An executive order signed by President Biden places the White House’s weight firmly behind states where access to abortion is guaranteed, urging the FTC and other executive entities to examine and reinforce data protection policies. Without a digital trail to follow, attempts to criminalize private medical activity across borders may prove far more difficult.
The legal battles ahead over reproductive rights in the post-Roe era will likely be complex and unprecedented, and data will be an important part of them. As a medical procedure, abortion is covered under the federal patient privacy law HIPAA, but that will likely conflict with state rules demanding disclosure. Furthermore, digital services like period-tracking apps and even fitness and wellness platforms may track and even sell data that could be incriminating.
The executive order fundamentally limited in what it can achieve (as many will recall, Trump issued dozens to little effect), but it does emphasize which and where federal resources will be deployed in the legal conflicts to come. The full text of the EO is here, but let’s look at the portions most immediately relevant to the tech industry. (Quoted text is very lightly edited for brevity.)
First, the Secretary of Health and Human Services will issue a report …
… identifying ways to increase outreach and education about access to reproductive healthcare services, including by launching a public awareness initiative to provide timely and accurate information about such access, which shall … share information about how to obtain free or reduced cost reproductive healthcare services through Health Resources and Services Administration-Funded Health Centers, Title X clinics, and other providers; and … include promoting awareness of and access to the full range of contraceptive services, as well as know-your-rights information for those seeking or providing reproductive healthcare services.
This is clearly directed at attempts to limit the information available to people seeking care; some states plan to make it difficult to know what options are actually available, whether it’s legal to travel to another state for a procedure or medication (it is) and so on. While the feds can’t force, say, a state health agency to provide information on where to get abortion pills or the like, they can ensure that this information is available in the state through other means. They may even get a foot in the door with hospitals and clinics that take federal funding.
While that may seem elementary (of course the federal government can put whatever it wants on its own sites), the real goal here is enumerating the ways that states will attempt to control information and how best to counteract those.
Next, federal entities including the attorney general and Homeland Security will “consider actions” to address new safety and security risks associated with providing or seeking reproductive care.
To address the potential threat to patient privacy caused by the transfer and sale of sensitive health-related data and by digital surveillance related to reproductive healthcare services, and to protect people seeking reproductive health services from fraudulent schemes or deceptive practices:
The Chair of the Federal Trade Commission (FTC) is encouraged to consider actions … to protect consumers’ privacy when seeking information about and provision of reproductive healthcare services.
The Secretary of Health and Human Services shall consider actions, including providing guidance under [HIPAA] and any other statutes as appropriate, to strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.
The first part of this is clearly a warning to major tech companies like Google and Meta, which have means and opportunity to track people’s behavior down to a disturbingly granular level. We’ve all read horror stories about people seeing ads for baby products before they’ve announced they’re pregnant. Now imagine if a state required a company to disclose if a user had discussed or was algorithmically categorized as seeking an abortion.
Protecting people from “fraudulent schemes” seems less an issue than the everyday trade in potentially sensitive information to the likes of data brokers. The FTC may very well issue guidance on this issue pertaining to claims of “privacy” that are not borne out by a company’s actual practices.
The HIPAA part is a difficult one, as there will almost certainly be a direct conflict between federal non-disclosure laws and state forced-disclosure laws that will have to be worked out in court. While that is likely to be a years-long conflict and speculation upon its outcome would be fruitless at this stage, in states where abortion remains legal it may be simpler.
Health and Human Services is likely to issue guidance and interpretation of HIPAA regulations that favor privacy in a fashion specifically tailored to spoiling cross-border requests. If state law and federal law stack up to protect a patient’s privacy, suits and requests from states looking to criminalize behavior in neighboring jurisdictions may be non-starters.
The next section adds to this in that the AG will provide “technical assistance” to states on the matter of protection for out-of-state patients, which is as much as saying “let’s write that law together.”
To some, this executive order will appear to be something of a nothingburger; and indeed if this is all the administration can bring to bear after weeks of inaction, that is justifiably disappointing to those urging more concrete action. But although it accomplishes little on its own, it clearly shows the administration’s intent to, at the very least, stand behind states fighting to protect reproductive rights rather than those curtailing them.