A pregnant women stands in a field holding her exposed belly with a hopeful look on her face.
Image credit: Angel Rondon on pexels.com

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued a Final Rule, the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, providing additional safeguards to current healthcare privacy legislation.

Though the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act guarded against the disclosure of protected health information (PHI) in some instances, the new final rule places reproductive healthcare among the services that receive enhanced federal privacy protections.

According to OCR director Melanie Fontes Rainer, the rule “prohibits the use of protected health information for seeking or providing lawful reproductive health care and helps maintain and improve patient-provider trust that will lead to improved health outcomes and protect patient privacy.”

A press release from the US Department of Health and Human Services stated that the new rule was needed “to address changes in the legal landscape affecting reproductive health care privacy that make it more likely than before that PHI may be used and disclosed in ways that HIPAA intended to protect.”

The measure addresses concerns about people being prosecuted for seeking, assisting, or providing an abortion in another state when they reside in a state that restricts access to abortion. There has been heightened concern over abortion rights since the Supreme Court overturned Roe v. Wade with the Dobbs v. Jackson Women’s Health Organization decision in 2022. Twenty-one states have since banned abortion by passing new laws or by reinstating old, draconian laws that were unenforceable while federal protections for abortion remained in effect.

The new rule was needed “to address changes in the legal landscape affecting reproductive health care privacy.”

The rule change also aims to assuage concerns regarding the prosecution of those seeking in vitro fertilization (IVF) services after the Alabama Supreme Court’s ruling that embryos created through IVF should be considered children. Since IVF typically involves the destruction of frozen embryos, technically, Alabamans seeking these services out-of-state could also be liable for prosecution.

Whether it’s legal to travel to another state to seek reproductive and maternal healthcare services such as abortion and IVF remains a highly contested issue that will continue to draw attention from courts, lawmakers, and policymakers.

A spattering of legal actions, including lawsuits filed and laws that bar people living in a state with an abortion ban from seeking care elsewhere, have added to the confusion over the legality of abortions that require people to cross state lines. Whether it’s legal to mail abortion medication presents another layer of complexity.

Reactions to the Final Rule on Reproductive Healthcare Privacy

According to a Health Affairs article, the 60-day comment period for the new HHS rule generated almost 26,000 comments. Commenters in support of the rule, “emphasized the importance of trusting, confidential relationships between individuals and their health care providers in delivering high-quality health care. Underscoring the importance of enhanced privacy for reproductive health information, they also expressed concerns that the increase in state legislation targeting reproductive health care has placed significant burdens on providers, resulting in higher rates of maternal morbidity and mortality.”

Whether it’s legal to travel to another state to seek reproductive and maternal healthcare services such as abortion and IVF remains a highly contested issue.

Contrarily, commenters opposed to the new rule argue that it “would infringe upon state rights, thwart law enforcement investigations, and protect those who engage in unlawful activities.” There were also some concerns about the “administrative burdens” and “costs for providers” associated with the rule.

A letter from the attorneys general of 24 states formally commended the final rule in a letter while also calling for “more robust privacy protections for reproductive care” and making recommendations to extend the measure’s provisions.

The attorneys general of 19 states submitted a letter opposing the final rule on the grounds that it seeks to overrule the Dobbs decision and, therefore, takes the authority to regulate and prohibit abortion away from the states.

Does the Final Rule Provide Protections for Acquired or Transmitted Data?

Any technology capable of detecting a pregnancy is also capable of detecting the end of a pregnancy, which…could also expose someone and their care providers to liability.

The final rule doesn’t explicitly discuss healthcare apps, wearable devices, or AI-enabled communication devices such as chatbots, but insofar as digital health products and tools constitute healthcare providers, or vendors to healthcare providers, they could also be subject to its regulations. The letter from the attorneys general supporting the final rule also pointed out that “rapid technological advances have transformed how health care providers and individuals collect and store their personal health information, including reproductive health data.” The letter heavily implies that more work needs to be done when it comes to keeping this type of data safe, as it could include sensitive reproductive health information or information that could be used to deduce facts about one’s reproductive health.

Providing additional guidance on how the final rule addresses digital health and health IT is critically needed because reproductive and maternal health innovations can expose women to risk. For instance, according to the Conversation, fertility apps, which help users track their menstrual cycle, identify fertility windows, track the stages of pregnancy, and prepare for parenthood—carry “serious privacy flaws.” Alarmingly, these privacy flaws include poorly phrased and confusing privacy messages, data sharing with inadequate deidentification, and data retention that continues long after a consumer stops using the app.

In addition to fertility apps, there are also wearable sensors and fitness devices that by tracking weight, menstrual cycles, and other bodily functions and behaviors, can also detect pregnancy. Any technology capable of detecting a pregnancy is also capable of detecting the end of a pregnancy, which, in the current reproductive climate in the United States, could also expose someone and their care providers to liability.

It is also unclear if the final rule would prohibit large tech companies from sharing location-tracking data and social media posts that may be used to incriminate someone for seeking reproductive or maternal healthcare services.

The rule does, however, require that all healthcare providers and their business providers alter their privacy notices to comply with its stipulations.

More Is Needed to Repair Reproductive Healthcare in the United States

While the new rule can be seen as a step forward in protecting women and birthing people against prosecution for having an abortion, seeking IVF services, or even for miscarrying under the suspicion that they had an abortion, the hyperpolarized environment for reproductive health remains confusing for care providers and patients alike. In addition to not being able to access abortion services, a national survey on ob-gyns’ experiences after the Dobbs decision revealed that “one in five office-based OBGYNs (20%) report they have personally felt constraints on their ability to provide care for miscarriages and other pregnancy-related medical emergencies since the Dobbs decision. In states where abortion is banned this share rises to four in ten OBGYNs.”

Criminal prosecutions for self-managed abortions preceded the overturning of Roe v. Wade. According to the Guardian, at least 61 people were criminalized for alleged self-managed abortions between 2000 and 2020; the charges included fetal harm, child abuse, felony assault, assault on an unborn child, practicing medicine without a license, and sometimes even homicide and murder. In nearly half of the cases, healthcare providers or social workers were the ones who “tipped off police to the suspected self-managed abortion,” according to the Guardian. Since the final rule is limited to lawful reproductive healthcare, it is unlikely to address such instances, which often result from desperation due to the inaccessibility of abortion and maternal mental health services in many states.

Women and birthing people are suffering the consequences of our current reproductive health landscape. While the final rule on reproductive health privacy is an important step forward for trying to rebuild the protections lost when Roe was overturned, there are important gaps—including if and how these protections play out in the digital world and if the rule can be applied to situations outside of “lawful reproductive health care”—that need to be urgently addressed.