- Hello, and welcome to this CLE, titled "Post-Dobbs Privacy and Security, Understanding Legal Protections for Reproductive Health Data". I'm Bethany Corbin, femtech practice lead and senior counsel at Nixon Gwilt Law, where I work extensively with healthcare innovation companies, including women's health companies that are seeking to disrupt standard care delivery and care coordination models. I'm excited to talk to you today about privacy and security considerations for healthcare startup companies and healthcare organizations that routinely handle reproductive health data in the post-Roe versus Wade era. Today's presentation is going to cover three key topics. First, I'll provide an overview of the reproductive health landscape from the legal perspective. This will include a short discussion of Roe versus Wade and the subsequent Dobbs versus Jackson decision that removed federal protection for abortions. I'll also describe the current but rapidly changing state law landscape for abortions and reproductive health. Second, I'll describe the general privacy landscape that is applicable to the healthcare industry and explain which laws apply to reproductive health data in traditional provider settings and which laws apply to reproductive health data that's entered into female health technology or femtech applications or apps and products. Finally, I'll explain how these privacy and security laws impact women's health data in a post-Roe world, along with the legal considerations that individuals who identify as female should take into consideration when they're using femtech products, discussing their reproductive healthcare with their providers, or just communicating about reproductive health decisions electronically. So with this roadmap in mind, let's jump in. I want to start first by describing the reproductive health landscape that existed prior to June 2022, as it really sets the stage for the discussion of women's health privacy today. 
Abortion has been a relatively contentious topic in the United States, and I want to state that this CLE is not intended to present a political opinion on reproductive health. Rather, the purpose of this CLE is really to present the legal underpinnings for access to reproductive healthcare, and to help the audience understand how this changing landscape gives rise to unique privacy and security considerations that women's health companies, along with the technology companies that are processing that data, have to grapple with. So to that end, it's helpful to understand the context in which abortion protections and abortion restrictions arose. Up through the mid-1800s, abortion was legal in the United States and was actually a relatively common part of life that occurred during the colonial period. Under common law, women were permitted to obtain abortions until what is called quickening, and that refers to fetal movement in the uterus, and it typically happens around 22 to 24 weeks of pregnancy. Surgical procedures for abortion were rare during that time, but medical literature and newspapers regularly referred to medications and to herbs that could induce abortions. And while abortions post-quickening were actually illegal, they were only considered misdemeanors, which gave rise to the inference that these laws were not intended to protect the fetus over the pregnant mother. Prosecutions for abortions were also rare during this period, as the pregnant mother was the only one who could confirm whether there was fetal movement at the time of an abortion. In the mid-1800s, however, a coalition of male doctors actually began to organize, and the American Medical Association or AMA was formed in 1847. The AMA argued that male doctors actually had superior knowledge over female healers and midwives, who were the ones that were primarily responsible for performing abortions at that point in time. 
And therefore, right, that the male doctors should be considered the authority on abortion. By the early 1900s, every state had outlawed abortion with limited exceptions for danger to the mother's life. Throughout the subsequent decades, abortion was criminalized at all stages of pregnancy. While this did not stop abortions from occurring, it did have the effect of pushing them to the underground or the "black market". And this was where women were not able to obtain safe and effective treatment, but they were still able to obtain abortions within that black market that was usually unregulated, oftentimes unsanitary, and really unsafe. And so the Guttmacher Institute actually estimates that the number of illegal abortions that occurred between 1950 and 1960 was about 200,000 to 1.2 million per year. In the 1960s, however, illegal abortions actually became a public health crisis because thousands of women were dying every year from these unsafe black market abortions. States like Hawaii, California and New York thus began to change their laws and to actually legalize abortion. And by 1973, 30 states still prohibited abortion at all stages. On January 22nd, 1973, the US Supreme Court issued a landmark decision in what many people are familiar with, which is Roe versus Wade. And in Roe versus Wade, the court struck down a Texas statute that had banned abortion. In Roe versus Wade, a young woman sought to terminate an unwanted pregnancy in Texas in 1969, but abortion was only legal in Texas for the sole purpose of saving a woman's life. After trying very unsuccessfully to obtain an illegal abortion, the plaintiff challenged Texas's anti-abortion law in the case that became known as Roe versus Wade. In a seven to two decision, the Supreme Court actually did strike down the Texas law that banned abortion, and it essentially afforded constitutional protection to abortion procedures nationwide. 
