On July 8, 2022, President Biden issued an Executive Order titled, “Protecting Access to Reproductive Health Care Services,” in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization that overturned Roe v. Wade. The Executive Order aims, in part, to “ [p]rotect[] the privacy of patients and their access to accurate information” regarding reproductive health care services. It directs the Department of Health and Human Services (“HHS”) and the Federal Trade Commission to take certain steps to address the potential threat to patient privacy caused by the transfer and sale of sensitive health-related data, and by digital surveillance related to reproductive health care services from fraudulent schemes or deceptive practices.

The Executive Order directs HHS to (1) consider actions under HIPAA and other applicable statutes to “strengthen the protection of sensitive information related to reproductive health care services and bolster patient-provider confidentiality” and (2) in consultation with the Attorney General, consider actions to “educate consumers on how best to protect their health privacy and limit the collection and sharing of their sensitive health-related information.” HHS recently released two guidance documents: (1) the first provides guidance to HIPAA covered entities and business associates regarding the privacy protections available under HIPAA with respect to reproductive health information, and (2) the second provides guidance to individual consumers regarding privacy measures that can be taken to protect their reproductive health data stored on personal devices and mobile apps.

The Executive Order also directs the Chair of the FTC to consider actions addressing “consumers’ privacy when seeking information about and provision of reproductive healthcare services.” The FTC has the power to enforce its existing Health Breach Notification Rule, issued over a decade ago, which applies, in relevant part, to health apps and connected devices, and requires entities covered by the Rule to notify consumers and the FTC (and in some cases, the media) in the event of a breach of unsecured identifiable health information. The FTC warned health apps of their compliance obligations under this rule in September 2021.