An executive order signed by President Biden places the weight of the White House firmly behind states where access to abortion is guaranteed, and urges the FTC and other executive agencies to investigate and strengthen data protection policies. Without a digital trail to follow, efforts to criminalize private medical activity across borders may prove much more difficult.
The legal battle ahead over reproductive rights in the post-Roe era is likely to be complex and unprecedented, and data will be an important part of it. As a medical procedure, abortion is covered by the federal patient privacy law HIPAA, but that will likely violate state rules requiring disclosure. In addition, digital services such as time-tracking apps and even fitness and wellness platforms can track and even sell data that can be taxing.
The executive order fundamentally limited what it can accomplish (as many will recall, Trump has issued dozens to little effect), but it does highlight which and where federal resources will be deployed in the coming legal conflicts. The full text of the EO is here, but let’s look at the parts that are most directly relevant to the tech industry. (Quoted text has been edited very lightly for brevity.)
First, the Secretary of Health and Human Services will issue a report…
… identify ways to increase reach and education about access to reproductive health care, including by launching a public education initiative to provide timely and accurate information about such access, which … will share information on how to provide free or lower-cost reproductive health services through health can be obtained Resources and services from publicly funded health centers, Title X clinics and other providers; and … include promoting awareness of and access to the full range of contraceptive services, as well as information about your rights to those seeking or providing reproductive health care.
This is clearly aimed at attempts to limit the information available to those seeking help; some states plan to make it difficult to know what options are actually available, whether it is legal to travel to another state for a procedure or medication (it is) and so on. For example, while the FBI cannot force a state health organization to provide information about where to get abortion pills or the like, they can ensure that this information is available in the state through other means. They can even get a foot in the door at hospitals and clinics that take federal funding.
While that may seem elementary (of course the federal government can post anything on its own sites), the real purpose here is to list the ways states will try to control information and how best to counteract it.
Next, federal entities, including the Attorney General and Homeland Security, will “consider actions” to address new safety and security risks associated with providing or seeking reproductive care.
To address the potential threat to patient privacy posed by the transfer and sale of sensitive health-related data and by digital surveillance associated with reproductive health care, and to protect people seeking reproductive health services from fraudulent schemes or deceptive practices:
The chairman of the Federal Trade Commission (FTC) is encouraged to consider measures… to protect consumer privacy when seeking information about and providing reproductive health care.
The Secretary of Health and Human Services will consider actions, including providing guidance under: [HIPAA] and any other statutes, to strengthen the protection of sensitive information related to reproductive health care and to strengthen the confidentiality of patients and healthcare providers.
The first part of this is clearly a warning to big tech companies like Google and Meta, who have the resources and capabilities to monitor people’s behavior to an alarmingly granular level. We’ve all read horror stories about people seeing ads for baby products before announcing they’re pregnant. Now imagine if a state required a company to disclose whether a user had discussed an abortion or had been algorithmically categorized as seeking an abortion.
Protecting people from “fraudulent schemes” seems less of a problem than the day-to-day trading of potentially sensitive information for data brokers. The FTC can provide very good advice on this matter regarding claims of “privacy” that are not corroborated by a company’s actual practices.
The HIPAA part is tough, because there will almost certainly be a direct conflict between federal nondisclosure laws and state forced disclosure laws that need to be worked out in court. While that will likely be a conflict for years to come and speculation about the outcome would be fruitless at this stage, in states where abortion remains legal it could be simpler.
Health and Human Services is likely to provide guidance and interpretations of HIPAA regulations that promote privacy in a way specifically geared to corrupting cross-border requests. When state law and federal law go together to protect a patient’s privacy, lawsuits and requests from states seeking to criminalize behavior in adjacent jurisdictions can be non-starters.
The next section adds that the AG will provide “technical assistance” to states on out-of-state patient protection, meaning “let’s write that law together.”
To some, this executive order will seem like something of a noob; and indeed, if this is all the government can do after weeks of inaction, it is justifiably disappointing for those pushing for more concrete action. But while it accomplishes little on its own, it clearly shows the government’s intent to at least support states that fight to protect reproductive rights rather than those that curtail them.