Justice Harry Blackmun writing for the majority held that a woman's right to obtain an abortion was implicit in the right to privacy, which was guaranteed by the 14th Amendment. In legalizing the procedure, the court divided pregnancies into three trimesters and noted that women had the sole decision to end a pregnancy during that first trimester. During the second trimester, the government would be permitted to regulate but not ban abortion in order to protect the mother's health. And then states were allowed to prohibit abortion in the third trimester to protect fetuses that could survive on their own outside of the womb, except when the mother's health was in danger. In 1992, then, the Supreme Court again upheld this core decision of Roe versus Wade in the case of Planned Parenthood of Southeastern Pennsylvania versus Casey. The Pennsylvania legislature had amended its Abortion Control Act in 1988 and 1989, including requiring informed consent, a 24 hour waiting period prior to undergoing the abortion procedure, parental consent for minors, notification of a woman's husband that she planned to have an abortion and provider reporting requirements for completed abortions. Planned Parenthood of Southeastern Pennsylvania sued the state of Pennsylvania and claimed that these requirements were unconstitutional and that they violated the Supreme Court's holding in Roe versus Wade. The Supreme Court in a divided five to four decision did affirm the central premise of Roe versus Wade, which was the constitutional right to an abortion. But nonetheless, the court upheld most of the Pennsylvania Abortion Control Act provisions. And in doing so, the Supreme Court moved away from the trimester system that was established in Roe versus Wade and instead, set a new standard that allowed states to pass heightened abortion restrictions as long as those restrictions did not pose what the court called an undue burden. 
The court defined an undue burden to mean a substantial obstacle in the path of a woman seeking an abortion before the fetus attains viability. So under this new test, the only provision of the Pennsylvania law that failed this standard was the requirement that the woman notify her husband. So the impact of Casey was that states now had more leeway in passing laws that restrict abortion than they did following the Roe versus Wade decision. Now, following Roe and Casey, a number of states did impose new restrictions that weakened women's abortion rights. Some states passed laws requiring women to obtain a fetal ultrasound prior to terminating a pregnancy, and other states imposed mandatory counseling and waiting periods. Further, some states continued to pass abortion bans or to keep their current abortion laws on the books that, while unconstitutional and illegal during the time of Roe and Casey, would have near immediate effect if those Supreme Court precedents were overturned. So these abortion laws were known as trigger laws, meaning that they would take effect with the overturning of Roe versus Wade. And there were 13 states with abortion trigger laws on the books as of 2022. Now separate from the abortion landscape, women's health in general began to gain some traction in 2016 with the coining of the term femtech. So femtech is a subcategory of digital health and medical technology in which healthcare applications are designed to address health issues that are unique to individuals who identify as female. And while the majority of the femtech industry currently focuses on reproductive health with products like period tracking apps, ovulation and fertility trackers and maternal health apps, femtech is actually projected to grow exponentially to address chronic women's health issues in the future. 
Now the femtech industry grew largely from the need to have tailored solutions for women's health, and also grew from the desire to help women understand their own bodies and their own anatomy, and to also promote their autonomy. And combined with the rise of personalized healthcare, femtech was perceived as a very innovative and revolutionary step towards bridging the health gender gap and finally addressing women's health concerns separate from their male counterparts. In particular, women began demanding more personalized and focused research and health solutions that were not premised on the male body. Historically, modern medicine has been premised on male physiology, with the adaptation to women on almost a one-size-fits-all basis. And women's exclusion from clinical trials until 1993 has also contributed to the gender data gap, which has resulted in physicians and healthcare providers often misdiagnosing women because their symptoms of common ailments and illnesses, like heart attacks for instance, may differ from their male counterparts. So femtech was driven in large part by the rise of digital health solutions and digital health adoption. And really that has presented a platform through which women's health data can be collected and studied and can be used to potentially redress some of the data inequities and health inequities that exist in modern medicine. For the most part, women have been receptive to the rise of femtech, with millions of women using period tracking apps and other digital health solutions to track their health, understand their bodies and improve their lives in general. A 2019 survey that was published by the Kaiser Family Foundation found that nearly one third of American women do in fact use period tracking apps. Two of the most popular period tracking apps are Flo and Clue, and they have more than 55 million users combined. 
So it's clear that femtech is serving a high need area with the potential to impact half of the world's population. And since 2016, femtech has continued to rise in terms of both popularity and funding, and femtech actually surpassed the one billion fundraising mark for the first time in 2021. So against this backdrop of the rise of femtech, the interest in women's health and decades' worth of standing precedent that would permit abortions, we then get the Dobbs decision. So on June 24th, 2022, the Supreme Court issued a decision in Dobbs versus Jackson Women's Health Organization, which completely altered the abortion and reproductive health landscape in the United States. The Dobbs decision contained a challenge to a Mississippi law that banned abortion after 15 weeks of pregnancy. In breaking with nearly 50 years of precedent that was established through the Roe versus Wade decision and the Casey decision, the Supreme Court surprisingly held that the Constitution does not confer a right to abortion and that the authority to regulate abortion should in fact be returned to the people and their elected representatives, meaning the states. Writing for the majority, Justice Alito made the following important points. First, he said that the US Constitution does not reference abortion and there is no implicit protection offered to abortion in the Constitution. Second, he noted that abortion is not, what he called, a deeply rooted right in the nation's history and tradition, and is not implicit in the concept of ordered liberty. Specifically, what he's referring to is the fact that at the time the 14th Amendment was passed, which is the foundation upon which the constitutional right to abortion was based, three quarters of states still criminalized abortion at all stages of pregnancy. 
