Dobbs – A Two Year Retrospective
Center for Democracy & Technology
By Andrew Crawford & CDT Intern Ebie Quinn
I. Introduction
Two years ago, the Supreme Court decided Dobbs v. Jackson Women’s Health Organization, reversing prior court precedent under Roe v. Wade and its progeny that guaranteed constitutional protections for abortions. As a result of Dobbs, individual states were given the ability to decide how, and how much, to burden abortion practices and reproductive health care in general. States have responded to Dobbs in a variety of ways. While some states have expanded and codified access to abortion, others have severely restricted or prohibited abortion entirely.
States that have criminalized or otherwise restricted abortions will seek to enforce those laws. One common way to prove such allegations is by collecting data about the content of people’s text messages, their purchase history, or their visits to certain doctors. For instance, in 2022, law enforcement in Nebraska attempted to use private online communications to prosecute a mother for assisting her daughter in connection with an alleged abortion. Police involved in this investigation sent a warrant to Facebook and retrieved the contents of private messages between the mother and daughter for use in a criminal prosecution. Moreover, given the growing prevalence of medication abortion — and the ability to receive reproductive health services through telemedicine — enforcement of anti-abortion laws may increasingly rely on digital and electronic information.
The looming threat of criminal penalties has also undermined trust between patients and health care providers. Patients who worry that the information they share with doctors and hospitals may be used against them will be much less likely to be truthful and candid with their providers, which can result in lower quality and less beneficial health care.
Medical privacy has been dramatically reshaped in the two years since Dobbs. This post describes these changes at both the state and federal level. Moving forward, CDT believes it is essential to ensure that patients have a full expectation of privacy when it comes to health care data – as well as the broad range of seemingly unrelated data that can be used to deduce health care activities – and that companies, who can be compelled to share private information in lawsuits and investigations, minimize the collection, storage, and sharing of sensitive health data in order to enhance users’ trust and privacy.
II. State Activity
In the wake of Dobbs, several states have taken measures to protect sensitive health data. Some states have enacted privacy laws, either comprehensive or health-specific. Through legislative action and governor-issued executive orders, some states have also enacted “shield laws” which restrict the sharing of data related to reproductive health care in various forms, such as in response to an out-of-state investigation. By implementing these shield laws, states aim to protect the data of patients and providers within their jurisdiction, regardless of whether or not the patient is a state resident. CDT’s June 2024 Issue Brief, Two Years After Dobbs: An Analysis of State Laws to Protect Reproductive Healthcare Information from Interstate Investigations and Prosecutions, describes these laws in depth.
Health Privacy Laws
In the two years following the Dobbs decision, states including Washington, Connecticut, and California enacted data privacy protections that either include or specifically address sensitive health data — as well as other forms of sensitive data that may be used to determine health status and activities.
Washington: My Health, My Data Act
In 2023, Washington State did what many other states and the federal government have not: it passed a comprehensive health privacy bill, which went into full effect on March 31, 2024. Under the My Health, My Data Act, Washington residents have more agency and control over how their health data will be collected, used, and shared by companies. While this bill is not perfect, it’s an important model for lawmakers seeking to enact meaningful privacy protections.
The legislation responds to countless instances in which data about a person’s health, including reproductive health data, has been collected, used, or shared in harmful ways. Key provisions of the bill stop companies from collecting or sharing consumer health data when that data is not necessary to provide a product or service that a customer has requested. These are strong limitations and are similar to those found in other legislative proposals, like the federal American Data Privacy and Protection Act (ADPPA) introduced in Congress in 2022, and the American Privacy Rights Act (APRA) introduced in Congress in 2024. Washington’s My Health, My Data Act also has robust mechanisms for people to access and delete their health data.
Connecticut: Online Privacy Act
Connecticut enacted Public Act 23-56, the Online Privacy Act, in order to strengthen protections for sensitive health data. This act introduces safeguards on the collection and storage of sensitive health data by businesses in the state. It requires that businesses allow consumers to view their personal data and have the option to delete it. The act explicitly includes information about reproductive health and gender-affirming care in its definition of “Consumer Health Data.” Importantly, the Online Privacy Act prohibits the use of geofencing to track consumers, or to gather or send consumer data, within 1,750 feet of reproductive health facilities. Both Nevada and New York have also implemented similar geofencing prohibitions.
California: California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) sets baseline privacy protections for Californians, including the right to know what personal information a business collects, the right to delete that information (with some exceptions), and the right to opt out of the sale or sharing of that information. The CCPA applies to for-profit businesses that operate in California and meet thresholds based on annual revenue, the number of consumers whose personal information they handle, or the share of revenue they derive from selling or sharing personal information. While it does not apply to health information captured by HIPAA (i.e. information held by HIPAA-covered entities such as medical providers and insurers), it does capture sensitive medical data that falls outside HIPAA’s scope (e.g. health information gathered by your smartphone or a health tracking app). These types of comprehensive regulations enhance consumers’ ability to exercise control over their own data and mitigate potential data privacy risks post-Roe.
