Health Data Privacy: Why the Law Matters

By Shantanu Mukherjee and Amruth Rao[1]

 

On June 24, 2022, the United States Supreme Court overruled Roe v. Wade, 410 U.S. 113 (1973), and Planned Parenthood v. Casey, 505 U.S. 833 (1992), and held that the American Constitution does not confer upon its citizens the right to abortion. In doing so, the Court allowed the states to impose any form of restriction on the right to abortion. In states such as Missouri, Louisiana and Kentucky that already had trigger laws in place, abortion is now banned with very few, narrow exceptions.

The emotional, sociological, political and financial impact of this ruling has been adequately documented in the weeks since it occurred. The ruling, however, also has implications for the field of health data and privacy, the most crucial of which is whether healthcare information can now be used to incriminate patients and healthcare service providers.

 

HEALTH DATA PRIVACY IN THE U.S.

A. Reproductive Health Data as Evidence

Unlike many other countries, including India, the United States has federal legislation that explicitly protects health data of its citizens – the Health Information Portability and Accountability Act (HIPAA).

One might assume that HIPAA protects the health data of women seeking abortion. However, the law is inadequate in this regard, and the protection of patients’ privacy is not absolute. Health law experts Kayte Spector-Bagdady and Michelle Mello identified three situations in which HIPAA would fail to protect the privacy of patients.[2] These include using a patient’s medical records to prosecute them for seeking abortion, using healthcare facility records to prosecute the medical institution, and using online activity information to show that a woman is seeking abortion.

In the first scenario, where law enforcement authorities or courts have issued subpoenas to access the electronic health records of a patient, clinics, hospitals and medical establishments would be obliged to give the authorities the information. This is possible because of the exceptions prescribed under HIPAA. Entities that are covered by HIPAA and handle healthcare data would be ‘required by law’ to comply with such orders. The information obtained can then be used as evidence by enforcement authorities to prosecute persons seeking or abetting an abortion.

B. Recent HHS Interventions

U.S. senators have recently called on the Health and Human Services (HHS) to address this issue and protect the reproductive healthcare information of patients. The Office of Civil Rights of the HHS then issued guidance outlining the ways in which citizens could protect their health information while using cell phones and tablets, and advised healthcare providers that unless state law required them to report abortion-related incidents, the Privacy Rule under HIPAA would prevent them from making such disclosures. Further, the guidance noted that healthcare providers were not required to disclose personal health information absent a valid court order or subpoena from law enforcement authorities.

The HHS has been urged to do more, including by using its administrative powers to update the HIPAA Privacy Rule, specify the covered entities, limit the circumstances in which these entities can share reproductive health or abortion-related information, and clarify that healthcare information cannot be shared with law enforcement agencies that may be targeting women seeking abortion.

C. Inter-State Travel and Privacy

Another issue that arises in this context is that of residents of one state travelling to another state to get an abortion. In his concurring opinion, Justice Brett Kavanaugh writes that he believes that states cannot prevent women from travelling to another state, owing to their constitutional right to interstate travel. However, Justices Breyer, Sotomayor and Kagan are skeptical and of the view that states may end up banning such travel or preventing women from obtaining abortion medication from other states.

Some states have proactively adopted laws to prevent out-of-state prosecutors from obtaining a patient’s information and abortion records in order to shelter the abortion rights of women from other states. For instance, Connecticut state law protects medical information at a general level and bars HIPAA covered entities from sharing medical data relating to reproductive healthcare services with out-of-state prosecutors. However, health law expert Carleen Zubrzycki argues that such laws don’t do much to address the ‘interoperability trap’.[3]

According to her, due to the increased regulatory push towards sharing data and electronic health records and the limited scope of HIPAA, prosecutors can easily obtain information about abortion-related procedures through a doctor or hospital in their home state. Interoperability of health data allows doctors from different medical practices to access prior healthcare information of a patient. By using this to their advantage, prosecutors can ask home state providers that are not subject to the laws of other states to simply hand over medical records.

