Millions of women use reproductive health applications (or “apps”) to track menstrual cycles, ovulation, and pregnancy. These apps give women who use the rhythm method for birth control, and women seeking to become pregnant, access to more accurate information about their reproductive systems. To accurately track a user’s reproductive cycles, many health apps need users to share highly sensitive and personal health data. This sensitive data is generally stored and may include dates of ovulation, conception, pregnancy start, and pregnancy end, if applicable. Needless to say, reproductive health app developers manage and maintain a data platform that contains some of the most sensitive and private information about their customers.
The highly sensitive and private customer information contained in reproductive health apps has been thrust to the forefront of the evolving landscape of abortion laws in the United States. The U.S. Supreme Court (“SCOTUS”) decision to overturn Roe v. Wade authorizes states to limit, restrict, and criminalize abortion. As many as half of all U.S. states have some form of an abortion ban in effect, or one that is expected to take effect in the near future, due to the SCOTUS decision. These abortion ban laws are frequently referred to as “trigger laws.” State laws that criminalize abortion could have an immediate impact on how reproductive health apps implement and enforce personal health data security measures (i.e., privacy policies and procedures).
In addition, reproductive health app developers should consider enhancing their patient privacy protocols in light of certain state abortion laws that place enforcement of such laws in the hands of private citizens as described below:
- A Texas law bans abortion as soon as cardiac activity is detectable — typically around six weeks. This abortion law affords Texas citizens a private right of action to enforce the ban. The Texas law explicitly offers a reward of at least $10,000 for anyone who successfully sues an abortion provider, a person who obtains abortion services, and/or an individual that assists a person in obtaining abortion services.
- A new Oklahoma law completely bans abortion in Oklahoma. The statute makes it unlawful for providers to perform abortions in Oklahoma, with very limited exceptions, and makes it unlawful for anyone to help a pregnant person obtain an abortion. Similar to the Texas law, the Oklahoma law puts enforcement in the hands of certain private citizens and offers a monetary reward to any person who successfully sues an abortion provider or any individual who assists a pregnant person in accessing abortion services.
Because reproductive health apps store personal health data related to periods, ovulation, conception, and pregnancy, these apps have access to data showing that a pregnancy has ended. This type of information is particularly sensitive in light of the trigger laws and other state abortion-related laws.
It is important to note that reproductive health apps are generally not subject to the Health Information Portability and Accountability Act of 1996, and its implementing regulations (“HIPAA”) or the Health Information Technology for Clinical Health (“HITECH”) Act. Although the information entered by customers into the app likely meets the definition of “protected health information” under HIPAA, reproductive health apps are not “Covered Entities” (as defined under HIPAA) since only (i) health plans; (ii) healthcare clearinghouses; and (iii) healthcare providers that engage in standard transactions are “Covered Entities” under HIPAA. Companies that offer reproductive health apps may be considered “Business Associates” (as defined under HIPAA) only if the company is providing services on behalf of a Covered Entity or other Business Associate that involves the creation, receipt, maintenance, or transmission of electronic Protected Health Information (as defined under HIPAA).
Companies offering reproductive health apps are unlikely to have any obligation to limit the use or disclosure of customer data in accordance with HIPAA. However, state privacy laws governing personal data, such as the California Privacy Rights Act, Colorado Privacy Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, and most recently, Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, will apply where the given company meets the thresholds of applicability established by such laws. Under the majority of these new state consumer privacy laws, covered businesses, including companies offering reproductive health apps, will be required to obtain consumer consent in order to process sensitive data. Under the Utah Consumer Privacy Act, however, companies offering reproductive health apps are subject to more relaxed requirements for processing “sensitive data” and may process consumer sensitive data on an “opt out” rather than “opt in” or prior consent basis.
Following the SCOTUS ruling, the Department of Health and Human Services’ Office for Civil Rights released new patient-privacy guidelines that explicitly outline the federal protections for “protected health information,” as defined under HIPAA. The guidelines emphasize the restrictions HIPAA places on the disclosure of protected health information and reinforce the limited circumstances where organizations subject to HIPAA are required by law or ordered by a court to disclose such information. However, these guidelines do not create additional protections for protected health information; therefore, HIPAA would not prevent enforcement of a state law that requires the reporting of abortion services to law enforcement personnel.
Given the ubiquity of purchasing datasets from technology companies and the structure of new state anti-abortion laws, it is conceivable that an individual could purchase these datasets and use the information to pursue legal action against an individual or an abortion provider. It is equally conceivable that law enforcement could obtain these datasets, via subpoena, court order, or otherwise, and use the datasets to investigate suspected violations of abortion laws. While these outcomes may seem remote, this is a rapidly evolving area of the law where outcomes remain uncertain. Therefore, reproductive health app companies should understand their privacy policies and review them in light of new state abortion laws to further protect customer data privacy and security. Reproductive health app developers may also want to take measures to increase the security and integrity of their data platforms, including undertaking security risk assessments, reviewing policies and protocols, and identifying any risks associated with permissible commercial transactions involving sensitive customer data. All such measures would reassure reproductive health app users that their sensitive information is appropriately protected and secured as much as possible.
Matt Wetzel, Partner, Life Sciences & Healthcare
Anne M. Brendel, Associate