How Private and Protected Is Virtual Reproductive Care?
While online telehealth visits surged during the pandemic, consumers now seeking remote reproductive health services face a number of privacy and legal challenges
As COVID-19 spread around the world, patients and providers turned to telehealth en masse, with many accessing online healthcare for the first time. Abortion care began to follow a similar pattern in December 2021, when the Food and Drug Administration said it would allow people access to what’s known as medication abortion—where pills are used to induce an abortion—via a virtual consultation with a doctor. This move permanently waived an earlier rule that required an in-person visit.
Since then, abortion providers say demand for telehealth abortions—abortions facilitated remotely by a medical provider—has been on the rise, with many pregnant people attempting to turn to internet-based platforms dedicated to reproductive care. Now that the Supreme Court has overturned Roe v. Wade—many states have banned abortion outright, and hundreds of abortion clinics across the country are expected to shut down—that trend is likely to continue, experts say.
How HIPAA Protects—and Doesn’t Protect—Telehealth Visits
The primary law that governs the handling of medical data is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. It sets out the rules insurers and providers must follow when handling personal data, but it doesn’t cover all medical conversations. HIPAA applies only to healthcare providers, health insurance companies, and certain other entities that handle medical information, such as medical billing services, so it doesn’t generally apply to internet searches or apps, and it won’t protect someone from a court order or subpoena. HIPAA prohibits these entities from disclosing private healthcare information—such as what medication you’re taking, what surgeries you’re scheduled for, and what diagnoses you’ve received—except in very specific situations.
That also applies when it comes to reproductive care. “If an abortion provider, including a telemedicine abortion provider, takes insurance and bills insurance electronically for at least one patient, then the telemedicine provider is a covered entity and must comply with HIPAA,” says Stacey Tovino, a professor of law at the University of Oklahoma College of Law in Norman and a leading expert on bioethics and health law. Even if they aren’t governed by HIPAA, licensed nurses and doctors who don’t take insurance must comply with local medical practice laws that require certain levels of patient confidentiality.
(Read more about what HIPAA covers and what it does not.)
But there are many ways that information about an abortion or other reproductive care can be disclosed that are not covered by HIPAA. Text messages and emails to friends or family, Google searches, location data, and other types of online data are generally not protected by any privacy laws, even if you’re discussing your health or other sensitive matters. Information from these types of searches and communications can be sold by tech companies or subpoenaed by law enforcement. However, in early July, Google announced that it won’t collect location data around abortion clinics, fertility centers, domestic violence shelters, and other sensitive healthcare facilities.
Now that Roe has been overturned, things will only get murkier. For someone who lives in a state where abortion is restricted or illegal, an online conversation with a doctor—even through a HIPAA-compliant program, such as Zoom for Healthcare—may be subject to law enforcement access. That’s the case regardless of what state the doctor is licensed to practice in.
“In general, if there’s a law in the state that requires people to notify officials if they suspect a crime occurred—you can see this with child abuse or other mandatory reporting laws—that’s an exception to HIPAA,” says Greer Donley, an associate professor at the University of Pittsburgh School of Law who studies reproductive care and abortion laws.
The Department of Health and Human Services recently published updated guidance on reproductive healthcare clarifying that HIPAA-regulated entities, such as doctors and nurses, are permitted to disclose protected health information only when presented with a court order or a warrant that’s enforceable in a court of law.
Legal Questions About Different Types of Telehealth Abortion Care
In addition to privacy questions, there are also now thorny legal questions around telehealth appointments for reproductive care. These issues are intertwined: When health data is not private or secure, it is easier for it to be used by prosecutors or investigators if someone is suspected of running afoul of state laws.
Online abortion providers generally separate into two types of care: conventional telehealth reproductive-care platforms that offer consultation with a medical professional before the pills for a medication abortion are prescribed, and “self-managed abortion,” in which someone seeks an abortion outside of a traditional healthcare setting via either medication, or other, more dangerous methods. The laws and rules governing access to these services vary from state to state, and it’s often not clear when and where the pursuit of online abortion care could be seen as criminal—or what the penalties might be.
Conventional telehealth providers include online-only platforms such as Abortion on Demand, Choix, and HeyJane, along with certain providers and clinics that offer in-person care as well, such as Planned Parenthood and some gynecologists.
