In April 2023, the State of Idaho enacted legislation making it a felony to help a minor obtain an abortion (or medication to induce abortion) by “recruiting, harboring, or transporting the pregnant minor within this state.” With more than a third of U.S. states having severely restricted or outright prohibited access to abortion within state borders, Idaho has now turned its attention to making it more difficult for at least some of its citizens to travel out of state to obtain abortion care. The legislation explicitly rejects as a defense that the provider of abortion services is in another state. Abortion care is not the only type of healthcare service that has raised interjurisdictional conflicts. As of April 2023, at least thirteen states have banned some or all gender affirming care for minors. In some states, government officials have attempted to define gender affirming care as child abuse, which would arguably support removing resident children from parental custody even if the contested care were sought beyond the state’s borders.
In response, other states have enacted legislation intended to shield patients, providers, and others who facilitate care that is lawful within that state from being prosecuted or sued elsewhere. Connecticut, which was the first state to enact such protections, largely prohibits healthcare providers from turning over abortion records in out of state legal proceedings without the patient’s explicit consent and bars state judicial authorities from issuing subpoenas related to reproductive services unless there is an equivalent cause of action under Connecticut law.
Yet, as Carly Zubrzycki demonstrates in her new article The Abortion Interoperability Trap, laws like Connecticut’s “miss[] a crucial piece of the puzzle: medical records are widely shared across state lines to facilitate patient care.” As Zubrzycki explains, these new state laws designed to protect reproductive and gender affirming care “are generally limited to preventing providers and other covered parties from directly sharing information in formal proceedings.” They do not prevent, and indeed often explicitly permit, sharing of patient records across state lines for purposes of patient care. The result is that these statutes largely fail to provide the protection they tout. “The reason is simple: in-state providers subject to a safe-haven law will, in the ordinary course of business as their patients seek care in other states, share medical records with out-of-state providers who are not subject to that law and who can therefore easily be asked to hand over the records in litigation.” This gap between what abortion-protective laws promise and what they genuinely offer is what Zubrzycki calls abortion’s “interoperability trap.” In this timely and insightful article, Zubrzycki offers not just a diagnosis but refreshingly practical solutions. Her work is already having a practical and important impact.
The abortion interoperability trap is not an incidental or minor exception to otherwise robust data protection. Rather, Zubrzycki compellingly demonstrates that it threatens to “swallow the protections the legislation purports to offer.” HIPAA, though widely known for its Privacy Rule, is actually primarily concerned with the portability of medical data. After all, the “P” in HIPAA stands for “portability,” not privacy. The growth of electronic health records and electronic medical-records systems has also facilitated the freer flow of medical data among a single patient’s providers. More recently, expansion in the applicability of the federal Information Blocking Rule, which is designed to limit information hoarding by individual medical providers, has “shifted the incentives for those with access to medical records to begin sharing those records far more widely.” The result (or at least, the intended goal) of this “legal and technological ecosystem of medical records” is to “require providers and others to share patient information seamlessly with other providers and health-information-technology companies.”
This new regulatory framework for sharing health data was not designed to trap abortion patients or others seeking contested care out of state. It was targeted at resolving persistent problems affecting the portability and sharing of medical records. But the seamless sharing of a patient’s medical data among her providers may have unintended consequences, and the abortion interoperability trap is one of them.
Zubrzycki explains that existing legal tools are unlikely to resolve the interoperability trap. The federal regulatory exceptions to medical information sharing are permissive, rather than mandatory, and are narrowly framed such that they are unlikely to provide much protection. Nor will the HIPAA Privacy Rule or the Fourth Amendment resolve this quandary. The HIPAA Privacy Rule, as I have explained elsewhere, broadly authorizes law enforcement access to otherwise protected personal health information. Moreover, the Privacy Rule “expressly permits patient records to be shared whenever the sharing is for treatment purposes.” The Fourth Amendment is equally unavailing. “[E]ven at its remedial maximum, the Fourth Amendment requires only a warrant based on probable cause in order for law enforcement to obtain records.” That is, “even assuming that the Fourth Amendment protects medical records at all . . . law enforcement could still obtain those records with relative ease, as the probable-cause standard is not particularly burdensome” in investigating a suspected unlawful abortion.
But all is not lost! In addition to lucidly and incisively diagnosing the abortion interoperability trap, Zubrzycki also identifies legal and other mechanisms for addressing this problem. She argues that private providers and other stakeholders can take steps to better protect sensitive medical records under their control. Healthcare providers could, for instance, adopt more exacting patient informed consent requirements prior to disclosing an abortion, miscarriage, or stillbirth, so long as that requirement is not so onerous as to run afoul of the Information Blocking Rule. A more extreme, but perhaps more effective, response would involve reverting to paper records instead of electronic ones, as paper records are not covered by the Information Blocking Rule.
Better still, Zubrzycki identifies interventions that state and federal actors could take to better shield sensitive medical data—and her work here has already had an impact. In March 2023, Maryland enacted legislation based in significant part on Zubrzycki’s recommendations for closing the abortion interoperability trap. In introducing the legislation, the sponsoring state senator expressly invoked Zubrzycki’s proposal that “[t]he most effective legislative approach for states may be to prohibit electronic-health-record vendors and health-information exchanges from facilitating the transfer of abortion-related data across state lines.” The U.S. Department of Health and Human Services has also proposed changes to the HIPAA Privacy Rule to better protect reproductive health care privacy that are consistent with Zubrzycki’s recommendations, though the notice of proposed rulemaking does not cite Zubrzycki directly.
Scholarship like Zubrzycki’s not only advances the scholarly conversation about data and health privacy; it also makes concrete and positive change in the real world. Particularly as states act ever more aggressively to regulate contested forms of care, such scholarship is an essential part of successful academic work.