On July 8, 2022, President Joe Biden issued an executive order aimed at protecting access to abortion. The order directed the Health and Human Services, the Department of Defense and the Federal Trade Commission to take steps to give women access to abortion medication and to travel across states, among other things. But again, without a federal law, Biden will not be able to protect the right to abortion or prevent states from accessing reproductive healthcare information from providers.

D. Online Data Collection

Another privacy concern that Spector-Bagdady and Mello highlight is a person’s online activity being used as evidence to establish the fact that they sought abortion or assisted someone else with an abortion. Many women use menstruation apps on their mobile phones to keep track of their reproductive health. These applications collect various data points including information about one’s sexual life and menstruation cycles. All of this may be used to infer the status of pregnancy by law enforcement agencies.

Strikingly, these apps are not regulated by HIPAA as they do not fall under the category of covered entities. This also allows them to freely monetize the data that they collect. It has been found that many menstruation apps in the U.S. share data with third parties. Information such as whether the woman wishes to have a baby or wants to avoid one is used by advertisers to display ads about fertility or abortion clinics.

Apart from the menstruation apps, other online activity including internet searches, phone records, geolocation and text chats can also be used by prosecutors to pursue legal action against those seeking abortion. State prosecutors have already used a woman’s online search history as evidence in cases of alleged murder, neglect of a dependent and feticide.[4] Law enforcement agencies can easily get hold of such digital information by obtaining a judicial warrant or even by buying the information from private companies that sell digital data.

Following President Biden’s executive order, the Federal Trade Commission, in a welcome move, asserted their commitment to enforcing the law against misuse of highly sensitive data. In a blog post, Kristin Cohen from the FTC’s Division of Privacy & Identity Protection highlighted how easily companies are able to collect information about consumers either online or through mobile applications. Data such as location history and information related to reproductive health have even been used to target women seeking abortion, she says. The FTC warned companies not to engage in unfair trade practices, collect excessive amounts of data or exploit consumer data, or risk facing legal consequences.

 

HEALTH DATA PRIVACY IN INDIA

The U.S. experience shows us that despite the existence of a detailed healthcare privacy law focused on protecting sensitive information (HIPAA), the health data of its citizens could still be left vulnerable, leading to reproductive health data not only being monetized by companies but even being used to prosecute women seeking access to abortion.

In India, the situation is arguably worse. In recent years, a worrying trend has emerged of data privacy legislation being drafted, debated by Parliamentary committees and ultimately being shelved for reasons uncertain, even as the scale and scope of data monetization by private and state actors multiplies.

A. DISHA, 2018

In 2018, the Ministry of Health and Family Welfare released the draft Digital Information Security in Healthcare Act (DISHA) and invited comments from stakeholders. However, in the four years since the draft was published, there has been no progress in the implementation of the law, and DISHA has neither been passed nor tabled in the Parliament.

DISHA aimed to create national and regional health authorities and regulate the collection, storage, and transmission of health data. It also sought to ensure that data privacy and confidentiality are maintained. It acknowledged the importance of patient autonomy and required the consent of the patient at multiple stages. It even banned the sharing of anonymized data for commercial purposes.

According to DISHA, Digital Health Data would include electronic records of information related to an individual’s physical or mental health, tests or examinations conducted, health services availed, clinical establishment accessed and the donation of a body part or substance. Apart from this, DISHA also earmarked two separate categories of data: Personally Identifiable Information and Sensitive-Health Related Information. The Act has a wide ambit and imposes a duty on clinical establishments as well as any other entity who comes in possession of digital health data to protect the privacy, confidentiality, and security of the same.

DISHA has also faced its share of criticism, however. First, the Chief Health Officer of the Health Exchange Authority established under the Act would have access to the digital health data even though they only act as an intermediary. This raises concerns about a possible breach of data and unwanted sharing of health data. Another issue with the Act is that it does not explicitly recognize the right to be forgotten which was emphasized by the Supreme Court in the Puttaswamy[5] judgement. Although not a concern for everyday citizens, tech and pharma companies have also criticized DISHA for completely prohibiting (including in anonymized form) the sharing of digital health data with third parties.

