HIPAA Won't Always Protect Your Health App Data In A Post-Roe World

Medical data is thought to be private, but there are loopholes in HIPAA, especially when it comes to apps and possible abortion information.
Posted at 8:08 PM, Jul 06, 2022

Legal battles over abortion have sprung up across the country since the Supreme Court overturned Roe v. Wade. There’s been confusion among medical providers, patients and law enforcement over what information could be used against someone in court if they try to get an abortion that’s been criminalized.

In particular, there’s been a lot of discussion about what medical info law enforcement can get by just using what’s already on someone's cell phone, and it’s actually much easier to get to than one might think.

But before we get there, you may think medical data is mostly private anyway, so how much damage can be done? Well, let’s talk about HIPAA.

A lot of Americans might assume any medical decision, procedure or data is completely protected by HIPAA — the Health Insurance Portability and Accountability Act. The law created standards to protect sensitive health information from being disclosed without patient consent, but there are a lot of misconceptions around what HIPAA actually covers, and what it doesn’t.

This can potentially include anything that might indicate a patient was considering and seeking an illegal abortion, not just the procedure itself.

For services that are subject to HIPAA rules, like a typical hospital, the data protections are still not as strong as you might think.

To start, there are 12 "national priority purposes" within HIPAA that allow for information to be disclosed without your permission. Law enforcement is only one of them. Information can be disclosed for things like court orders, identifying potential witnesses to a crime or if the entity holding the info believes the medical data is evidence of a crime.

It should be noted that the Department of Health and Human Services issued updated guidelines to clarify privacy rules specifically relating to abortion. For example, they noted any hospital employee who suspects a patient had an illegal abortion cannot report to law enforcement unless the state’s law requires it.

It’s important to understand this doesn’t fundamentally change HIPAA, nor plug these security gaps in HIPAA completely. Some legal experts have noted healthcare providers are one of the most common ways for a patient to be prosecuted, but it’s not the only one: Many cases also begin with a personal report to law enforcement from an angry partner or acquaintance.

Once law enforcement is alerted and the prosecution is trying to determine if a pregnant person tried to end their pregnancy, that’s where that phone data is going to come into play, and there is a lot of data they can pick through.

Apps that collect and store important health information can have surprisingly poor privacy protections. Digital health products aren’t covered by HIPAA, so companies have more flexibility with your data. An investigation from the tech outlet Motherboard found just how easy it was for data brokers to buy and sell data from apps like Clue, one of the most popular period-tracking apps in the U.S. Plus, that’s all without a warrant.

The team bought a sample of data for just $100 off the data marketplace Narrative, which is a platform that lets anyone easily sign up and purchase app information directly. The purchase took just minutes and included over 5,000 identifiers for devices that allegedly belonged to Clue users. These kinds of identifiers are technically not supposed to be connected to names and people, for anonymity, but it should be noted there are legal ways to connect those dots anyway. Clue released a statement claiming the identifiers don’t correspond to user IDs and that they don’t know where this data comes from.

It’s not just health-related apps that might be incriminating. Any ordinary apps can have location tracking data, and Motherboard also found at least one data broker who has sold location information for users that visited abortion clinics.

There have already been at least a couple of cases where women have been incriminated using data like this — not even medical info, just data as straightforward as your search history.

Take this case in 2017, where a woman in Mississippi was charged with murder after a failed pregnancy. She had confessed to a nurse she had wanted to terminate the pregnancy, so prosecutors tried to prove this with search history on her phone that showed she looked into options. The murder charge was eventually dismissed. In 2019, prosecutors also used the browsing history for a young mother in Ohio to try and argue her stillborn baby was actually killed. She was also ultimately acquitted of murder charges.  

That was all before the overturning of Roe v. Wade. It’s likely we may see many more cases like these. The murky legal waters after the ruling have put a spotlight on already existing issues with incriminating data. Perhaps this could be cause for changing the way we think about tech, health and our own data privacy.