Millions of women use reproductive health applications (or "apps") to track menstrual cycles, ovulation, and pregnancy. These apps give women who use the rhythm method for birth control, and women seeking to become pregnant, access to more accurate information about their reproductive systems. To accurately track a user's reproductive cycles, many health apps need users to share highly sensitive and personal health data. This sensitive data is generally stored and may include dates of ovulation, conception, pregnancy start, and pregnancy end, if applicable. Needless to say, reproductive health app developers manage and maintain a data platform that contains some of the most sensitive and private information about their customers.

The highly sensitive and private customer information contained in reproductive health apps has been thrust to the forefront of the evolving landscape of abortion laws in the United States. The U.S. Supreme Court ("SCOTUS") decision to overturn Roe v. Wade authorizes states to limit, restrict, and criminalize abortion. As many as half of all U.S. states have some form of an abortion ban in effect, or one that is expected to take effect in the near future, due to the SCOTUS decision. These abortion ban laws are frequently referred to as "trigger laws." State laws that criminalize abortion could have an immediate impact on how reproductive health apps implement and enforce personal health data security measures (i.e., privacy policies and procedures).

In addition, reproductive health app developers should consider enhancing their patient privacy protocols in light of certain state abortion laws that place enforcement of such laws in the hands of private citizens as described below:

  • A Texas law bans abortion as soon as cardiac activity is detectable — typically around six weeks. This abortion law affords Texas citizens a private right of action to enforce the ban. The Texas law explicitly offers a reward of at least $10,000 for anyone who successfully sues an abortion provider, a person who obtains abortion services, and/or an individual that assists a person in obtaining abortion services.

  • A new Oklahoma law completely bans abortion in Oklahoma. The statute makes it unlawful for providers to perform abortions in Oklahoma, with very limited exceptions, and makes it unlawful for anyone to help a pregnant person obtain an abortion. Similar to the Texas law, the Oklahoma law puts enforcement in the hands of certain private citizens and offers a monetary reward to any person who successfully sues an abortion provider or any individual who assists a pregnant person in accessing abortion services.

Because reproductive health apps store personal health data related to periods, ovulation, conception, and pregnancy, these apps have access to data showing that a pregnancy has ended. This type of information is particularly sensitive in light of the trigger laws and other state abortion-related laws.

It is important to note that reproductive health apps are generally not subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA") or the Health Information Technology for Economic and Clinical Health ("HITECH") Act. Although the information entered by customers into the app likely meets the definition of "protected health information" under HIPAA, reproductive health apps do not conduct standard transactions (i.e., submit insurance claims), and therefore such apps are not "Covered Entities" (as defined under HIPAA) governed by HIPAA. Reproductive health apps may be considered "Business Associates" (as defined under HIPAA) only if the app is providing services on behalf of a Covered Entity or other Business Associate that involve the creation, receipt, maintenance, or transmission of electronic Protected Health Information (as defined under HIPAA). Thus, unless a reproductive health app conducts standard transactions or is deemed a Business Associate under HIPAA, it is unlikely to have any obligation to limit the use or disclosure of customer data in accordance with HIPAA. However, state privacy laws governing personal data will apply, such as the California Privacy Rights Act, Colorado Privacy Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, and most recently, Connecticut's Act Concerning Personal Data Privacy and Online Monitoring.

Following the SCOTUS ruling, the Department of Health and Human Services' Office for Civil Rights released new patient-privacy guidelines that explicitly outline the federal protections for "protected health information," as defined under HIPAA. The guidelines emphasize the restrictions HIPAA places on the disclosure of protected health information and reinforce the limited circumstances in which organizations subject to HIPAA are authorized to provide such information. However, these guidelines do not create additional protections for protected health information — therefore, a state law that requires the reporting of abortion services to law enforcement personnel would be enforceable, and a Covered Entity's or Business Associate's disclosure of protected health information related to the patient's abortion would not be limited by HIPAA. Reproductive health app providers should be aware that state laws specifically requiring healthcare providers to release patient information related to abortion services could be used by law-enforcement officials to investigate potential violations of state abortion laws.

Given the ubiquity of purchasing datasets from technology companies and the structure of new state anti-abortion laws, it is conceivable that an individual could purchase these datasets and use the information to pursue legal action against an individual or an abortion provider. It is equally conceivable that law enforcement could obtain these datasets, via subpoena, court order, or otherwise, and use the datasets to investigate suspected violations of abortion laws. While these outcomes may seem remote, this is a rapidly evolving area of the law where outcomes remain uncertain. Therefore, reproductive health app companies should understand their privacy policies and review them in light of new state abortion laws, including considering whether to voluntarily comply with HIPAA and HITECH to further protect customer data privacy and security. Reproductive health app developers may also want to take measures to increase the security and integrity of their data platforms, including undertaking security risk assessments, reviewing policies and protocols, and identifying any risks associated with permissible commercial transactions involving sensitive customer data. All such measures would reassure reproductive health app users that their sensitive information is appropriately protected and secured as much as possible.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.