MODEL BILLS

Privacy Protections

Reproductive Health Client Data Privacy Act

Issue Overview

Unregulated Pregnancy Clinics (UPCs) often present themselves as free medical clinics to mislead clients seeking abortion. Their primary goal is to prevent clients, through persuasion, misinformation, or delay, from having an abortion.143 While these organizations have the right to oppose abortion, most use misleading tactics, including ads, signs, and websites presenting their facilities as conventional medical clinics, even, at times, as abortion providers.144,145 Inside, they often resemble medical offices, with waiting rooms and exam rooms outfitted with medical equipment, and staff in lab coats and scrubs. Clients must often fill out intake forms that ask for private health information.146

Presenting themselves as conventional medical providers, many UPCs solicit and document a great deal of sensitive personal data and private health information. UPCs collect and retain client information in various ways, including on appointment request forms and intake forms completed on premises, reports of interviews before and after testing, written results of STI/STD tests or ultrasound examinations, write-ups from counseling sessions, and via centralized chat services and online client data management platforms.147,148

UPC intake forms are often invasive. Even though they are not medical providers, many UPCs ask clients for prescription drug lists, past or current illnesses, and medical conditions unrelated to their services. Some ask inappropriate questions like the name or age of the person who impregnated the client, whether the client is living with someone they aren’t married to, when they first had sex, or whether they have multiple partners or same-sex partners. Collecting such information is unnecessary and unethical, given that most UPCs only provide over-the-counter pregnancy tests, STD/STI tests without treatment, lay counseling, and material resources like diapers and wipes. Further, even though they don’t bill insurance, UPCs often ask for clients’ government identification documents, insurance information, income, employer, or eligibility for public assistance.149

Because the vast majority of UPCs are not medical clinics, they can and do violate clients’ privacy. Traditional medical clinics must follow the privacy, confidentiality, and records security requirements of the Health Insurance Portability and Accountability Act (HIPAA). UPCs are not subject to HIPAA150 and, therefore, are not required to protect clients’ private health information. On the contrary, many UPCs maintain client records in online databases accessible by third parties outside the UPC.151 A digital system called eKYROS feeds personal client information into a central database linked with the national UPC umbrella groups Heartbeat International and Care Net.152 Other central databases used by UPCs include Next Level153 and CoolFocus.154

The national UPC umbrella organizations collect client records in “digital dossiers” on pregnant people around the country who have contacted or visited a UPC. As a brief by the Alliance reports: “the CPC industry is now functioning as surveillance infrastructure for the anti-abortion movement, amassing data that could be used in pregnancy- and abortion-related prosecutions….”155 The global anti-abortion group Heartbeat International reports using this data to create “digital dossiers,” stating “Big data is revolutionizing all sorts of industries. Why shouldn’t it do the same for a critical ministry like ours?”156

Many states have laws requiring medical privacy and security, and the UPC industry should be subject to such laws. According to a 50-State Survey of Health Care Information Privacy Laws, most states have privacy laws that cover at least some medical facilities.157 Similarly, the American Health Lawyers Association explains, “Most states have enacted laws and regulations related to the privacy and confidentiality of individuals’ health information. Such regulations are usually set forth in facility and/or professional licensure laws, requiring both licensed health care facilities and licensed health care professionals to maintain the privacy and confidentiality of patients’ health information.”158 Such laws should be enacted or amended to cover UPCs.

Reproductive Health Client Data Privacy Act

Summary

The Reproductive Health Client Data Privacy Act prohibits Unregulated Pregnancy Clinics from disclosing personally-identifiable and private health information to any other entity without the consent of the client.

[BILL DRAFTING NOTE: This bill uses a unique definition of “Unregulated Pregnancy Clinic” which fits the needs of this particular legislation. Please work with local advocates to decide if this name works best for you and your state.]

SECTION 1. SHORT TITLE

This Act shall be called the “Reproductive Health Client Data Privacy Act.”

 

SECTION 2. FINDINGS

The legislature finds that:

  1. When clients go to any health care facility, they expect their sensitive personal health information to be kept confidential and the records and communications to be kept secure from third parties, unless they explicitly give consent to sharing the information.


  2. When hospitals, medical clinics and physicians operating in the regulated health marketplace solicit and record patients’ private health information, they are required by federal law to keep that information confidential pursuant to the Health Insurance Portability and Accountability Act (HIPAA). HIPAA also requires that private health information, as well as all communications with patients, be kept secure against breaches by third parties.

  3. Unregulated Pregnancy Clinics that do not engage in transactions regulated by HIPAA, such as the electronic transfer of client data for the purpose of billing for services, billing health insurance and referrals, are not subject to HIPAA and, therefore, are not legally required to maintain the privacy or security of clients’ health information.

