Column: How a legal loophole allows antiabortion prosecutors to obtain women’s secret health data

The American legal system has a message for women concerned about their abortion rights: Don’t make the mistake of thinking that your pharmacist is your friend.

Thanks to a gaping loophole in federal healthcare regulations, some of our leading drug store chains turn over customers’ most sensitive private healthcare information to law enforcement agencies, even without a warrant.

That’s the finding of a subcommittee headed by Sen. Ron Wyden (D-Ore.), which learned that all eight of the nation’s largest pharmacy chains have routinely turned over prescription records of thousands of Americans to law enforcement agencies or other government entities secretly without a warrant.

Medical care procured outside a patient’s home state increasingly leaves a digital trail that will easily make its way back to the patient’s domicile.

— Carleen M. Zubrzycki, University of Connecticut

The chains are CVS, Walgreens, Cigna, Optum Rx, Walmart, Kroger, Rite Aid and Amazon. CVS, Kroger and Rite Aid, which have a total of about 11,000 locations nationwide, don’t require store staff to run the requests past company lawyers before complying.

Only Amazon notifies customers that it received a subpoena or warrant for their prescription data.

Wyden’s committee sought briefings from the pharmacy chains after the Supreme Court’s 2022 Dobbs decision overturned nationwide abortion rights.

Since then, Wyden told me by email, “Republican states across the country have criminalized abortion.” That placed privacy “under threat like never before.” He said his goal is to urge “the executive branch to do everything in its power to stop far-right prosecutors and politicians from using women’s private records against them.”

The briefings, Wyden and fellow subcommittee Democrats informed Health and Human Services Secretary Xavier Becerra in a Dec. 12 letter, “made clear that these companies’ privacy practices vary widely, in ways that seriously impact patient privacy.”

None of the pharmacies require a warrant before turning over requested data; all “will turn medical records over in response to a mere subpoena,” which often doesn’t have to be signed by a judge.

That’s a flaw in the Health Insurance Portability and Accountability Act of 1996, or HIPAA, which purports to protect individuals’ health information from disclosure by providers except in narrow circumstances.

CVS spokeswoman Amy Thibault told me by email, “HIPAA does not require law enforcement to obtain a warrant or judge-issued subpoena before they make a lawful request for records containing PHI.” She said that CVS staff “are trained how to appropriately respond to lawful requests from regulatory agencies and law enforcement.”

HIPAA applies to pharmacies as well as physicians and hospitals. What sets them apart, however, is the breadth of their networks— it’s a rare hospital or physician’s practice that maintains a database that can be accessed coast to coast.

Wyden and his colleagues urged Becerra to tighten HIPAA regulations to require pharmacies to “insist on a warrant” before turning over private health data, so that law enforcement agencies have to defend their demands in court.

Health and Human Services isn’t the only agency concerned with the misuse of personal data. The Federal Trade Commission on Tuesday charged the data broker Outlogic with selling consumers’ location information extracted from smartphone apps without their permission.

The geolocation data, the FTC said, “could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.” According to a statement by FTC Chair Lina Khan, in at least one contract the company had tracked “Ohio residents who visited specific doctors, including cardiologists, gastroenterologists, or endocrinologists, and then pharmacies or specialty infusion centers.”

The FTC’s legal complaint said the result could include “loss of privacy, exposure to discrimination, physical violence, emotional distress, and other harms.”

In a settlement with Outlogic reached Tuesday, the FTC prohibited the company from selling or sharing any “sensitive location data,” including data involving “locations that provide services to LGBTQ+ people such as bars or service organizations,” “locations of public gatherings of individuals at political or social demonstrations or protests” and data that could be used “to determine the identity or location of a specific individual.”

Outlogic will also have to delete or destroy any such data already collected, and provide consumers with easy ways to refuse permission for their data to be sold and to find out to whom it has already been sold.

Becerra hasn’t responded to the committee’s letter, but his agency did launch a rule-making procedure in April aimed at prohibiting the disclosure of personal information about a person’s reproductive healthcare by a provider, including a pharmacy, in a state where the healthcare is legal, but sought for an investigation or prosecution in a state where it’s banned.

But the Health and Human Services initiative is still only a proposal, not a rule. Several factors have made it more urgent.

The so-called interoperability of medical data is generally reckoned to be a good thing. Pharmacists should have access to the full range of a customer’s prescriptions, for example, so they can watch out for dangerous interactions among medicines that may have been missed by doctors, especially if one patient is treated by multiple physicians.