And then third, because the court believed that Roe was "egregiously wrong from the start" and that its reasoning was exceptionally weak, the court did not feel bound to continue with prior precedent when such precedent, in the court's opinion, was clearly wrong. So that is how the Supreme Court justified breaking away from the Roe versus Wade decision, which had been in effect for over 50 years. Now, while the Supreme Court's holding in Dobbs was limited to abortion only, other justices, such as Justice Thomas in his concurrence, have actually proposed reexamining other Supreme Court precedents that are predicated upon the 14th Amendment and the same right to privacy that underpinned Roe versus Wade. And some of the decisions that may be called into question in the future would be things like the right to interracial marriage and the right to contraception. So this shifting landscape for abortion and reproductive rights has called into question a legal structure that has existed for decades, and it has also spurred panic and fear among women who now must determine whether their reproductive health data and history can in fact be used against them by law enforcement officers in investigations and prosecutions that are related to illegal abortions. So following the release of the Dobbs decision, there has been significant discussion about whether women should delete their period tracking and femtech apps in order to safeguard their data from prosecutors and from law enforcement officials. It's actually estimated that hundreds of thousands of women have already deleted their femtech apps, which is breeding mistrust in an industry that was supposed to facilitate innovation and excellence in women's health. The deletion of period tracking and femtech apps as a result of the Dobbs decision may actually harm long term developments in women's health. 
So if femtech companies do not actively work to enhance their privacy and their security protections, women may decide that they are uncomfortable providing their health data to these applications and products. And if the amount of health data that's provided to a femtech application does in fact decrease, that app's algorithm could become less accurate because it's going to be trained to make predictions based on fewer data inputs and less diverse data. Because algorithms grow and evolve in conjunction with the data that they receive, this means that the receipt of less data may mean less evolution for these algorithms. Further, decreased data also presents the risk for less diversity, which can facilitate health inequities. A 2020 study showed that the abortion rate in the United States for African American women is nearly four times higher than the abortion rate for Caucasian women. And in many of the states that have those trigger laws, African American and Hispanic women constitute a large percentage of overall abortions. What this means is that African American and Hispanic women will be disproportionately impacted by the changing reproductive health landscape and these minority groups may be more inclined to remove their health data from period tracking apps and to stop providing their health data to femtech apps in the future. As a result, algorithms that are used for femtech will be trained on less diverse data that fails to account for differences in race and ethnicity and that can result in less accurate health predictions for minority populations. And that can be a big problem as we're considering women's health long term and making long term predictions about women's diseases and cures and the effectiveness of things like pharmaceutical drugs or other types of treatment. 
The other practical consideration that we really need to be aware of is that the individuals who are deleting their period tracking apps and their femtech apps as a result of the Dobbs decision may actually be the women who need access to digital health solutions the most. The poverty rate for minorities is typically higher than that of Caucasians and the "Wall Street Journal" has actually reported that the poverty rate for African Americans has been roughly one third higher than the poverty rate for Caucasians for more than 30 years. Individuals who are living at or below the poverty line may have more difficulty accessing healthcare treatments and taking time off of work to travel for healthcare services. Digital health, however, can be an especially valuable tool as it enhances access to healthcare solutions that may otherwise be unavailable for certain populations. But without a strong privacy and security infrastructure that's there to protect women's health data, we actually risk exacerbating health inequities and limiting healthcare access, which is the exact opposite of what the femtech industry was created and designed to do. There's also significant concern about the maternal mortality crisis as a result of the Dobbs decision, and in particular, the disproportionate impact that this will have on African American women. Indeed, African American women in the United States are more likely to die from pregnancy or childbirth than women in any other race group, and that's according to a 2018 report from the National Partnership for Women and Families. Black women are also estimated to be three to four times more likely to experience a pregnancy related death than Caucasian women, and that risk actually spans income and education levels. Additionally, black women are more likely than other racial groups to also experience maternal health complications throughout the duration of their pregnancy. 
