Two Medical-Legal Experts Look at Patient Privacy Challenges Post-Roe
A host of patient privacy concerns, especially around clinical documentation issues, has arisen in light of the Dobbs v. Jackson Women’s Health Organization decision that the Supreme Court handed down on June 24. With the legal situation now dependent on the specific state involved, some patients, and their clinicians, are concerned that patient information could be used against those patients, and their providers, in certain situations. In that regard, a team of healthcare policy leaders authored an article published in the JAMA Health Forum online on June 30, guiding readers through some of the concerns and considerations involved.
In “Protecting the Privacy of Reproductive Health Information After the Fall of Roe v. Wade,” Kayte Spector-Bagdady, J.D., and Michelle M. Mello, J.D., Ph.D., M.Phil, write that “The Supreme Court’s decision in Dobbs v Jackson Women’s Health Organization, eliminating federal protection for abortion rights recognized since 1973 in Roe v. Wade, will trigger the adoption and enforcement of numerous state laws banning or restricting abortion. The most pressing concerns for physicians and health care facilities are how to minimize these laws’ adverse effects on patients and provide quality reproductive health care within legal limits. Yet, another vital issue also merits attention: How can clinicians and facilities protect their patients—and themselves—from having reproductive health information used to incriminate them?”
According to her faculty profile, Spector-Bagdady is a professor in, and associate director at, the Center for Bioethics and Social Sciences in Medicine and an Assistant Professor of Obstetrics and Gynecology at the University of Michigan Medical School. At U-M she is also the Chair of the Research Ethics Committee, the ethicist on the Michigan Medicine Human Data and Biospecimen Release Committee, and a clinical ethicist. She teaches the Responsible Conduct of Research as well as Research Ethics and the Law. And according to her faculty profile, Mello is “a leading empirical health law scholar whose research is focused on understanding the effects of law and regulation on health care delivery and population health outcomes. She holds a joint appointment at the Stanford University School of Medicine in the Department of Medicine.” Further, “Mello is the author of more than 200 articles on medical liability, public health law, pharmaceuticals and vaccines, biomedical research ethics and governance, health information privacy, and other topics.”
Indeed, Spector-Bagdady and Mello write, “New abortion restrictions may clash with privacy protections for health information in 3 ways. And despite popular misconceptions about the breadth of the Privacy Rule of the Health Information Portability and Accountability Act (HIPAA) and other information privacy laws, current federal law provides little protection against these scenarios.”
The article’s authors see three main issues. “First,” they write, “using a patient’s medical records to support legal action against those seeking, obtaining, or abetting an abortion may be possible. HIPAA protects individually identifiable health information in electronic records controlled by a ‘covered entity’ (a clinician or facility, health plan, or health care clearinghouse) against disclosure without the patient’s authorization, but it contains notable exceptions. These include reporting child abuse or neglect to an ‘appropriate government authority’; responding to a court order, subpoena, or discovery request for information relating to a lawsuit; and giving information to law enforcement officials ‘as required by law.’ Thus, HIPAA does not bar compliance with child abuse or neglect reporting requirements, nor will it shield entities that defy investigative demands for information for law enforcement or other legal purposes.” Indeed, they write, a search warrant requires only “probable cause,” and could elicit such information.
Second, the article’s authors note that hospital and health system records could potentially be used “to incriminate an institution or its clinicians for providing abortion services. Relevant records could include electronic health records, employee emails or paging information, and mandatory reports to state agencies.” HIPAA will not protect patient care organizations in situations such as, for instance, if a state board of medical licensing investigates “whether a physician provided illegal abortions.”
And, they note, “A third concerning scenario is that information generated from a person’s online activity could be used to show that they sought an abortion or helped someone do so. Much reproductive health information is collected and shared through websites and apps that are not HIPAA-regulated or protected by physician-patient privilege, such as period tracking apps (used by millions of US women) that collect information on timing of menstruation and sexual activity and on reproductive health information construed from shopping data. There are many instances of internet service providers sharing user data with law enforcement and prosecutors obtaining and using cell phone data in criminal prosecutions. Commercially collected data are also frequently sold to or shared with third parties. Even putatively deidentified data often contain sufficient information to reidentify individuals or facilities when triangulated with other data.”
What advice can the authors, both healthcare attorneys, offer? First, they note that, “[W]hen counseling patients of childbearing age about reproductive health issues, clinicians should explain the risks of generating pregnancy-related information online. For tips on minimizing their digital footprint, patients can be referred to expert organizations. Clinicians also should not presume that more clinical documentation is always better for managing medicolegal risk. Recording less information may be more protective and prevent information from being used in unwanted ways—for example, not speculating about whether a miscarriage was spontaneous when a patient presents in the emergency department with vaginal bleeding.” They also urge clinicians to think very carefully about how and when they use email and send text messages, avoiding “word choices that could be construed as evidence of illegal activity,” and consulting legal counsel if state law enforcement officials seek any kind of abortion-related information or documents from them, and actively asserting physician-patient privilege whenever necessary, with physicians better positioned to assert it than patients.
“Ultimately,” they write, “broader information privacy laws are needed to fully protect patients and clinicians and facilities providing abortion services. California recently expanded protections for commercially collected personal information and has been enforcing protections related to reproductive health data. Comprehensive federal digital privacy legislation is reportedly inching closer to bipartisan agreement in the Congress. As states splinter on abortion rights after the Dobbs Supreme Court decision, the stakes for providing robust federal protection for reproductive health information have never been higher.”