Those checks have been made even easier by the growth of national drug chains, which have supplanted the mom-and-pop drugstores that used to be common in America. Now one database can provide patient information to thousands of affiliated pharmacists coast to coast.

But the Supreme Court’s overturning of abortion rights in 2022 converted that boon into a potential peril by turning judgments about medical procedures over to the states.

“There are now categories of care in which states have taken dramatically different approaches to whether that care should be available,” says Carmel Shachar, an expert on health law and policy at Harvard Law School. Abortion is the most evident area, but divergences in state law increasingly apply to gender-affirming care and substance abuse treatment.

Those divergences, Shachar told me, make the relevant medical records especially sensitive to the point where they need to be protected from law enforcement.

But expansive databases may make that difficult — a prosecutor in antiabortion Texas might be prevented by a medical shield law from accessing data about a Texan’s legal treatment in Massachusetts, but theoretically could subpoena it from a pharmarcy chain’s branch in Texas.

The challenge goes beyond simply shielding direct evidence of a legal abortion — such as a prescription for mifepristone — from prying law enforcement eyes in an antiabortion state.

“There’s a perception that abortions or gender-affirming care exist on their own islands separate from other medical care,” Shachar says. “But somebody who is medically literate can read between the lines of a medical record to see if an abortion happened.”

For instance, consider if a medical record showed that a woman was pregnant and records show a bit later that she’s begun to take chemotherapy treatment for cancer that would be incompatible with pregnancy.

“That might be suggestive that she was pregnant and is no longer pregnant, with no baby to show for it,” Shachar says. “How much of a medical record you need to protect to truly protect the privacy of people who have had abortions or gender-affirming care is murky.”

Placing a legal moat around medical records of an out-of-state abortion may be difficult. “Medical care procured outside a patient’s home state increasingly leaves a digital trail that will easily make its way back to the patient’s domicile,” observed Carleen M. Zubrzycki of the University of Connecticut in a 2022 law review paper.

When any such patient “receives any subsequent medical care — abortion-related or not — in her state of residence,” she wrote, “the odds are high that her home-state providers will access and incorporate her entire medical record into their own records.” That would undermine the efforts of safe-haven states to protect visiting patients by providing “slam-dunk evidence that could be used in out-of-state litigation to punish abortions.”

The determination of antiabortion activist politicians to narrow women’s reproductive healthcare options is explicit and persistent.

On July 7, 2022 — just two weeks after the Supreme Court handed down the Dobbs decision — a dozen right-wing Texas state legislators warned the Dallas law firm Sidley Austin that it might face criminal charges for having “decided to reimburse the travel costs of employees who leave Texas to murder their unborn children” — i.e., who leave Texas to obtain legal abortions elsewhere.

Last February, the attorneys general of 20 red states, led by Missouri Atty. Gen. Andrew Bailey, sent threatening letters to CVS, Walgreens, Rite Aid, Albertsons, Walmart, Kroger and Costco warning them that federal law prohibited them from using the mail to distribute drugs for medication abortion, such as mifepristone.

The letters cited the antique and long-discredited 1873 statute known as the Comstock Act after its bluenosed progenitor. The law’s applicability to abortion rights has long been dismissed by legal scholars. But it was at the core of a ruling by U.S. District Judge Matthew Kacsmaryk of Texas invalidating the Food and Drug Administration’s approval of mifepristone.

The FDA’s rules on mifepristone, which allow the drug to be taken by patients outside a hospital or doctor’s office, are currently before the Supreme Court.

The quest by antiabortion prosecutors for data pertaining to out-of-state medical procedures is destined to grow. The proportion of patients traveling out of their home states to obtain abortions has doubled over the last three years to 20% in the first six months of 2023 from 10% in the same period in 2020, according to the Guttmacher Institute.

The rate is especially high in safe-haven states bordered by antiabortion states, such as Illinois, where out-of-state patients increased in early 2023 to 18,870 from 5,570 three years earlier. New Mexico and Colorado experienced sharp increases for the same reason. In California, where abortions increased by 15,200 in the statistical period, only 16% of the increase was due to out-of-state patients — presumably because abortion is legal in the nearby states of Nevada, Oregon and Washington.

What is becoming clear as state legislators take advantage of the Supreme Court’s evisceration of medical privacy rights in the Dobbs decision, is that the stakes are destined to become magnified in the absence of federal action. People suffering from infectious diseases linked to what legislators disdain as immoral behavior such as HIV or hepatitis C might face increased discrimination or limits on access to public healthcare programs, for example.

“In terms of states diverging in what medical care is allowed or isn’t allowed,” Shachar says, “abortion and gender-affirming care might be the tip of the iceberg.”