This means that they're more likely than their Caucasian counterparts to experience things like gestational diabetes, hypertension, preeclampsia, obesity, and other pregnancy complications. And additionally, whenever African American women do go to deliver, about 75% of them will give birth at hospitals that predominantly serve African American patients. And there's research that has shown that hospitals predominantly serving black communities provide lower quality maternal care and also perform worse than other hospitals on about 12 out of 15 birth outcomes. And that includes things like elective deliveries, non-elective cesarean births and maternal mortality. As states move to incorporate full abortion bans, there are actually estimates that suggest that black maternal deaths could increase by 33%, compared to a 21% increase for the overall population. So what this unfortunately means is that we may start to see some greater gender and racial disparities when it comes to healthcare access, healthcare treatment, and all types of healthcare data. And specifically in the birth and maternal context, when it comes to pregnancy related complications, postpartum complications and abortion, we may see significant disproportionate impacts on the black community. And these impacts on maternal mortality are something that the White House is acutely aware of. And in June 2022, the White House delivered a blueprint for addressing the maternal health crisis. In that blueprint, the White House acknowledged that the United States is in fact facing a maternal health crisis, that the country's maternal mortality rate is the highest of any developed nation in the world and more than double the rate of peer countries, and that most pregnancy related deaths are actually considered preventable. 
So the goals that were laid out in the White House blueprint include things like increasing access to and coverage of comprehensive, high quality maternal health services, ensuring that women who are giving birth are actually being heard by their physicians and other decision makers in accountable systems of care, and helping to advance data collection, standardization, harmonization and transparency. Also, helping to expand and diversify the perinatal workforce and strengthen the economic and social supports for people before, during and after pregnancy. Now, in addition to having higher maternal mortality rates and birth complications, what the Dobbs decision also means for African American women is that, as I mentioned before, certain racial groups and ethnicities may be less likely to use these femtech apps because they are worried that their data may get into the wrong hands, such as the hands of law enforcement officers, and can be used to prosecute them for abortion related crimes. And given the high percentage of African American women in the Southern states who are obtaining abortions, and there are a lot of Southern states that are part of those trigger laws, it may make those communities less likely and less willing to invest in and use femtech apps, which have been providing some of the crucial care that these women may otherwise not receive. So this shifting abortion landscape really means that it's crucial for health tech apps and femtech apps to prioritize privacy and security for their users, and also for attorneys to really understand the privacy and security requirements that exist for health tech startup companies that they're advising. So I want to focus our next segment of this presentation on providing an overview of the applicable privacy and security laws for the US healthcare industry and helping to explain where femtech apps fall within or outside of these regulations. 
And truly only through enhanced privacy and security can femtech and health tech companies start to regain the trust of their consumers and continue providing much needed healthcare and reproductive health services, particularly in communities that are going to be hardest hit by these abortion bans. All right, so let's start first by looking at the federal healthcare privacy landscape. So the US federal law governing data privacy for reproductive health data is the Health Insurance Portability and Accountability Act or HIPAA. And while most people equate HIPAA with patient privacy, the concept of patient privacy actually existed long before HIPAA was enacted. Physicians have long recognized the importance of protecting a patient's privacy, and it was actually one of the central tenets of the Hippocratic oath, which was written more than 2,500 years ago. And while the language has evolved since then, that central tenet remains the same: a patient's health information is not for the world to know. By ensuring patient privacy, healthcare providers can foster an environment of trust that allows for free flowing dialogue between the patient and her provider. And that will result in more optimal care outcomes than if patients were afraid to disclose their health data and histories to their providers. So if the concept of privacy has been around for thousands of years in the medical profession, why then did Congress feel the need to enact HIPAA and direct the Department of Health and Human Services, or HHS, to implement regulations that govern healthcare privacy? Well, to answer this question requires us to understand briefly the history of HIPAA. So Congress passed HIPAA in 1996 to address the rising administrative costs and burdens that were associated with healthcare delivery. And it often surprises individuals to know that HIPAA was actually not enacted with the primary purpose of addressing privacy and security of health data. 
Rather, the legislation was originally introduced during Bill Clinton's tenure as president, and it ensured that healthcare coverage would continue when individuals changed employers. So the Privacy and the Security Rules that resulted from HIPAA were not substantively discussed in the actual HIPAA statute. Rather, as a result of this push towards administrative simplification, more healthcare institutions began to use electronic medical records, and that marked the shift towards using digital health information. At the same time, though, organizations encountered difficulty maintaining patient privacy in this new digital world. And as a result, the finalized HIPAA statute required the creation of federal regulatory protections for the privacy of certain health information in certain settings. And this is what became known as the HIPAA Privacy Rule and the HIPAA Security Rule. While HIPAA offers federal protection to patient health data, it's important to recognize that the HIPAA Privacy and Security Rules actually do not apply to all types of health data in all settings. The applicability of the Privacy and Security Rules is purposefully limited. And as a result, most of the femtech apps and products that are on the market today will actually fall outside the bounds of HIPAA. And as we'll discuss shortly, this is really important because there's oftentimes this assumption that HIPAA applies to all health data, and that can cause some false sense of security with respect to what laws are actually applying to patient data to safeguard that data from law enforcement. So given that, it's really crucial to understand when and to whom HIPAA applies. So first, who must comply with the HIPAA Privacy Rule? The Privacy Rule actually only applies to covered entities. So to be a covered entity, an individual or an organization must fall into one of three categories. 