Shield Laws
Shield laws, at their core, aim to protect people’s health privacy by prohibiting entities who hold or can access people’s healthcare information from sharing such information in an investigation or prosecution under the anti-abortion laws of another jurisdiction. States have taken multiple approaches towards this goal, varying in application and scope:
Government Officials
The majority of state shield laws apply to state government officials, such as law enforcement and state courts. These laws prevent officials from assisting other states in abortion-related investigations or prosecutions made possible through Dobbs. This means that state judges and law enforcement are prohibited from issuing or executing subpoenas and other legal process on behalf of an out-of-state investigator, or aiding extraditions that further criminal abortion prosecutions and civil litigation. These restrictions help protect health care providers and recipients from state investigations or lawsuits that may seek to target them even when the care was lawful in the state where it was provided.
Communication Service Providers?
States like Washington and California have sought to protect private messages and other digital information by enacting broader laws that apply to electronic communications service providers. These laws prohibit companies like Meta and Google from providing consumer communications and other data, such as web browsing information, for use in out-of-state abortion investigations or prosecutions. Under this form of shield law, personal messages sent to a physician or friend are protected from being shared in an anti-choice law enforcement action.
Medical Providers
Some states apply their shield laws to medical professionals, organizations, and electronic health networks. These laws restrict medical providers or other entities that hold medical data from sharing that data for use in out-of-state investigations. These laws take a similar approach to the U.S. Department of Health & Human Services’ recent update to the HIPAA Privacy Rule, which prohibits HIPAA-covered entities from disclosing protected health information to investigators when the healthcare is lawful under the circumstances in which it was provided. This new HIPAA Rule is discussed in more detail below.
Out-of-State Care
In the wake of the Dobbs decision, an increasing number of patients are turning to remotely-prescribed abortion medication. In response, some states have drafted shield laws to protect individuals within their jurisdiction who provide reproductive health care services to people who may be located outside their state. These laws recognize that telemedicine providers, and even in-person providers issuing a prescription for abortion medication like mifepristone, may not know the geographic location where their patient takes the series of pills for a self-managed abortion. The law protects such providers, and prohibits them from sharing patients’ information to support an out-of-state lawsuit or investigation. It seems likely that these laws in particular will be challenged by anti-abortion officials, with some going to the Supreme Court.
Gender-Affirming Care
Finally, some states have protected information relating to gender-affirming care in their shield laws, in addition to information about reproductive health care. These provisions similarly serve to protect doctors and patients from out-of-state investigations by prohibiting disclosure of sensitive patient data related to gender-affirming care.
The below chart provides a summary of the 19 shield laws currently in effect; CDT has also prepared a detailed analysis of these shield laws in each of the states in which they’ve been enacted. See chart at link.
III. Federal Protections
In addition to the state action prompted by Dobbs, the decision prompted renewed calls for comprehensive and health-specific privacy protections at the federal level. In the absence of legislative movement, executive agencies used their existing authority to protect the data of those seeking and providing reproductive health care.
Key actors included the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) and the Federal Trade Commission (FTC), which issued guidance and brought new enforcement actions against entities that failed to protect people’s private health information.
HHS Office for Civil Rights
Earlier this year, the Department of Health and Human Services’ Office for Civil Rights took a crucial step in protecting sensitive reproductive health data with its new HIPAA Privacy Rule to Support Reproductive Health Care Privacy, which updated the Privacy Rule it issued under the Health Insurance Portability and Accountability Act (HIPAA). Specifically, the rule prohibits covered entities and their business associates from disclosing protected health information in response to requests and legal process (such as subpoenas, court orders, and warrants) for the purpose of investigating or imposing liability on a person for seeking, obtaining, providing, or facilitating reproductive health care that was lawful under the circumstances in which it was provided. When a covered entity receives a request for protected health information potentially related to reproductive health care for health oversight, judicial or administrative proceedings, or law enforcement purposes, it may disclose the data only if the request is accompanied by a signed attestation that the data will not be used for such a prohibited purpose.
In issuing this rule, HHS OCR sought to respond to increasing mistrust in the medical system post-Dobbs, as patients fear their medical data might be shared without their knowledge, and even used against them in court. The HHS OCR rule helps to create an ecosystem in which patients can safely seek out reproductive health care and share information with their doctor confident that their data will be kept private.