A telehealth abortion appointment with one of these providers is similar to most other telehealth medical appointments: A patient consults with a provider via either videochat, phone call, or text message. The provider can then prescribe a regimen of two pills, mifepristone and misoprostol, which can be used to induce an abortion up to 11 weeks gestation (though some providers, including Abortion on Demand, Choix, and HeyJane, have earlier limits). The pills generally arrive in the mail within about a week of the appointment. If a patient is too far along to take abortion medication, the online provider will recommend that they make an in-person appointment with a gynecologist or other abortion provider to discuss their options, according to a spokesperson for Choix.
Conventional telehealth abortion may seem like an option for people in places where abortion is limited or illegal, but it generally isn’t. Even before Roe v. Wade was overturned, making most abortion illegal or soon to be illegal in many states, there were already 19 states that either limited or prohibited telehealth abortion care. Most telehealth abortion providers work within each state’s laws and don’t offer abortions to people who are in a state that prohibits telehealth abortion, such as Louisiana or Texas.
That’s because the rules that apply to the practice of medicine are based on where the patient is, not where the provider is. So a provider offering telehealth abortion to someone living in a state where it is illegal would not only face potential criminal liability but also risk losing their medical license, says Donley, the associate professor at the University of Pittsburgh School of Law.
In a self-managed abortion, someone seeking an abortion could obtain medication from a variety of sources, such as online pharmacies that are often based abroad, according to the abortion access website Plan C. The term “self-managed” also includes more dangerous methods of trying to induce abortion, such as buying drugs via unverified black market sources or using herbal remedies.
Self-managed abortions are technically not allowed in any state that outlaws abortion because it would be illegal for providers of the drugs to send them to patients. Some explicitly ban the practice. Current laws primarily criminalize the providers of abortion care, not the recipients. And online operations that are located outside the U.S. are not subject to the jurisdiction of any U.S. states, so those abortion providers are operating in a legal loophole.
And then there are hybrid entities such as the European organization Aid Access, which operates somewhere between conventional telehealth and self-managed abortions. Aid Access doctors offer prescriptions for abortion pills without regard to the legal status of abortion where a patient lives.
The FDA has advised consumers against purchasing abortion pills over the internet or from foreign sources because those fall outside of the FDA’s regulatory oversight. Providers such as Aid Access also operate in a gray area when it comes to federal drug regulations because “the FDA doesn’t allow personal importation of drugs,” says Ziegler, the UC Davis professor who also wrote the book “Beyond Abortion: Roe v. Wade and the Fight for Privacy.” “At least until the present, the FDA also hasn’t pursued anyone for doing this, but in theory, that could change.”
How Laws Could Change and Further Affect Reproductive Telehealth Services
Now that Roe v. Wade has been overturned, approximately 26 states are expected to ban all abortion care, according to the Guttmacher Institute, a reproductive rights research and policy group. That means restrictive state laws may also soon go beyond policing providers, according to Donley at the University of Pittsburgh School of Law.
Anti-abortion organizations are already advising states on further restrictions that would enforce laws on people or groups offering advice to those seeking abortions, whether online or in person. The National Right to Life Committee, the largest anti-abortion group in the country, has drafted model legislation that would make it a crime to tell a person how to seek an abortion or to host a website providing information about where people can seek abortion medication in any state that chose to adopt the legislation.
Future laws, say Donley and Cohen at Drexel University, may also target the pregnant person—someone who obtains abortion pills online directly or via a service like Aid Access, for example. This is in part because of how difficult it is for states to enforce existing anti-abortion laws when online pharmacies and providers such as Aid Access are based overseas, according to Donley. While such providers might not be vulnerable to such state laws, people in states where abortion is illegal certainly are, and may find abortion-related searches or communications they thought were private used against them in a prosecution.
People with desired, but nonviable or medically dangerous pregnancies or miscarriage complications may find themselves targets of these laws as well. “It will become harder for patients to get care after an abortion or miscarriage, and they may be more fearful of doing so, depending on what activities a state law criminalizes,” says Allison Hoffman, a professor of law at the University of Pennsylvania Carey Law School who specializes in healthcare law and policy.
In certain states with extremely limited access to abortion, this already occurs, according to Drexel University’s Cohen. Patients “have had to fly while they’re in the middle of miscarriage to another state to get the care they need because no Texas provider will care for them,” he says. This is in part because some of the procedures done to help a patient experiencing a miscarriage “could be seen as an abortion,” he says.