They have to either be a healthcare provider who processes standard transactions, meaning, for example, billing insurance, they have to be a health plan, or they have to be a healthcare clearinghouse. Now, what do these terms mean? Well, a healthcare provider is an individual or an organization who gets paid to provide healthcare. In other words, it's a provider of medical or health services, and any other person or organization who's furnishing, billing or paying for healthcare services through the normal course of business. To be subject to the Privacy Rule, a healthcare provider must transmit health information in electronic form in connection with a covered transaction, which essentially means that the provider needs to bill insurance. This typically means that cash only healthcare businesses are going to be exempt from the HIPAA Privacy Rule, unless they somehow qualify under another covered entity category. Separately, a health plan is an individual or a group that provides or pays the cost of medical care. Examples of health plans that are covered under HIPAA would include health insurance companies, health maintenance organizations, group health plans that are sponsored by an employer, government funded health plans like Medicaid and Medicare, and other companies or arrangements that pay for healthcare. Finally, a healthcare clearinghouse, which is probably the least familiar of all three categories, is an entity that processes information so that it can be transmitted in a standard format between covered entities. More specifically, it's a public or private entity that performs certain functions, including processing or facilitating the processing of health information received from another entity in nonstandard format or containing nonstandard data content into standard data elements or a standard transaction. 
And it can also include receiving a standard transaction from another entity and processing or facilitating the processing of health information into nonstandard formats or nonstandard data content for the receiving entity. Healthcare clearinghouses include companies that provide things like billing services, repricing companies, community health management information systems, and value added networks. And in fact, clearinghouses are often perceived as a go-between for healthcare providers and health plans. So that means that they're going to very rarely deal directly with patients. Now, if an individual or an organization does not fit into a covered entity category, does that mean that your analysis ends there? Well, no, it doesn't get to stop there. The HIPAA Privacy and Security Rules could still be applicable if the individual or the entity qualifies as a business associate. So business associates were not originally contemplated under the HIPAA Privacy and Security Rules. Rather, they were added through subsequent legislation. In 2009, Congress passed the Health Information Technology for Economic and Clinical Health or HITECH Act as part of the American Recovery and Reinvestment Act. The HITECH Act was intended to increase the adoption and implementation of electronic health records and their supporting technology. As a result, HITECH anticipated the expansion in the exchange of electronic protected health information between doctors, hospitals, and other healthcare entities. The HITECH Act also provided monetary incentives for entities who were able to demonstrate the meaningful use of electronic health records or EHRs. And importantly, HITECH also expanded many of the requirements under the HIPAA Privacy and Security Rules to business associates of covered entities. So that brings up the question, what is a business associate? At its most basic, a business associate is a downstream organization or person that works for a covered entity. 
But importantly, it's not an employee of the covered entity. A business associate means any person or entity who, on behalf of a covered entity, creates, receives, maintains, or transmits protected health information for a function or activity regulated by HIPAA, or who provides legal, actuarial, accounting, consulting, data aggregation, management, financial services, or accreditation to or for the covered entity. For example, a business associate may perform claims processing or claims administration on behalf of a covered entity, or conduct data analysis, utilization review, quality assurance or public safety activities. Other examples of business associates would include health information organizations, e-prescribing gateways, attorneys whose legal services to a health plan involve the access of protected health information, an independent medical transcriptionist who provides transcription services to a physician, a pharmacy benefits manager that manages a health plan's pharmacist network, and many, many more. Now, while the definition of a business associate is broad, it's not all encompassing. There are categories of individuals and entities that will not qualify as business associates. And these include healthcare providers with respect to disclosures by a covered entity to that healthcare provider that concern an individual's treatment, a plan sponsor with respect to disclosures by a group health plan to that sponsor, a government agency with respect to determining eligibility for or enrollment in a government health plan, and a covered entity that is participating in an organized healthcare arrangement performing certain functions. So if an individual or an entity does not qualify as a covered entity, that next question you need to ask, right, is whether the HIPAA Privacy and Security Rules apply by virtue of an individual or entity being a business associate of a covered entity. 