B. Personal Data Protection Bill 2019, and the Data Protection Bill, 2021

Another piece of draft legislation that was recently withdrawn altogether, after lawmakers had labored over it in one form or another for four years, is the Data Protection Bill, 2021 (DPB).

The DPB has its genesis in the famous 2017 judgment of the Indian Supreme Court, Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., which called out the need in India for a strong data protection regime. The judgment led to the constitution of a committee, headed by former Indian Supreme Court Justice B. N. Srikrishna, which, on 27 July 2018, proposed a draft data protection law, later codified as the draft Personal Data Protection Bill, 2018. This bill was revised, after consultation with stakeholders, and tabled in Parliament on 11 December 2019, as the Personal Data Protection Bill, 2019 (“PDP Bill”). A Joint Parliamentary Committee was then set up to review the PDP Bill, which duly submitted its report in December 2021, proposing that the PDP Bill be replaced with a new bill, the DPB.

The DPB was then abruptly withdrawn by the Government of India on 03 August 2022, with the stated reason being “to make way for a comprehensive legal framework for the digital ecosystem.”

The DPB, and the PDP Bill before it, had been criticized by privacy advocates and some lawmakers as shifting the focus of the bill from citizens’ privacy to the economic and security interest of the state. It gave the government broad powers to store, use and control the large amounts of personal data it gathered on its citizens, including fingerprints and iris scans, while exempting law enforcement agencies and public entities from the law’s provisions, ostensibly for national security reasons. Opposition politicians pointed out that the DPB created “two parallel universes — one for the private sector, where it would apply with full rigor, and one for the government, where it is riddled with exemptions.”

C. The IT Act and the SPDI Rules

The Information Technology Act, 2000 (the “Act”), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”) framed under the Act, are today the only laws that govern data privacy (whether general or health data) in India.

The essence of the SPDI Rules is that body corporates must take steps to implement suitable security measures to protect sensitive data. If body corporates fail to safeguard the data of individuals or take appropriate security measures, they would be required to pay compensation to the individual affected.

The SPDI Rules are limited in scope – they apply only to body corporates. Small clinics or independent doctors, for example, who also handle health data are not subject to them. The SPDI Rules also fail to incorporate, among others, the right to be forgotten, the right to object to or restrict data processing, or the right to portability, and do not provide for a dedicated data protection authority for grievance redressal.

 

CONCLUSION

In a recent interview (with ET Tech on 4 August 2022), a Government representative promised that the “comprehensive legal framework” referred to when the DPB was withdrawn was “almost ready” and would “soon be made available for public consultation”. In any event, with the withdrawal of the DPB, the legislative process has regressed to 2011, as we’re back to relying on the SPDI Rules for data protection.

In the meantime, a combination of increased smartphone adoption and rapid digitization, and an institutional lack of commitment towards preserving citizens’ privacy, has led to indiscriminate data collection in India, including through massive, nation-wide Government-led initiatives such as the Aadhaar, Aarogya Setu and Ayushman Bharat Digital Mission projects (the last of which aims to create a national electronic health records system that allows doctors, patients, and healthcare providers access to huge amounts of patient data). These programs operate entirely in the absence of in-built data protection principles and appear to collect data without explicit consent or purpose limitations.

Recent events in the U.S. have shown how personal and health data can be used against a nation’s citizens in the absence of adequate data privacy laws. There is enough cause for Indian citizens to fear a similar fate given recent trends.

 

[1] Amruth Rao is a 4th year student at Jindal Global Law School.

[2] https://jamanetwork.com/journals/jama-health-forum/fullarticle/2794032?resultClick=1

[3] https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4147900

[4] https://scholarworks.law.ubalt.edu/cgi/viewcontent.cgi?article=2078&context=ublr, also https://www.washingtonpost.com/technology/2022/07/03/abortion-data-privacy-prosecution/

[5] (2017) 10 SCC 1.