Currently, there are no states that limit physically traveling across state lines for an abortion, including a telehealth abortion, though some states, such as Missouri and Arkansas, have signaled a desire to criminalize such activities. Both Biden and U.S. Attorney General Merrick Garland have asserted that based on “bedrock constitutional principles” people must remain free to travel for their reproductive healthcare. And according to Biden’s July 8 announcement, the attorney general will also provide “technical assistance to states affording legal protection to out-of-state patients.”
Protecting Your Privacy When Seeking Medical Care Online
Consumer Reports experts have consistently argued that patients deserve to have their medical information protected. “The laws protecting patient data are outdated and out of touch with consumers’ expectations of privacy,” says Justin Brookman, director of privacy and technology policy at Consumer Reports. “We need stronger protections for sensitive health data.” In the meantime, as the landscape continues to shift for reproductive health, here are important considerations for protecting your privacy when seeking any medical care online.
Use a HIPAA-Regulated App
Among the first things you generally should do to protect your medical privacy online is ensure that the app on which you’re conversing with a provider is required to comply with HIPAA. All healthcare providers who take insurance are bound by HIPAA, Tovino says. But some platforms sell data for marketing purposes, or have otherwise lax protections, and in those situations, personal data could be sold to data brokers and thus be easily accessible to law enforcement or anybody with the cash to buy the data.
In other words, your doctor is subject to HIPAA, but the platform on which you’re talking to them might not be. You can check this list to see if the platform your doctor uses is regulated under HIPAA (though keep in mind that the list, while extensive, is not comprehensive). If not, you can always ask your doctor to hop on the phone instead. (See our previous articles on HIPAA-compliant videochat programs and the limits of HIPAA.)
Set Up Online Privacy Tools
There are a variety of tools that can improve the privacy of any online activity. The Electronic Frontier Foundation, a privacy and technology nonprofit, recommends using private browsers, such as Firefox and the mobile-only DuckDuckGo. Using a VPN—or virtual private network—may offer some measure of privacy protection, too, because it obscures your IP address and prevents third parties from seeing what websites you visit or data you share. CR’s Brookman recommends considering the private browser Tor to minimize traces of what you’re looking for. Securing your router is another good step. The Department of Health and Human Services also provides some additional tips for securing personal data on your phone or tablet.
But it’s important to understand the limitations of all of these steps. “A VPN could shield your activity from your ISP [internet service provider], but now your VPN could know who you’re talking to,” Brookman says. For example, if your workplace provides your work computer with a VPN, your employer still has access to your browsing if it takes place on a work computer, he says. That’s one reason it’s important to do any sensitive medical searches or consultations on your own personal device, and if you’re going to use a VPN, choose one with ample privacy protections. Mullvad and IVPN are two good options, according to CR’s tests.
Understand The Risks of Searches and Conversations About Reproductive Care
“Users need to think of their laptops, phones, digital assistants, home cameras, etc., as open books on their activities,” says Anton Dahbura, PhD, the executive director of the Johns Hopkins University Information Security Institute in Baltimore. “Virtually anything users do or see on their devices can be tracked later, even if the user thinks that they deleted the information.”
That’s particularly important when it comes to online activity about reproductive care, where the laws can be tricky and confusing. “The average person with a smartphone who’s thinking about getting an abortion may Google ‘abortion near me’ or ‘where’s Planned Parenthood,’ or they may direct-message someone on Facebook or Instagram,” says Ziegler, professor of law at the University of California, Davis. Though common, that sort of activity is generally not private.
Abortion-related prosecutions that rely on internet search data have happened in at least one instance, when Latice Fisher, a Mississippi woman, was indicted for murder in 2018 after losing a pregnancy. “The inclusion of Ms. Fisher’s alleged internet search history related to her reproductive health as evidence of criminal intent will become standard protocol across the country once abortion is again criminalized,” Cynthia Conti-Cook, a tech fellow at the Ford Foundation, wrote in a 2020 paper published in the University of Baltimore Law Review.
If someone is texting, emailing, or calling their medical provider about any medical care, they may want to use separate applications for these communications rather than their regular email account, their phone’s built-in messaging app, and call service. A provider may be willing to converse via an encrypted app, such as Signal, for example. You can also use Signal to chat with friends or family, but “you still need to trust the person on the other end,” Brookman says. He also recommends selecting the option to automatically delete all messages after a certain period.
Some telehealth abortion providers, including Choix and Hey Jane, let patients request communication via encrypted messaging.