If you do not have a covered entity or a business associate involved, then you do not need to continue the HIPAA Privacy or HIPAA Security analysis. That's because you will have a class of individuals to whom the HIPAA Privacy Rule and the HIPAA Security Rule do not apply. Now, assuming an individual or an entity does qualify as a covered entity or a business associate, you need to move to the next step. And that next question is whether that individual or entity collects or processes what is known as protected health information or PHI. The HIPAA Privacy Rule only applies to PHI, and the HIPAA Security Rule applies to an even narrower subcategory, which is electronic PHI or ePHI. PHI refers to individually identifiable health information, including demographic data, that relates to a person's physical or mental health, the provision of healthcare services to that individual or payment for healthcare services, and that identifies the individual or would provide a reasonable basis for identification. And there are certain exceptions to the definition of PHI, one of which is de-identification. So data that has been de-identified in accordance with HIPAA's requirements does not qualify as PHI. All right, so now that we've covered the rules for the applicability of the HIPAA Privacy and Security Rules, let's examine the context in which HIPAA does or does not apply to protect reproductive health data in this post Roe versus Wade world. And first, let's start with femtech apps and products. So it may surprise consumers to know that most femtech apps and products on the market today do not fall within the scope of HIPAA. And this is largely because femtech apps and products are created primarily by the technology industry, not the healthcare industry. And what I mean is that most femtech apps and products are not created by healthcare providers, health plans or healthcare clearinghouses, and they're not created for or on behalf of those organizations. 
While some femtech apps may be used by healthcare providers, such that the femtech company could qualify as a business associate, the majority of femtech apps, particularly during their startup phase, and particularly if they're going direct to consumer for their model, don't have these industry partnerships and don't have a nexus with a covered entity that would subject them to the HIPAA Privacy and Security Rules. So because of that, most femtech apps on the market today are not going to be covered by HIPAA, because the companies that are making these apps and are deploying these apps are not themselves covered entities and are not business associates to existing covered entities. So this means that because the HIPAA Privacy and Security Rules don't apply, there are actually no federal privacy regulations applicable to healthcare that are going to govern the types of femtech apps that are up and running and on the market in the United States. Now, let's contrast that scenario with a situation in which a patient visits her physician and discloses reproductive health data to her OB/GYN. And for this scenario, let's just assume that the OB/GYN does in fact bill insurance. So under this factual scenario, the patient's reproductive health data would be covered by the HIPAA Privacy and Security Rules, because that healthcare provider is considered a covered entity, and reproductive health data, assuming that it's individually identifiable and not de-identified, would constitute protected health information. What this means is that an individual could actually give the exact same reproductive health data to a femtech app and to her healthcare provider, and HIPAA's privacy and security protections would only apply while that data is being held by the healthcare provider, not while that data is held by the femtech app. 
Assuming that a patient does provide reproductive health data to her healthcare provider, meaning a covered entity, how is her data then protected? Well, as we know, the data would be governed by the HIPAA Privacy Rule. And the HIPAA Privacy Rule operates to define and to limit the circumstances under which a covered entity can use or disclose an individual's protected health information. The general rule is that a covered entity may not use or disclose PHI, except as the Privacy Rule permits or requires, or as the individual otherwise authorizes in writing. Now, the Privacy Rule itself only mandates disclosure of PHI in two circumstances. First, to individuals when they request access to or an accounting of the disclosures of their PHI. And second, to the Department of Health and Human Services when it is undertaking a compliance investigation, a review or an enforcement action. You'll notice that disclosure of PHI to law enforcement officers in connection with a court order or lawful subpoena is actually not listed as a required disclosure. So outside of these two circumstances, all other disclosures are either permissible or require prior written authorization by the individual whose data is being disclosed before such disclosure can occur. While the Privacy Rule only mandates disclosure in two circumstances, it does allow disclosure in many additional scenarios. And these are situations in which disclosure of protected health data is permissible but not required. Prior authorization from an individual, however, is not needed for these uses and disclosures of PHI. Now, a discussion of all of the permissible uses and disclosures of PHI under the Privacy Rule is outside of the scope of this conversation, but I want to highlight a few of the most common permissible disclosures that you'll encounter. 
So the first one is disclosure to the individual, and this applies unless the disclosure is required for access or accounting of disclosures, in which case it would be a mandatory disclosure. But this says that a covered entity may disclose PHI to the individual who is the subject of the information. The next permissible use is public interest and benefit activities. So covered entities are permitted to use and disclose PHI without authorization as otherwise required by law, and this can include the disclosure of PHI to public health authorities authorized by law to collect or receive information for preventing or controlling diseases, it can include disclosure to public health or government authorities to report child abuse or neglect, and it can include disclosure to individuals who have contracted or who have otherwise been exposed to a communicable disease whenever that is permitted by law. The next exception, which is one that is very common in the healthcare scenario, is treatment, payment and healthcare operations. So a covered entity can use and disclose PHI for its own treatment, payment and healthcare operations activities, or for the treatment activities of any other healthcare provider, the payment activities of another covered entity or healthcare provider, and the healthcare operations of another covered entity that involve certain activities. The term treatment refers to the provision, coordination or management of healthcare and related services for an individual by a provider. And this can include things like consultations and referrals. Payment concerns the activities of a health plan to obtain premiums and determine payment responsibility or benefits coverage. 