This rule also seeks to empower providers of reproductive health care. Previously, the HIPAA Privacy Rule operated on a permissions basis, in which providers had discretion when responding to requests by law enforcement for patient data related to reproductive care. However, the uncertainty of the discretionary model put the burden on doctors and providers, who often felt pressured to comply with requests from law enforcement, to discern and fulfill their affirmative obligations. In shifting the model from permissions to prohibitions, HHS OCR simplifies the decision making process for health care providers, empowering them to protect their patients.
In addition to the new final HIPAA rule, HHS OCR has taken additional actions to keep health data private. In December 2022, HHS OCR released a Bulletin highlighting the important privacy obligations under HIPAA that health providers (like doctors’ offices and hospitals) must follow when using apps and websites. OCR’s bulletin is designed to address an ongoing problem where data shared by patients with their health providers is also being inappropriately shared with advertisers. There are ample news accounts of health providers’ services, like patient portals, containing tracking technologies, such as cookies or “beacons,” that can collect and share people’s health information with unrelated third parties to be used for purposes such as targeted advertising. This bulletin has been subject to legal challenges and in June of 2024, a federal judge in Texas found portions of the guidance unlawful. At the time of writing, it is unclear how OCR plans to proceed in the wake of this ruling.
HHS OCR has also partnered with the U.S. Food and Drug Administration and the Federal Trade Commission to release a Mobile Health App Interactive Tool. This interactive tool is designed to assist mobile health app developers in identifying which federal laws and regulations may apply to their apps. Checking this tool early in the development of consumer-facing products, well before any digital health app is released, can ensure apps are in compliance with applicable privacy laws.
Federal Trade Commission
The Federal Trade Commission (FTC) is also using existing authority to address privacy concerns after the Dobbs decision. The FTC has used its authority in several ways to protect health data, including through rulemaking and through its enforcement actions against particular companies.
Rulemaking
On May 30, 2024, the FTC published the final version of the Health Breach Notification Rule (HBNR), which sets forth the protocol in the case of a breach of health data. Since the FTC enacted its initial HBNR in 2009, the number of health tracking apps has dramatically increased and Dobbs has created new health privacy risks, making it critical for the FTC to clarify that the HBNR applies to this novel form of data collection. The final rule requires entities that manage personal health records (but are not subject to HIPAA) to notify the FTC, the consumer, and in some cases the media following a breach of personally identifiable health data. The update of the rule clarifies its applicability to health apps, and strengthens the notification mechanisms in this space.
Enforcement
Additionally, the FTC has initiated a range of enforcement actions, including against GoodRx, Easy Healthcare, and Kochava. This increase in consumer protection enforcement sends a message similar to that of the updated HBNR: if companies plan to handle data related to reproductive health in a post-Dobbs world, they must proceed with caution.
GoodRx: In February 2023, the FTC brought an enforcement action against GoodRx, an online prescription company, for disclosing customer health data to Google, Facebook, and other third-party advertisers. This data was shared without the consent of consumers and GoodRx did not provide notice of the disclosure. The enforcement action bars GoodRx from sharing this data and requires GoodRx pay a $1.5 million penalty.
Easy Healthcare: In May 2023, the FTC brought a similar enforcement action against Easy Healthcare Corporation, in connection with their fertility tracking app, Premom. This company collected sensitive health data related to menstruation and ovulation and it improperly disclosed the information to third party advertisers in violation of its stated privacy policies and the HBNR. This enforcement action resulted in a $100,000 civil penalty.
Kochava: The FTC sued Kochava, a geolocation data broker, in August 2022, alleging that it sold geolocation data for millions of individuals that could connect them to sensitive health locations; in February 2024, a federal court allowed the FTC’s amended complaint to proceed. Particular locations of concern include “reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities.” This litigation is ongoing, and has significant privacy implications broadly as well as for the protection of data in a post-Dobbs ecosystem.
Legislative Proposals
There have been some federal legislative efforts to increase protections for private health information in the wake of the Dobbs decision. For example, bills like the federal My Body My Data Act of 2023 (MBMDA) seek to restrain overreaching data collection practices, limit how long companies can retain personal reproductive or sexual health information, and give people clear ways to access and delete their health data. Its core provisions would prevent companies and covered entities from collecting, retaining, or using reproductive or personal health information without express written consent unless it is “strictly necessary to provide a product or service that the individual to whom such information relates has requested from such regulated entity.”
In addition to more targeted legislative proposals, a comprehensive federal privacy bill that includes robust limitations around corporate data practices, especially around sensitive data categories like health data, would go a long way towards keeping all Americans’ data private. The American Data Privacy & Protection Act (2022) and American Privacy Rights Act (2024) have each marked significant bipartisan efforts to establish long-overdue federal privacy protections, but their progress has been stalled by opposition. Meaningful collection, use, retention, and sharing limits will result in less data overall being collected and retained, including health data. Less data and stronger limitations on data usage will inevitably result in fewer privacy harms.