  4. Many Unregulated Pregnancy Clinics collect personal health information from their clients, including medical histories, the results of medical tests, and communications with clients about health issues. Many Unregulated Pregnancy Clinics also maintain client records in online databases that are accessible by third parties outside of the center.

  5. The State must ensure that health information is kept confidential unless individuals providing the information expressly agree to a disclosure.

SECTION 3. PRIVACY FOR CLIENTS OF UNREGULATED PREGNANCY CLINICS

After section XXX, the following new section XXX shall be inserted:

(A) DEFINITIONS—In this section:

  1. “Health information” means information about the past, present, or future physical or mental health or condition of an individual, or the provision of health care to an individual, as these terms are used in the Health Insurance Portability and Accountability Act (HIPAA) Sec. 160.103.
  2. “Unregulated Pregnancy Clinic” means a facility that offers pregnancy-related health care services, including determination of pregnancy and pregnancy health care counseling, but is not a “covered entity” under the federal Health Insurance Portability and Accountability Act (HIPAA), 42 USC Sec. 1320d et al. and 45 CFR Parts 160 and 164.

 

(B) PRIVACY OF RECORDS REQUIRED

  1. An Unregulated Pregnancy Clinic shall not disclose to any entity or individual a client’s name or any health information that could reasonably be linked with an individual client, without written permission of the client for that specific disclosure of information.
  2. Prior to obtaining written permission for the disclosure of information, the Unregulated Pregnancy Clinic shall provide the client with a clear and understandable privacy notice, including:
    (a) the specific purpose for disclosing the information to a third party;
    (b) the specific types of information to be disclosed; and
    (c) the third parties who might or will receive the information.
  3. An Unregulated Pregnancy Clinic shall provide a simple mechanism for a client to revoke any consent for the disclosure of information.
  4. Within 10 business days of a client’s request, an Unregulated Pregnancy Clinic shall provide to a client, without charge, a copy of all of that client’s records possessed by the center.
  5. This section does not prohibit an Unregulated Pregnancy Clinic from disclosures that maintain the confidentiality of individual clients’ personal information, such as the numbers of clients who have been provided with particular goods or services.
  6. Nothing in this section shall be construed to restrict an Unregulated Pregnancy Clinic’s ability to:
    (a) comply with federal, state or local laws, rules or regulations;
    (b) comply with lawful civil, criminal or regulatory inquiries; or
    (c) defend itself against legal claims.

(C) SECURITY OF CLIENT HEALTH INFORMATION REQUIRED

  1. An Unregulated Pregnancy Clinic shall:
    (a) Protect clients’ health information by using data security protocols as effective as those required by the federal Health Insurance Portability and Accountability Act (HIPAA);
    (b) Protect against any reasonably anticipated threats or hazards to, or prohibited uses of, such information; and
    (c) Ensure compliance by its workforce.
  2. Unregulated Pregnancy Clinics that receive client information by way of electronic communication, including but not limited to phone calls, emails, text messages, instant messages, chat rooms, and video or voice calls conducted via internet-based platforms, shall utilize an encryption system, meaning an algorithmic platform to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

(D) ENFORCEMENT

  1. Whenever the Attorney General or a district attorney [if applicable: a city attorney, a county counsel] has reasonable cause to believe that an Unregulated Pregnancy Clinic has violated this section, the Attorney General may issue a civil investigative demand pursuant to [cite code].
  2. The Attorney General may commence an action in any court of competent jurisdiction for injunctive relief to compel compliance with the provisions of this section, and for civil penalties for violations.
  3. Prior to commencing an action in court, the Attorney General shall give written notice to the Unregulated Pregnancy Clinic to cure such violations not later than 10 business days after receipt of the written notice.
  4. Upon a finding by the court that an Unregulated Pregnancy Clinic has violated this section, the state shall be entitled to recover:

    (a) civil penalties of up to three thousand dollars for a first violation;
    (b) civil penalties of up to ten thousand dollars for a second or subsequent violation; and
    (c) reasonable attorneys’ fees and costs.

  5. In determining the overall amount of civil penalties to assess against an Unregulated Pregnancy Clinic, the court shall include, but not be limited to, the following in its consideration:

    (a) the nature and severity of the violation;
    (b) the size, scope, and type of the offending organization; and
    (c) the good faith cooperation of the offending organization with any investigations conducted by the Attorney General pursuant to this section.

 

SECTION 4. EFFECTIVE DATE

This law shall become effective on July 1, 20XX.