And finally, healthcare operations is a really broad term that can apply to a number of different activities, such as quality assessment and improvement activities, insurance functions, conducting medical reviews and audits, business planning and development, business management, and other general administrative activities. So given this federal healthcare landscape, we know that femtech apps and products, the majority of them on the market today, are not going to be subject to HIPAA protections, and we know that data provided to a covered entity or business associate, such as your healthcare provider who bills insurance, is going to be protected by HIPAA. So let's think now about the correlation here between the federal privacy protections and the post Roe versus Wade world and the risk of healthcare data being turned over to law enforcement officers. In other words, why, now that we have the Dobbs decision, are women excessively worried about their privacy in a way that we haven't seen them worried about their privacy before? Well, as I mentioned, right, in this post Roe versus Wade environment, women are very concerned that the data they're inputting into their femtech apps, or the data that they're providing as part of their course of treatment and care to their healthcare provider, could end up in the hands of law enforcement officers. And as we continue to see more and more states ban or restrict abortion, there's a fear that that data could be used to prosecute the woman, or otherwise prosecute providers or those who aid or abet the woman in obtaining an abortion, and have criminal or civil consequences. And while this may seem theoretical, Facebook recently turned over data to law enforcement officers in Nebraska that is being used to prosecute a mother and her daughter for an illegal abortion. And this case really shows how data can be used against women in this post Roe reproductive health landscape. Now, there's a lot of nuance to that Facebook case. 
And specifically, the original charges were actually filed before the Dobbs decision. But since the Dobbs decision came out, more and more data was gathered from traditional sources, right, we're not talking period tracking apps here, we're talking Facebook, showing their communications, and given the Dobbs decision, there was a retroactive addition of a new charge in that case. So it's interesting to see that this does actually play out. And so given that, what are the ways in which law enforcement can obtain data, and how does that align with HIPAA protections, which do apply in certain circumstances, like with healthcare providers? Well, there are four ways in which law enforcement officers can generally obtain reproductive health data post Roe versus Wade. First, data can be obtained directly from a woman's digital device and the applications on it. As I mentioned, HIPAA is generally not going to protect the data that resides in those types of femtech apps. Law enforcement officers are also very attuned and very astute at requesting and obtaining digital data about suspected criminals. They do this on a regular basis, even outside of the reproductive health context. So in addition to this Facebook Nebraska case, law enforcement officers also previously obtained Google search history data in 2017, and used that data to charge Latice Fisher with murder for the death of her fetus. So it's very important that consumers understand how their data may be disclosed to law enforcement officers directly from reproductive health companies. If your period tracking app is served with a subpoena for your reproductive health data, the majority of the time, unless there's good cause, the company is going to have to comply and turn over your data. Another way in which law enforcement can obtain data is through downstream third parties such as data brokers. And this avenue is much more common with femtech apps than with healthcare providers. 
So what may happen, right, is that your femtech app could have as a permissible disclosure that it says in its privacy policy that it's going to disclose the data downstream to data brokers. What data brokers do is they collect and combine data, package it up and sell it. Anyone can go to a data broker and buy data; you can do it, I can do it, law enforcement officers can do it. And this is actually a way in which law enforcement officers can obtain data that they otherwise would have to get through a lawful subpoena. The third way is that law enforcement officers can obtain data directly from femtech and reproductive health companies through those lawful subpoenas and court orders. That's one way in which they can do it for the femtech apps. Now, let's think about that, though, through the lens of a HIPAA protected covered entity. If a law enforcement officer comes and serves a reproductive health company, like an OB/GYN practice, with a subpoena for health data, does the healthcare practice have to turn over that data? So the interesting thing, right, is that as I mentioned, turning over data under HIPAA to law enforcement officers is not a required disclosure. And HHS's Office for Civil Rights, OCR, recently issued guidance on the applicability of the HIPAA Privacy Rule to the protection of reproductive health data. And what this means is that disclosures of data to law enforcement officers under the HIPAA Privacy Rule are considered permissible, not required, disclosures. This means that a covered entity may respond to a law enforcement request to turn over reproductive health data that is made through a lawful court order or subpoena, but that it's not legally required to do so. So for example, if a law enforcement official presents a reproductive healthcare clinician with a court order for records of abortions that were performed at the clinic, the clinic could, but would not be required to, produce the records. 
