Biden Order Seeks to Protect Reproductive Data Privacy
Executive Order Addresses Concerns in Aftermath of SCOTUS Ruling
U.S. President Joe Biden signed an executive order Friday aimed at protecting individuals' access to reproductive healthcare services, including provisions to help safeguard the privacy of patients' data.
The executive order is a response to the U.S. Supreme Court last month overturning a constitutional right to abortion embodied by the five-decade-old precedent Roe v. Wade. Since then, at least nine states have successfully banned abortion, and more are expected to soon follow.
"There is increasing concern that extremist governors and others will try to get that data off your phone, out there in the ether, to find what you're seeking, where you're going and what you're doing with regard of your healthcare. Talk about privacy. … There's no privacy, period," Biden said today during a press conference where he was flanked by Vice President Kamala Harris and Department of Health and Human Services Secretary Xavier Becerra.
"Right now, when you use a search engine or the app on your phone, companies collect your data and sell it to other companies. They even share it with law enforcement," Biden said.
The executive order encourages the Federal Trade Commission to protect patient privacy when it's threatened by the transfer or sale of sensitive health-related data and by the pervasive collection of consumer data, a move Biden says is directed against data brokers.
Federal Trade Commission Chair Lina Khan is widely expected to soon initiate a privacy rule-making by invoking the agency's power to police unfair and deceptive practices.
The order also instructs the Department of Health and Human Services to consider actions, including under HIPAA, to better protect sensitive information related to reproductive healthcare.
The order further directs HHS, the FTC and the Department of Justice to collaborate on options to address deceptive or fraudulent practices, including online, and to protect access to accurate information about reproductive health.
The executive order comes about a week after the HHS' Office for Civil Rights issued new HIPAA guidance clarifying that, with limited exceptions, medical clinics, physicians and other healthcare providers are not required - and in many cases, not permitted - to disclose patients' private information to law enforcement authorities (see: HHS Tackles Data Privacy Concerns Linked to Abortion Ruling).
Along with the recent HIPAA guidance for healthcare providers, HHS OCR also last week issued guidance for individuals pertaining to the steps they can take to better protect the privacy of their personal information, including how to turn off location settings on mobile apps.
Regulatory attorney Rachel Rose tells Information Security Media Group that criminal cases and subsequent convictions would have the most significant impact on deterring conduct involving privacy violations.
A critical segment of HHS' recent HIPAA guidance, she says, states that "in the absence of a mandate enforceable in a court of law, the Privacy Rule's permission to disclose personal health information for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other healthcare provider's workforce member chose to report an individual's abortion or other reproductive healthcare."
That is important, because whether a healthcare worker initiated a disclosure about a patient seeking abortion or disclosed PHI at the request of law enforcement authorities, that disclosure would be in violation of the HIPAA privacy rule, she says.
"The greatest power that both the DOJ and the FTC can wield is enforcement actions - holding people accountable by instituting criminal and civil actions, coordinating with agencies to have perpetrators enter into corporate integrity agreements, and levying significant monetary penalties and fines," Rose says.
Meanwhile, Congress also has the power to potentially enhance data privacy protections in the aftermath of the Supreme Court's ruling, Rose says.
More to Do
Privacy attorney David Holtzman of the consulting firm HITprivacy LLC says that online tracking of an individual's internet activity is a widespread practice that to date has not been addressed through enforcement of the HIPAA privacy standards.
"Healthcare organizations and their IT vendors may install third-party trackers on their websites and patient portals to measure traffic to their sites and the effectiveness of ads on social media platforms," he says.
"These tools are free to use, but the HIPAA standards get blurred when the companies that build the trackers, like Google and Meta, keep the data. In the case of people seeking reproductive healthcare, the tracking and sharing of personally identifiable information is a critical privacy issue," according to Holtzman (see: Lawsuit: Facebook is Collecting Patient Data of 'Millions').
Holtzman, a former senior adviser at HHS OCR, suggests that HHS should examine where it has authority to limit the collection and disclosure of health information collected through these internet trackers.
Where data falls outside of HIPAA, HHS should look to use its enforcement discretion to exclude information about reproductive health from the requirements of its Information Blocking Regulations that prohibit interfering with third-party access to data, he says.
"HHS could also modify the information blocking regulations and the certification standards for health IT to address the use of website trackers that collect identifiable data about patients when they interact with patient portals maintained by electronic health records vendors, healthcare providers and health information exchanges," he says.
Nonetheless, the Biden executive order is "mostly instructions about things to do in the future," says privacy attorney Kirk Nahra of the law firm WilmerHale.
"These are thoughtful starts on next steps, where the real thinking will be how to change/improve existing rules," he says.