Data privacy in a potential post-Roe world – MedCity News
What will data privacy look like now that the Supreme Court overturned Roe v. Wade (as well as Planned Parenthood of Southeastern PA v. Casey) and removed federal Constitutional protection for abortion in the case Dobbs v. Jackson Women’s Health Organization? The exact answer, for now, will depend how each state wants to treat abortion, how aggressive each state and various levels of officials are in enforcing new laws, and how businesses holding private information will respond. The majority opinion from the Supreme Court has thrown open the doors to a significant amount of both increased and ongoing conflict. It has not alleviated, nor should it be expected to alleviate, the fractures in public debate as it claimed the longstanding precedent had exacerbated.
The majority opinion
Before considering where data privacy may go, it will be helpful to briefly summarize the majority opinion. From a very brief perspective, the Supreme Court’s majority opinion removes the prior Supreme Court precedent of recognizing Constitutional protection of the right to obtain an abortion. The majority opinion asserts that a definition of the word “liberty” does not extend to recognizing a right to abortion (it is helpful to remember that the decision in Planned Parenthood of Southeastern PA v. Casey shifted the analysis from privacy to liberty). In reaching the determination, the majority goes through a historical analysis and discussion of how the Roe and Casey precedents were allegedly unworkable.
A point emphasized in the majority opinion is that the decision does not (at this point in time at least) provide an assessment of any other right recognized to be covered by the penumbra of privacy. The penumbra of privacy has been cited by the Supreme Court in a number of decisions both before and after Roe to create Constitutional protections for, among other things, access to contraception, interracial marriage, same-sex marriage and more. The majority opinion asserts that those other rights, all connected to privacy, are not being impacted, but the line of reasoning utilized in the majority opinion could support future challenges. Troublingly, a concurring opinion does explicitly call for all of the other privacy rights to be re-evaluated, which may be a siren call for some.
Back to the states
Even with the majority opinion and its removal of precedent that had been in existence for almost fifty years, abortion is not banned or illegal at the federal level. The majority opinion does mean that no parameters or guardrails are recognized under the Constitution, which leaves the decision of how to regulate abortion completely up to the states or Congress on a federal level if that can happen. Leaving the decision to each state means that 50 (or more if protectorates are considered) different laws will determine whether abortion is legal or not or to what extent the service is available.
Concerns arise in the number of states where new laws are being passed to wholly restrict or greatly limit access to abortion as well as states with trigger laws. A trigger law is a law that was previously enacted, but with a built-in clause that the law is only in effect if or when a controlling precedent changes. In the case of abortion, the trigger laws all look to Roe being overturned or changed in such a way that the severe restrictions or criminal provisions would not be pre-empted by interpretation of the Constitution. Those laws are all now becoming effective.
With Roe now overturned, the states with statutes criminalizing abortion will assert specific interests in determining whether individuals have violated those laws. The criminal aspect creates the opportunity for criminal investigations and the basis for using state powers in those investigations. The investigations could include subpoenas, warrants for documents, and related police work. All of those tools are commonly used to investigate suspected criminal conduct and gather evidence to support an indictment and/or prosecution. That comes down to gathering information using processes that take advantage of available formal mechanics.
The impact under HIPAA
What do all of the swirling winds mean for privacy? The shortest, least nuanced answer is that privacy will very likely be pretty severely impacted in a state where abortion is criminalized. Using HIPAA as an example, patient information may be disclosed to law enforcement pursuant to a valid warrant or subpoena. If a statute criminalizes abortion for the individual going through the process or providing the service, it would not be a stretch to see an investigation request medical records to determine whether an illegal procedure occurred. The disclosure pursuant to such an investigation is one of HIPAA’s uses and disclosures that does not require giving an individual an opportunity to object. That means medical records would likely be turned over without the subject individual knowing what was happening.
The same outcome can occur in a non-criminal court proceeding too. If a subpoena or other lawful process requesting documents is served, then disclosure of medical records may occur without giving an individual an opportunity to object (assuming all of the elements called for by the HIPAA Privacy Rule are satisfied).
An open question is how much an entity receiving such a request will want to fight the request. The language in the HIPAA Privacy Rule is interesting because in both examples given (law enforcement or court proceeding) the entity may disclose protected health information. The use of the word may suggest a decision can be made because “may” is not an obligatory word. Will an organization make the decision to refuse a request based on the word “may”? It will certainly be a potential argument to watch, though the prospect is not necessarily farfetched.
Non-HIPAA scenarios
The privacy picture is much murkier for all of the newer technology-based solutions that are presented on a direct-to-consumer basis. More often than not, a direct-to-consumer solution falls outside HIPAA’s coverage area. If HIPAA does not apply, any privacy protections may rest upon state laws. Direct application of state law to an organization is not assured. Many of the new privacy laws being adopted have threshold requirements compliance becomes necessary.
Regardless of whether a state privacy law applies or not, the same considerations or exemptions will likely apply to law enforcement seeking to obtain data. It is highly unlikely that the laws would completely prevent law enforcement from getting at the data. The laws may require certain hoops to be jumped through, but ultimately the data can be forced out.
The terms of use or privacy policy of service are also important. When HIPAA does not apply, the primary limitation is just being honest and transparent about how data will be used. If it is stated how the data will be used and disclosed, then the data can be used in those ways. While there may be some nuance, that is a pretty solid baseline.
How can privacy be enhanced?
In light of privacy not being absolute, what can be done to enhance protections? New laws setting out protections or limitations on access could be a good start. If certain, clearly defined data sets are more concerning than others, then legislation could create needed shields. Another outcome will be organizations taking stands on how data collected will be disclosed or if a fight will be pursued. The nature of such stances could influence use.
The Supreme Court’s majority opinion in Dobbs will create a big mess around what data will be revealed and the repercussions that will come when data are obtained. Individuals will bear the brunt of the burden while it all gets figured out.
Photo: JuSun, Getty Images