If the clinic did produce the records, it would be a permissible disclosure under the HIPAA Privacy Rule, and the clinic would not be in violation of the HIPAA Privacy Rule. Practically speaking, what this means is that each healthcare provider or covered entity is going to be responsible for determining their own policies and procedures governing the disclosure of reproductive health data. Finally, the fourth way in which law enforcement can easily obtain data would be through data that's stolen in a breach or a cyber attack, and subsequently disclosed to law enforcement by a cyber criminal. So to quickly sum up what we've learned so far, right? We know that data is going to be more vulnerable to law enforcement subpoenas and court orders if that data resides in a femtech app or a product that exists outside the bounds of HIPAA, but that reproductive healthcare companies and providers that are considered covered entities or business associates have more control over whether or not they will disclose reproductive health data upon receipt of a law enforcement subpoena, court order, et cetera. It does not mean that healthcare providers will not turn over that data, just that it is a permissible and not a required disclosure. All right, so we've covered the federal landscape. And now, in addition to the federal landscape, we also need to address state reporting laws. So as we know, right, covered entities can elect whether to disclose reproductive health data under the HIPAA Privacy Rule. There are, however, some state laws that do mandate provider reporting of abortions in certain circumstances. And these state abortion reporting requirements are not new, and they actually do not represent a direct response to the Dobbs decision. Rather, the Centers for Disease Control and Prevention has been partnering with states for over four decades to collect statistics on abortion in the United States. 
And while states are not required to submit abortion data to the CDC, the majority do. And to collect this individual level data, the majority of states have imposed reporting requirements on providers who do perform abortions. So currently, according to the Guttmacher Institute, 46 states and the District of Columbia require hospitals, facilities and physicians that provide abortions to submit regular and confidential reports to the states. 28 states require providers to report post-abortion complications and 16 states require providers to give some information about the patient's reason for obtaining the abortion. 10 states specifically ask whether the abortion was performed due to a threat to the woman's health or life, and seven states inquire whether the abortion was performed as a result of rape or incest. 15 states ask whether the abortion occurred because of a diagnosed fetal abnormality, and 14 states require providers to indicate if the state mandates for abortion counseling and parental involvement were satisfied. So what this means is that depending on state law, providers may be obligated to report the performance of an abortion to the state. Often, the reports do not include identifying information about the woman who obtained the abortion, but going forward, especially in this changing abortion landscape, the reports could conceivably be used to prosecute women in the future in states where abortion is illegal. So it's important for patients to remember that HIPAA is not the only governing framework for healthcare data disclosures. In addition, we also have state privacy laws and these may operate to protect patient health data that is either already protected under HIPAA, or that falls through the cracks of HIPAA, as we've seen with the femtech products. And depending on how the state laws are worded, these laws and requirements may apply to femtech companies. 
They may not apply to femtech companies, depending on where those companies are operating and whether or not they meet the threshold eligibility requirements. So it's really important as an attorney to make sure that you're also analyzing state privacy law and advising any of your startup health tech companies on those state law requirements. States that have passed privacy legislation currently include California, Colorado, Connecticut, Virginia, and Utah. Finally, it's important to understand the role that the Federal Trade Commission or FTC plays in privacy. So the FTC has the power to investigate and to stop unfair and deceptive acts and practices against consumers. This means that femtech companies need to accurately describe their data collection and disclosure practices in the privacy policies that they publish externally to the patients and the users of their products. If a femtech company fails to accurately disclose to consumers how it is using and disclosing data, it could be subject to an FTC investigation and future consent orders. And that's actually what happened to the popular period tracking app Flo in 2021. Flo was expressly telling its consumers it was not using or disclosing data to certain third parties when, in fact, Flo was using and disclosing data to those third parties. So what can femtech companies do, right? In light of the Dobbs decision, femtech companies have to ensure that they're adequately protecting and safeguarding reproductive health data in order to minimize the chances that this data will be used against a woman to prosecute her for an abortion. It's also necessary that we re-instill trust in the femtech community so that we don't end up with data that's less diverse and less reflective of the overall female population. So real quickly, here are four key steps that femtech companies can take. 
First, they can map their data flow, meaning create a data map and understand all of the places in which your data is being collected and is being disclosed. Second, only collect the minimum necessary data. So look at your app and make sure that you're not collecting excess data. There's a huge tendency in today's world to collect more data than necessary. So femtech companies should ensure that they are only collecting what's necessary to make their algorithm or product function. Third, limit the sale of reproductive health data, and specifically, limit disclosures to data brokers to only those that are absolutely necessary for your revenue stream. And then finally, review and update privacy policies to make sure that they are accurate and fully disclose to your consumers the way in which data is being used. On the other side of the spectrum, what can healthcare providers be doing to enhance data protection? Well, healthcare providers should be determining their organizational policies on how to handle subpoena requests from law enforcement officers when reproductive health data is involved. They should communicate to patients how their data is being protected, along with the provider's policy for disclosure of health data to law enforcement officers, and they should enhance cybersecurity protections and protocols. So thank you so much for attending today. I know that was a lot of action-packed information about a very rapidly changing reproductive health landscape. It's important that both femtech companies and healthcare providers ensure that they understand and abide by their obligations to safeguard reproductive health data in this new reproductive health environment. And it's also important to reassure patients and consumers that their data is valued, protected, and will be safeguarded in order to regain trust in women's health innovation.