Following the Supreme Court’s ruling overturning Roe v. Wade in Dobbs v. Jackson Women’s Health Organization, the Biden Administration has outlined a framework for federal executive action designed to protect access to reproductive health care. On July 8, 2022, President Biden issued an Executive Order Protecting Access to Reproductive Health Care Services (the “Executive Order”) directing federal agencies, including the United States Department of Health and Human Services (HHS), Department of Justice (DOJ), and the Federal Trade Commission (FTC) to take various steps to address “this health crisis.”1
HHS and the FTC have subsequently released guidance on what is required by pre-existing regulatory frameworks. As recognized in the Executive Order, overturning Roe “has already had and will continue to have devastating implications for women’s health and public health more broadly.” Among those implications are the consequences for privacy, particularly the privacy of reproductive health information and other sensitive data, including protected health information (PHI), location information, search history, and online or credit card purchases under pre-existing privacy frameworks.
Businesses that deal with sensitive data should be aware of this evolving federal guidance and framework for agency action and how it may impact their data processing activities overall. For example:
- Covered entities under the Health Insurance Portability and Accountability Act (HIPAA) should evaluate their disclosure practices in light of this latest guidance from HHS to ensure that they are not unintentionally violating the Privacy Rule when attempting to comply with new state laws going into effect that may restrict access to reproductive healthcare.
- Businesses that collect sensitive data (including location data) should ensure that they are transparent about their data collection and sharing practices to comply with FTC privacy requirements.
- Businesses that claim to process “anonymized” information should ensure that their anonymization standard complies with FTC guidelines or else risk a potential enforcement action. The risk may be especially heightened if this “anonymized” information is used to target individuals based on their reproductive health status or health outcomes.
The Executive Order includes provisions to protect the privacy of patients and consumers, as well as their access to accurate information about reproductive health care.2 In particular, the Executive Order addresses the transfer and sale of sensitive health-related data, digital surveillance related to reproductive health care services, and protection from inaccurate information, fraudulent schemes, or deceptive practices. These provisions and subsequent HHS and FTC action are discussed below.
HHS: Patient Privacy and Health Data
The Executive Order instructs HHS to “consider actions, including providing guidance under [HIPAA] . . . to strengthen the protection of sensitive information related to reproductive healthcare services.” Following President Biden’s Executive Order, HHS issued a press release and guidance (“HHS Guidance”) on its role in protecting patient privacy in light of the Dobbs decision. The first part of the HHS Guidance addressed how HIPAA and its regulations protect individuals’ PHI in relation to abortion and other sexual and reproductive healthcare. The HHS Guidance makes clear that covered entities under HIPAA can use or disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the HIPAA Privacy Rule.
FTC: Consumer Privacy Protections and Prevention of Deceptive or Fraudulent Practices
The Executive Order encourages the FTC to “consider actions . . . to protect consumers’ privacy when seeking information about and provision of reproductive healthcare services” and “to address deceptive or fraudulent practices related to reproductive healthcare services.” Subsequently, the FTC reiterated its commitment to fully enforcing the law against the illegal use and sharing of highly sensitive data in a post on its Business Blog. The post first addresses the dynamics of the information marketplace and the role of data aggregators and data brokers, noting that connected devices collect sensitive data including precise location and health information and that consumers are often unaware of what happens to this information once it has been collected. As an example of potential misuses of sensitive information related to reproductive health, the post referenced the FTC’s recent settlement with Flo Health. After outlining some potential harms caused by the misuses of mobile location and health information, the FTC reiterated its commitment to “vigorously enforce the law” if it discovers “illegal conduct that exploits Americans’ location, health, or other sensitive data.”
For companies thinking about compliance, the FTC stated that past enforcement actions should serve as a roadmap and emphasized a few key points:
- Sensitive data is protected by both federal and state laws, many of which are enforced by the Commission. In addition to Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices, the FTC enforces the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule.
- Claims that data is ‘anonymous,’ or ‘has been anonymized’ are often deceptive and, if untrue, may be a deceptive trade practice that violates the FTC Act. Significant research has shown that ‘anonymized data’ can often be re-identified. False anonymization claims will trigger FTC scrutiny.
- Citing recent enforcement actions against OpenX, Kurbo/Weight Watchers, and CafePress, the FTC reiterated that consumer data misuse is an area of focus for the FTC.
Companies collecting sensitive data including location and health data should take extra care in claiming that data is “anonymous” or has been “anonymized” and should look to past FTC actions for further compliance guidance. The FTC’s statements show that it may not simply take companies at their word when it comes to anonymization and that companies should be especially careful when applying this principle to sensitive data or location information.
1 The accompanying press release (“Fact Sheet”) notes that “President Biden has made clear that the only way to secure a woman’s right to choose is for Congress to restore the protections of Roe as federal law. Until then, he has committed to doing everything in his power to defend reproductive rights and protect access to safe and legal abortion.”
2 Additionally, the Executive Order includes provisions outside the scope of this blog post, including those related to safeguarding access to reproductive health care services, ensuring the physical safety of patients, providers, and third parties and the security of clinics, pharmacies, and other entities assisting in the provision of reproductive healthcare services through cooperation between the DOJ and the Department of Homeland Security (DHS), and the creation of an interagency Task Force on Reproductive Health Care Access led by HHS and the White House Gender Policy Council to coordinate the Administration’s efforts.