The end of federal abortion rights quickly made a common, safe medical procedure illegal in many parts of the United States and turned routine medical data into something that can be used against people suspected of having an abortion.
Despite being highly sensitive, health data often isn’t as private as people might assume. There isn’t much preventing medical records from being weaponized against people seeking abortions in states where it is illegal. Even though medical records contain sensitive, personal information, most people don’t have much control over the information in them or how they are shared.
Medical privacy laws like the Health Insurance Portability and Accountability Act (HIPAA), don’t stop subpoenas or warrants for medical records data, and under those laws, doctors are able to share medical information if they suspect a crime has occurred. “If you’re in a state where something is just flat out illegal, there aren’t really legal protections that prevent your medical records from being used against you,” says Carly Zubrzycki, a health law professor at the University of Connecticut School of Law.
Most patients don’t own their own medical records. Only one state — New Hampshire — gives people explicit ownership over their medical records. In some other states, laws specifically say that medical providers or hospitals own the records. “Most health systems will claim it’s their property,” says Eric Perakslis, the chief science and digital officer at the Duke Clinical Research Institute. “And that they have a right to it.”
HIPAA, the law governing medical privacy, requires that people are able to see their full medical records. But research shows that the process is often complicated and that clinicians sometimes don’t comply with policies designed to help people access their records. Even if someone manages to get full access, it can sometimes be missing things like clinicians’ notes or other details. Tracking down the complete picture can be difficult for anyone without the time and resources to advocate for themselves.
If they are able to get a full picture, patients are also able to request amendments to their medical records if they think something is inaccurate. Records often include decontextualized information, and it can be easy for people to spin that into whatever story they want to tell. With laws in place criminalizing abortion, people might want to make sure that their records are clear about how and why they sought out certain medical procedures. Doctors and hospitals, though, don’t have to agree to make that amendment. “How can you even request changing things when you can’t get basic access to your medical information?” says Jennifer Miller, a bioethicist at the Yale School of Medicine. “That’s troubling.”
It’d be even more difficult to try to adjust medical records to keep out something that did happen, like a pregnancy-related procedure that could be deemed illegal. “There’s not any formal mechanism by which you can insist that something true be taken out of your record,” Zubrzycki says.
The conversations between doctors and patients may play out differently on the ground, and some doctors might be more open to requests to make changes — or to keep information from entering the record in the first place, Zubrzycki says. But that depends on the doctor being trustworthy and a patient having the experience, knowledge, and resources to self-advocate around their medical data. It’d be a case-by-case situation.
So, patients don’t have control of what goes in their records. But they also have limited control over where that opaque, unchanging medical record goes. Hospitals and healthcare providers can share patient medical data with their business partners. They can also share personal medical information from patients with third parties as long as it’s stripped of identifying information. And they do this all the time — hospitals regularly sell patient health data to tech companies, research groups, and pharmaceutical companies.
That can put the security of medical records (and the privacy of patients) at risk. De-identification isn’t perfect, and research shows that it’s possible to tie supposedly anonymized medical records back to individuals. And anonymized buckets of data sent around by hospitals pose risks as well, says Perakslis. “When you target a community, you will probably end up harming individuals,” he says. For example, anonymized data about patients that seek abortions at a hospital could theoretically be used to find groups of patients that anti-abortion groups might focus on for misinformation campaigns or that law enforcement might target for prosecution, Perakslis says.
Policies designed to make it easier for doctors to share information about patients also yank medical records further out of patients’ control. In some cases, laws require that doctors send medical records to each other when treating a patient — and the moves don’t require the patients’ knowledge or consent. Easy transfer of medical records is a longstanding goal for health experts, and in most cases, it improves patient care. But abortion bans and restrictions reveal some downsides to the free flow of information, Zubrzycki says. She outlined the risks in an upcoming Yale Law Journal Forum article: if medical records can follow people doctor to doctor, they can also follow people state to state. So the records of someone getting pregnancy-related care in a state that allows abortion could be sent back to their doctors in a state that criminalizes abortion — where it could theoretically be used against them if they were suspected of an abortion back home, she argues.
Laws that stop anti-abortion states from obtaining medical records from doctors in states providing abortions — like one newly passed law in Connecticut — wouldn’t necessarily stop this from happening. They block physicians from sending information in formal criminal or civil proceedings but don’t appear to stop records from traveling between providers and between states during normal patient care. “I think that’s a big risk and that worries me,” Zubrzycki says.
The criminalization of abortion throws into relief just how little control most people have over their medical records. And it reframes medical data as something that can hurt patients rather than something that helps them. That could erode trust between patients and doctors — and lack of trust often leads to people avoiding getting care at all, reproductive or otherwise. “This is a case that resurfaces concerns about the role of privacy and the doctor-patient relationship,” Miller says. “When there’s a lack of trust in the system, people disengage.”