspected child abuse to relevant authorities.

Table B

Examples of Permitted Disclosures for Law Enforcement Purposes under the Privacy Rule

  • In response to a court order or an administrative request.
  • To help locate a suspect or witness to a crime (only some identifying demographic and medical information may be disclosed for this purpose).
  • If the entities believe in good faith that the information is evidence of criminal conduct occurring on facility premises or to report commission of a crime that did not occur on facility premises.
  • To avert a serious threat to health or safety to a person or the public.
  • By workforce members if they believe in good faith that the entity for whom they work has engaged in unlawful conduct or the care the entity provides is a danger to a patient.

When HHS enacted the Privacy Rule, it was seeking to establish clear rules for when identifiable health information could be used and disclosed to allow the health care system to function, while still preserving privacy rights for patients. With increased adoption of electronic medical record systems by health care providers, PHI is increasingly digital, and digital data is easier to share. Law enforcement possesses a host of tools to seek evidence for legitimate investigations, including the procedures outlined in the Privacy Rule for obtaining PHI. For example, the Privacy Rule permits entities to share information with law enforcement about a crime committed on the premises of a health care facility. The Dobbs decision has now inserted tension and ambiguity into situations where law enforcement seeks PHI about reproductive health care. This tension and ambiguity are especially heightened when law enforcement seeks reproductive health PHI about treatments and procedures that are legal in the jurisdiction in which they are provided and received.

Actions to Strengthen the Privacy Rule post-Dobbs

The Privacy Rule doesn’t require data sharing with public officials, including law enforcement. However, the Privacy Rule’s permissive sharing provisions mean that the Privacy Rule does not provide much of a shield. State laws that provide greater protections for health data are not preempted by HIPAA; but absent specific state law protections for reproductive health data, PHI generated out of the delivery of lawful reproductive care could be vulnerable to being disclosed to advance legal actions taken in states with abortion bans or significant restrictions.

In the aftermath of the Dobbs decision, HHS initially issued guidance on June 19, 2022 suggesting that disclosures of reproductive health PHI could occur only where required by law or by court order. However, guidance alone could not change the more expansive permissions in the regulation itself; regulatory changes can occur only through the processes set forth in the Administrative Procedure Act.

Consequently, on April 17, 2023, the HHS Office for Civil Rights (OCR), which oversees policy and enforcement of HIPAA privacy-related regulations, published a set of proposed modifications to the Privacy Rule intended to strengthen protections for reproductive health data. Those modifications, the Privacy Rule Reproductive Data Protections, were finalized on April 26, 2024 and went into effect on June 25, 2024. Most aspects of the Protections are subject to enforcement by December 23, 2024.

In proposing the Privacy Rule Reproductive Data Protections, OCR recognized that the Dobbs decision “makes it more likely than before that individuals’ PHI may be disclosed in ways that cause harm to the interests that HIPAA seeks to protect,” emphasizing in particular the impact of the decision on “access to lawful health care and full communication between individuals and health care providers.” Consequently, HHS chose to preserve the ability of regulated entities to still share reproductive health data to treat patients, to be paid for the delivery of reproductive health care, to facilitate public health reporting, and for all other legitimate functions of the health care system informed by patient medical records. Instead, HHS sought to directly address the problem—use of health information against a patient or their medical provider merely for the delivery of a lawful health care service.

Specifically, the Privacy Rule Reproductive Data Protections now prohibit regulated entities from using or disclosing PHI for either:

  • Criminal, civil, or administrative investigations—or the imposition of criminal, civil, or administrative liability—of any person “for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided,” or
  • the identification of a person for the above purposes.

For example, if a patient lives in a state that restricts abortion care and travels to another state to obtain a legal abortion, the reproductive health data generated from that care episode could not be used or disclosed for any of the prohibited purposes. The prohibition also prevents the use or disclosure of records related to care that is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state where the care is provided. This would include contraceptive care, which is protected by the Constitution under Griswold v. Connecticut.

The Privacy Rule still permits PHI to be used or disclosed for the permitted purposes in the Rule so long as the use or disclosure is not to investigate or bring an action against (either criminal, civil or administrative) a person for the “mere act” of performing, receiving, or helping to facilitate a lawful service. For example, a covered entity provider could still access PHI for defense of a malpractice action or to seek reimbursement for care, or where PHI is sought by a regulator seeking to substantiate that services were delivered consistent with program requirements.

The use or disclosure prohibition applies even if the reproductive health data was not created by the regulated entity. Since 2009, billions of taxpayer dollars have been spent, and policies have been enacted, promoting the interoperability of health information, to break down the silos of patient data to enable patients to receive quality care wherever they need services and facilitate uses of data across the health care system to improve population and public health. Consequently, PHI generated from a lawful service delivered in one state could travel for legitimate purposes to a state where that care is illegal—but the regulated entities in that state would still be prohibited from using or disclosing that data for criminal, civil or administrative proceedings that relate to the mere act of seeking or receiving that care. The Privacy Rule Reproductive Data Protections create a presumption that reproductive health care was lawfully delivered unless the regulated entity receiving the request for use or disclosure of data has actual knowledge that the care delivered was not lawful, or receives sufficient factual information from the requester that “demonstrates a substantial factual basis” that the care was not lawful (for example, the entity has knowledge that the service was required to be provided by a licensed professional and the person providing the care did not have the required license).

To operationalize these prohibitions, the Privacy Rule requires regulated entities, when they receive a request for PHI “potentially related to reproductive health care,” to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement applies only to requests for, or access to, PHI for health oversight activities, for judicial and administrative proceedings, for law enforcement purposes, and for disclosure to or use by coroners or medical examiners. The signed attestation must be in plain English and must include specific elements: for example, a description of the information requested; the names of the individuals (or the class of individuals) whose information is being sought; the name(s) of the requesting person(s); and a clear statement that the use or disclosure is not for a prohibited purpose. The attestation cannot be combined with any other document or contain extraneous information. The attestation must also include a statement that obtaining information from a regulated entity in violation of this prohibition could be subject to criminal penalties.

The Privacy Rule also provides that regulated entities are not in compliance with the new rule if they use or disclose reproductive health data in reliance on a defective attestation. An attestation is considered defective if it lacks a required element, contains additional information that is not a required element, or the regulated entity has actual knowledge that the attestation is false, or if a “reasonable” regulated entity in the same position would not believe the attestation’s statement that the use or disclosure is not for a prohibited purpose. HHS has created a model attestation form that regulated entities may choose to use; entities are also free to use their own forms.

The HIPAA Privacy Rule has always required covered entities to provide a notice of privacy practices (“NPP”) to patients (in the case of health care providers) and beneficiaries (in the case of health plans). The Privacy Rule Reproductive Data Protections now require covered entities to include a provision in their NPPs that describes and includes at least one example of the types of uses and disclosures under the new prohibition “in sufficient detail for an individual to understand [the privacy practices]”. Entities do not have to comply with this particular change to the Privacy Rule until February 16, 2026; HHS also had recently finalized changes to the NPP provisions regarding data covered by federal protections for substance abuse treatment data, and wanted to give covered entities more time to make all of the required changes and comply with distribution requirements.

HHS took further steps to help assure that the permissive provisions of the Privacy Rule could not be further leveraged for investigations or pursuit of penalties for the mere act of delivering or receiving reproductive health care services. For example, they modified the definition of “person” to make clear that it refers to a “natural person (meaning a human being who is born alive).” This is intended to assure that language in the Privacy Rule permitting reports to relevant authorities for purposes of preventing harm to a “person” could not be interpreted to permit the release of reproductive health data in violation of the Privacy Rule Reproductive Data Protections’ prohibitions. They also made clear that the prohibitions apply even to access to PHI by public health agencies or entities acting on their behalf, even when acting within the scope of their authority.

Finally, the new rule does not change the penalties that can be levied for violations of the Privacy Rule. Regulated entities can be subject to a corrective action order (which is typically imposed in settlement of an enforcement case) or civil monetary penalties of between $100 and $50,000 per violation, depending on the level of culpability, with an annual cap of $1.5 million for repeated violations of the same provision. But only regulated entities can be penalized under HIPAA’s civil penalty provisions; requesters of reproductive health data who are not also regulated entities are beyond the reach of those provisions. Although most state public health departments are not HIPAA covered entities, as explained in more detail below, persons outside of HIPAA coverage can be held criminally responsible for obtaining PHI in violation of HIPAA.

Concerns about the Privacy Rule Reproductive Data Protections

In the Privacy Rule Reproductive Data Protections, HHS promulgated a targeted rule intended, on the one hand, to better protect reproductive health data from being used to investigate or bring an action against an individual or a medical provider or health plan, while, on the other, still allowing that data to be shared to provide care to the individual or to facilitate the functioning of the health care system. Nonetheless the rule will still be challenging to implement, and its protections will have some limits.

Broad definition of “reproductive health data”

A regulated entity is required to obtain an attestation that the requested PHI will not be used for a prohibited purpose before disclosing PHI that is “potentially related to” reproductive health care. The definition of reproductive health care is purposefully broad: “health care . . . that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” Because this definition is not limited to abortion, contraception, or pregnancy-related care, and is not defined solely with respect to individuals with female reproductive organs, regulated entities have expressed concerns about inadvertently disclosing PHI that meets this definition without first requesting the attestation. Consequently, entities are considering requiring submission of attestations for all types of requests that would trigger an attestation requirement if reproductive health data were involved, regardless of whether such data is actually contained in the records. The breadth of the definition also makes it difficult to segment the data falling within the definition of “reproductive health data” from other data that might be lawful to share (although segmentation of sensitive data from non-sensitive data has always been a technical and policy challenge).

Limitations on reach due to HIPAA’s coverage limitations

Traditionally, and as noted above, one of the shortcomings of HIPAA’s privacy protections is that only regulated entities are required to comply with the rules. The protections do not follow the data, so if a regulated entity legitimately discloses data to an entity not regulated by HIPAA, HIPAA’s rules would not apply. As an example, if a regulated entity shares reproductive health data with a researcher who has received a waiver of consent from an Institutional Review Board (which is permitted by the Privacy Rule), and that researcher then uses or discloses this data to facilitate a prohibited purpose, the civil penalty provisions of HIPAA could not be leveraged to hold the researcher accountable (and the regulated entity would not have been required by HIPAA to have obtained an attestation prior to disclosing the data).

The criminal penalty provisions initially enacted as part of HIPAA and amended by Congress in the Health Information Technology for Economic and Clinical Health Act in 2009 may help close this gap. A “person” who knowingly and in violation of HIPAA obtains any individually identifiable health information from a covered entity relating to an individual or discloses individually identifiable health information to another person could be subject to criminal penalties, which vary by level of culpability. A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm. These provisions apply to the Privacy Rule Reproductive Data Protections as well. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.

Potential Penalties for Accepting a Deficient Attestation

Regulated entities are concerned about their potential liability under the Privacy Rule for making a disclosure based on an attestation that turns out to be defective. An attestation is defective if the regulated entity has “actual knowledge” that material information in the attestation is false, or, of greater concern, if a “reasonable covered entity or business associate in the same position would not believe that the attestation is true with respect to” whether the requested use or disclosure is for a purpose that is not prohibited by the new rule. What constitutes a “reasonable covered entity or business associate in the same position” requires subjective judgment, leaving regulated entities concerned about getting it wrong in the eyes of regulators. The Privacy Rule Reproductive Data Protections also require regulated entities to cease any use or disclosure if they discover information showing that any information in the facially valid attestation they relied on to make the use or disclosure was materially false; failure to do so would constitute a HIPAA violation.

Limit on Types of Requests Requiring the Attestation

Regulated entities are required to obtain attestations only when requests for PHI potentially containing reproductive health data are submitted for purposes of health oversight, for judicial and administrative proceedings, for law enforcement, and for disclosures to coroners and medical examiners. But reproductive health data could be released for other purposes—such as treatment, research, or any of the other permitted purposes—and the recipient, if it is not a regulated entity, would not be subject to the prohibition with respect to its further use and disclosure of the information. For example, a covered entity physician may disclose PHI to a medical researcher pursuant to the research provisions of the Privacy Rule, but many researchers are not regulated entities (for example, researchers working in private research institutions or for pharmaceutical companies). However, the requestor could face criminal liability under the provisions discussed previously. Nevertheless, some regulated entities have discussed requesting attestations in any circumstance where reproductive health data could potentially be used or disclosed, as a way of assuring protections for this data. At the same time, regulated entities that are also covered by the federal Information Blocking Rules, promulgated by the HHS Office of the National Coordinator for Health IT pursuant to the 21st Century Cures Act, could be subject to penalties for creating obstacles to the sharing of electronic health information in circumstances where it is otherwise lawful to share. The concern of these dual-regulated entities is that they could be penalized under the Information Blocking Rules for requiring attestations for the sharing of data for purposes for which an attestation is not required.

Of note, regulated entities are still permitted to disclose reproductive health data for public health purposes, and there is no requirement for an attestation for public health requests. However, under the new provisions, it is not a legitimate public health activity if the reproductive health data is to be used for one of the prohibited purposes. But public health agencies are typically not HIPAA regulated entities; consequently, if they receive reproductive health data within the scope of their authority and then subsequently use or disclose that data for a purpose that would be prohibited if they were a regulated entity, it is not clear that the disclosing regulated entity would be in violation of HIPAA for having made that disclosure.

Rule Doesn’t Preempt State Laws Requiring Disclosure of Abortion Data

Some advocates for comprehensive reproductive health care have expressed concerns that HHS didn’t go far enough in protecting reproductive health data. In the HIPAA statute, Congress gave HHS broad authority to enact privacy protections for individually identifiable health information transmitted among health care providers and health plans (i.e., covered entities), and provided that these standards, largely adopted through regulation, would preempt state laws that were less stringent—i.e., provided fewer privacy protections. Should HHS have utilized these preemption provisions to go further—for example, by enacting new HIPAA privacy provisions that restricted the use or disclosure of reproductive health data for purposes of pursuing any civil, criminal or administrative action for the mere act of receiving a health care service, even if that service was not lawful in the setting in which it was delivered? For reasons that are not shared in the regulatory materials, HHS instead chose to focus only on protecting the privacy of data generated out of lawfully delivered care and not to test the strength of this broad preemption authority against the plethora of abortion restrictions and new penalties in the post-Dobbs era.

HIPAA Doesn’t Apply to De-Identified Data

HIPAA covers only identifiable health information; consequently, HHS’s authority to promulgate privacy rules extends only to identifiable health information (i.e., PHI). The Privacy Rule establishes a legal standard for de-identification—no reasonable basis to believe the information can be re-identified—and two acceptable methodologies for de-identifying PHI: a safe harbor method requiring the removal of 18 categories of identifiers and no actual knowledge on the part of the disclosing entity that the data can be re-identified; or an expert or statistical methodology requiring a trained statistician, applying statistical techniques, to certify/attest that the data, in the hands of the anticipated recipient(s), would have a very low probability of being re-identified. Although there are few published instances of HIPAA de-identified data having been successfully re-identified, much has been written about the vulnerability of PHI de-identified under HHS’s safe harbor methodology, given the increasing amounts of data available for re-identification. Nonetheless, de-identified reproductive health data is not covered by the rules. Further, there is no federal prohibition against re-identifying HIPAA de-identified data, although any de-identified data collected by a regulated entity would be subject to HIPAA’s rules, including the new prohibitions, once it meets the definition of PHI. As a result, a recipient of HIPAA de-identified reproductive health data who is not covered by HIPAA and who re-identifies the data—and subsequently uses it for a purpose that otherwise would have been prohibited by the new rules—likely cannot be found to have violated HIPAA, either civilly or criminally. The vulnerability of PHI to re-identification leaves a hole in the protections otherwise extended by this new rule.
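As an added illustration of the two points in this section (the safe harbor method and the residual re-identification exposure of data that has passed through it), the following Python script is not code from the article or from HHS. It applies the safe harbor removal rules to a handful of constructed sample records and then measures k-anonymity over the quasi-identifiers that survive (birth year, sex, three-digit ZIP), which is the kind of residual-risk check an expert-determination review would perform. The sample records, the set of small-population ZIP3 areas and the helper names are assumptions constructed for the example.

```python
"""
Safe-harbor style de-identification of constructed patient records, followed
by a k-anonymity measurement of what remains.  Added example, not code from
the article's authors or from HHS; the population threshold list and the
records are assumptions constructed for illustration.
"""
import re
from collections import Counter
from datetime import date

# Reference date used to compute ages (assumed, so results are repeatable).
AS_OF = date(2024, 10, 1)

# Safe harbor requires a three-digit ZIP prefix covering 20,000 or fewer
# people to be reported as "000".  The real list is derived from Census data;
# this set is an assumption constructed for the example.
SMALL_POPULATION_ZIP3 = frozenset({"036"})

# Direct identifiers that safe harbor removes outright.
DIRECT_IDENTIFIER_FIELDS = ("name", "phone", "email", "ssn", "mrn")

# Best-effort patterns for identifiers that leak into free-text notes.
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample records; none of these describe a real person.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "dob": "1990-04-12", "sex": "F", "zip": "02139",
     "phone": "617-555-0101", "email": "jane@example.com", "ssn": "123-45-6789",
     "mrn": "MRN-00042", "encounter_date": "2024-03-03", "diagnosis": "Z33.1",
     "note": "Jane Doe (SSN 123-45-6789) reached at 617-555-0101 or jane@example.com."},
    {"name": "Alice Roe", "dob": "1990-11-02", "sex": "F", "zip": "02142",
     "phone": "617-555-0102", "email": "alice@example.com", "ssn": "987-65-4321",
     "mrn": "MRN-00043", "encounter_date": "2024-03-05", "diagnosis": "Z33.1",
     "note": "Routine visit."},
    {"name": "Mary Poe", "dob": "1932-01-15", "sex": "F", "zip": "03601",
     "phone": "603-555-0103", "email": "mary@example.com", "ssn": "111-22-3333",
     "mrn": "MRN-00044", "encounter_date": "2024-02-20", "diagnosis": "I10",
     "note": "Mary Poe seen for BP check."},
    {"name": "Bob Loe", "dob": "1985-07-07", "sex": "M", "zip": "02139",
     "phone": "617-555-0104", "email": "bob@example.com", "ssn": "444-55-6666",
     "mrn": "MRN-00045", "encounter_date": "2024-01-10", "diagnosis": "J06.9",
     "note": "Bob Loe, cold symptoms."},
]


def _age_on(dob: date, as_of: date) -> int:
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor_deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Return a new record with the safe harbor identifier categories removed.

    Kept: year of birth (unless the age exceeds 89), age, sex, ZIP3, year of
    the encounter, diagnosis code, and a scrubbed free-text note.
    """
    dob = date.fromisoformat(record["dob"])
    age = _age_on(dob, as_of)
    out = {}
    # Ages over 89, and any date element (including year of birth) that would
    # reveal such an age, are collapsed into a single "90+" category.
    if age > 89:
        out["birth_year"] = None
        out["age"] = "90+"
    else:
        out["birth_year"] = dob.year
        out["age"] = age
    out["sex"] = record["sex"]
    # Geographic units smaller than a state are removed, except the first
    # three ZIP digits when that ZIP3 area holds more than 20,000 people.
    zip3 = record["zip"][:3]
    out["zip3"] = "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3
    # All date elements except the year are removed.
    out["encounter_year"] = date.fromisoformat(record["encounter_date"]).year
    out["diagnosis"] = record["diagnosis"]
    # Free text: strip the patient's own name and common identifier patterns.
    # Regex scrubbing is best-effort; safe harbor still requires that no
    # identifier remain, so free text normally needs review before release.
    note = record.get("note", "").replace(record["name"], "[NAME]")
    note = _EMAIL_RE.sub("[EMAIL]", note)
    note = _SSN_RE.sub("[SSN]", note)
    note = _PHONE_RE.sub("[PHONE]", note)
    out["note"] = note
    return out


def deidentify_samples() -> list:
    return [safe_harbor_deidentify(r) for r in SAMPLE_RECORDS]


def k_anonymity(records: list, quasi_identifiers: tuple) -> tuple:
    """Smallest equivalence class size over the given quasi-identifiers.

    Returns (k, keys of the classes of size k).  k == 1 means at least one
    released record is unique on attributes an outside party may also hold,
    so a linkage risk remains even though the safe harbor fields are gone.
    """
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    k = min(classes.values())
    return k, [key for key, n in classes.items() if n == k]


if __name__ == "__main__":
    released = deidentify_samples()
    for r in released:
        print(r)
    k, singletons = k_anonymity(released, ("birth_year", "sex", "zip3"))
    print(f"k-anonymity on (birth year, sex, ZIP3): k={k}; smallest classes: {singletons}")
```

Running the script prints the four released records with every direct identifier gone and then reports k = 1: two of the records (the 90+ patient and the lone male patient in ZIP3 021) are unique on attributes that a voter roll or purchased location dataset could also carry. That is exactly the gap the section describes: the safe harbor output is lawful to release, yet a recipient outside HIPAA holding a second dataset may still single those records out. The expert determination method exists to quantify this residual risk against the anticipated recipient before release, for example by generalizing or suppressing attributes until every class reaches an acceptable size.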

Prospects of Legal Challenge

The State of Texas has already filed a legal challenge to block the Privacy Rule Reproductive Data Protections, and it is likely there will be more. While it is too soon to know how many and which challenges may or may not have merit, several rationales could be advanced as possible challenges. For example, states with laws that penalize individuals for seeking or facilitating abortion care outside of the state could challenge the law as posing a barrier to enforcement of their duly enacted laws. However, this rationale runs against the long-recognized federal right to travel between states under the Privileges and Immunities Clause of the U.S. Constitution.

Another core consideration underlying many potential legal challenges to the Privacy Rule Reproductive Data Protections is standing. Specifically, who has suffered an injury such that they would have standing to challenge the Protections? Any potential litigant seeking to challenge the rule would need to show that elements of injury, causation, and redressability existed at the outset of the lawsuit, and continue to exist, for each claim and for each form of relief sought. Depending on the specifics of each case, it may be difficult for states to establish all the elements of standing to successfully challenge the rule.

Additionally, the Supreme Court’s recent decision in Loper Bright Enterprises v. Raimondo overturning the Chevron doctrine and possibly the Court’s 2022 decision in West Virginia v. EPA addressing the Major Questions Doctrine may add to the likelihood of legal challenges. Specifically, in the absence of Chevron deference, agency actions, especially those that address divisive issues like abortion, may prove to be priority targets for litigants seeking to challenge executive agency rulemaking under a theory that agency rules exceed Congress’ statutory direction to a federal agency. The Privacy Rule Reproductive Data Protections may be vulnerable to such a challenge. Although an Administrative Procedure Act challenge to the original HIPAA regulations was rejected in 2003 by the 4th Circuit in S.C. Med. Ass’n v. Thompson, a more recent District Court case rejecting previous HHS amendments to HIPAA that relied on the original grant of HIPAA rulemaking authority from 1996 reasoned, in dicta, that the original grant of authority was now “too old” for HHS to rely on in making further amendments to HIPAA.

In sum, there are a lot of unknowns when it comes to weighing the merits of potential challenges to the new HIPAA rule. Recent Supreme Court actions have dramatically impacted agency litigation and action and until there is further case law in the post-Chevron era, it is difficult to predict whether HHS authority to promulgate this rule would be upheld, or whether a different Administration would spend the resources to vigorously defend HHS’ actions. Moreover, additional federalism and standing questions are likely to persist until they have worked their way through the courts. And of course, changing political winds in either the Administration or Congress could result in overturning or paring back these rules.

Health Data Privacy Threats Outside of HIPAA

Health data enjoy fewer privacy protections when held by entities outside of the scope of HIPAA. This article has focused on the threats of new and existing state laws banning or restricting abortion care on the privacy of health information governed by HIPAA and actions being taken by HHS to change the Privacy Rule to try to mitigate those threats. However, vast amounts of individuals’ health data (indeed in some instances the same records) exist and are held by entities beyond HIPAA’s limited scope and jurisdiction.

Search queries, browsing history, the contents of communications, and a person’s location data can all reveal private health-related information, despite not typically being thought of as sources of “medical” or health-related data. These types of data can reveal sensitive information about a person’s health and healthcare choices, regardless of whether the company collecting it provides health-related services. People’s online searches and browsing history have already been used in abortion-related prosecutions, and investigative reporters have shown that location data can be purchased revealing where visitors to an abortion clinic went immediately before and after their visits, which can be highly revealing of a person’s identity—those locations are likely either their workplace or home.

In our digitally connected world, given the growing prevalence of medication abortion—and the ability to receive reproductive health services through telemedicine—enforcement of anti-abortion laws may increasingly rely on digital and electronic information. Moreover, the popularity of health tracking apps and IoT (internet of things) devices creates ever-growing stores of health data that can be very insightful, revealing health conditions, including reproductive status, care, and treatments. For example, a connected scale tracks weight gain and loss over time, and a connected refrigerator can detect items added to its shelves that were purchased at the grocery store.

At the federal level, the FTC has authority to regulate and protect health data not covered by HIPAA. The FTC has utilized, and continues to utilize, existing rulemaking and enforcement authorities to address health privacy concerns for non-HIPAA covered entities. For example, on May 30, 2024, the FTC published the final version of changes to the Health Breach Notification Rule (HBNR), which sets forth the protocol in the case of a breach of health data. Specifically, the HBNR requires vendors of personal health records (PHR) and related entities that are not covered by HIPAA to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to vendors of PHRs and PHR related entities to notify such vendors and PHR related entities following the discovery of a breach. Since the FTC enacted its initial HBNR in 2009, the number of health tracking apps has dramatically increased, and Dobbs has created new health privacy risks, motivating the FTC to expand the HBNR to cover newer types of data collection. The final rule requires entities that manage personal health records (but are not subject to HIPAA) to notify the FTC, the consumer, and in some cases the media following a breach of personally identifiable health data. The update of the rule clarifies its applicability to health apps and strengthens the notification mechanisms in this space.

Although to date Congress has failed to enact comprehensive federal privacy protections for health data that sits outside of HIPAA, states including Washington, Connecticut, and California have enacted data privacy protections that either include or specifically address sensitive health data—as well as other forms of sensitive data that may be used to determine health status and activities.

Conclusion

Health information privacy has always been critical to assuring that individuals can receive care for potentially stigmatizing health conditions. The Dobbs decision amplified concerns about the use of health information against individuals (or persons who assist them, including medical providers) and is likely to have far reaching consequences for the delivery of health care for certain conditions or populations. Time will tell whether current efforts by federal and some state regulators to shore up the privacy of reproductive health information will have the desired effect of extending greater protections for this information and, consequently, for access to care.