IV. Moving Forward
Law enforcement and civil litigants have new powers under state anti-abortion laws, and they will seek data to help them build their cases. While the new state and federal protections discussed above represent positive steps, much more work is necessary to preserve individuals’ rights to access health care and maintain their privacy. This section details some additional actions that governments and companies should take to ensure individuals have agency and choice over their own health care and enjoy powerful privacy protections.
Government actions
First, states should continue to look to one another and iterate on privacy protective approaches like those taken in California, Washington, and Maryland. Moreover, state legislators should look to CDT’s Field Guide to Blocking Statutes: Limiting Interstate Abortion Investigations. This guide illustrates how states can most effectively create or improve shield laws to avoid complicity in enforcement of out-of-state abortion bans and create an environment where patients feel protected when accessing lawful care. It notes that shield law statutes, if adopted, must be carefully tailored to the specific laws of the states in which they are passed.
In addition to legislative efforts at the state level, additional steps can be taken at the federal level. Given the long odds of federal legislative solutions, it remains incumbent on executive agencies like the FTC and HHS to continue to issue guidance to companies and healthcare providers and rigorously enforce existing laws to protect people’s privacy rights.
For example, the FTC should continue to use its authorities to ensure consumers’ health data is kept private and not shared in ways that are unknown and unwanted – including if it moves forward with a rulemaking on commercial data practices in the coming year. Moreover, while the HHS update to the HIPAA Privacy Rule is a positive step forward in the fight for securing essential reproductive rights, to best capitalize on its protections it is essential for HHS OCR to educate health care providers and insurers about its requirements. As an initial action item, HHS OCR stressed that providers must update their patient privacy notices, but that must be understood merely as a first step. Education and information sharing will play an outsized role in increasing awareness of the shift from a model in which doctors had to decide whether to share data, to one in which reproductive data sharing is generally prohibited. Doctors and providers must be aware of this change so that they can most effectively protect their patients.
Additionally, as the new HHS rule is implemented, it will be necessary to clarify its interaction with state laws such as Washington’s My Health My Data Act and state shield laws. The state shield laws are more specific and nuanced than the federal rule, which allows them to protect more data than is currently captured in the HHS rule. The HHS update of HIPAA therefore sets a floor for reproductive health data privacy on which the states can build by adopting more comprehensive protections in the health data sphere. That said, this remains a potentially confusing area which may make compliance more difficult. It will be helpful for HHS to issue further guidance on the overlapping state and federal compliance requirements in order to best maximize individual protections.
Finally, the Biden Administration should take action to restrict federal surveillance and investigative resources from being used for abortion investigations. As it stands, the federal government provides assistance to state and local law enforcement to support surveillance and complex investigations. This federal support could be used by hostile states to monitor reproductive health activities, through the federal provision of digital forensic services, assistance in acquiring private communications and data, and storage of sensitive information. While the Administration has taken a strong position supporting reproductive rights, it should ensure that federal funds and resources aren’t directed toward investigations of individuals seeking reproductive care.
Company actions
In the post-Roe era, companies should play an active role in protecting their customers’ and users’ private information. The best way to prevent data that companies collect from being used against abortion-seekers and -providers is simply not to have that data in the first place.
There are a host of steps the private sector should take to protect that information, captured in CDT’s 2023 report, Data After Dobbs: Best Practices for Protecting Reproductive Health Data. In particular, companies should be proactive in minimizing the risk that the data they hold could be used to jail someone for seeking or providing an abortion, by limiting the amount of data they collect and store. Moreover, this effort cannot be limited to obvious health data, such as biometrics, health conditions, and health tests. It should include all the data companies collect, retain, and share, because information that may not appear to be health-related can nonetheless reveal a person’s reproductive health conditions and choices when used in certain ways or combined with other data points. Such data includes location data, browsing history, and search queries.
By being diligent and knowing what data is needed for products and services, and by declining to collect additional data, companies can help reduce the likelihood they will have to respond to law enforcement or civil litigants’ requests for data in abortion-related cases. In instances where companies must collect personal data, companies can and should retain that data only for as long as necessary to perform the task that the data was originally collected for. And then it should be deleted. For more, see CDT’s Data After Dobbs report.
V. Conclusion
The Supreme Court’s decision in Dobbs ended the fundamental right to an abortion and has introduced serious threats to data privacy. Without Roe as a safeguard, the desire of law enforcement to seek access to private health data will be supercharged. Implementing strong privacy protections is paramount. While legislation on the federal level remains improbable, executive agency action and state legislation protecting reproductive rights have served as an important preliminary step in the Dobbs era. But ultimately, companies must pick up the slack and adopt commercial practices that prioritize the privacy and fundamental rights of their customers.