By now, we don’t have to tell you about Friday’s decision overturning Roe v. Wade.
The Supreme Court ruling knocked down abortion rights across the US, and the true implications for different states have yet to be fully determined. To be clear, it’s not just an issue for cisgender women: It also affects transgender and nonbinary individuals. It’s also something that tech companies need to be thinking about and taking action on — especially when it comes to consumer privacy and protection.
Depending on where you’re located, this ruling has a few connotations. In the DMV region, for instance: DC leaders do plan on maintaining legal abortions in the district, but it gets a little complicated with Congress approving our laws (though in the worst-case scenario of a Republican-led Congress stripping DC of its safe abortion laws, it would likely get a veto from President Joe Biden). In Maryland, the state even expanded its abortion laws recently. Virginia currently allows abortions up until 25 weeks, although the governor is currently looking to bring that down to 15 weeks.
But there’s much more to this than just whether or not abortions are legal in your particular jurisdiction. Tech companies, particularly health and fertility tech ones, have plenty to consider following this ruling. Bethany Corbin, a senior counsel at law firm Nixon Gwilt Law specializing in femtech and privacy laws (who is based in South Carolina, but previously worked at DC firm Wiley Rein), answered some of our questions about reproductive tech, privacy and more.
What are some of the main tech-based takeaways from this decision? What should tech companies be thinking about?
To start, Corbin recommends honing in on two issues: privacy and security. Apps developed outside of an official healthcare environment are not protected by HIPAA, so creators need to be extra careful about protecting consumer data.
But some don’t have that baked in, either legally or within the technology. If you’re still developing the tech for your healthtech startup, Corbin insists you build patient-friendly privacy practices into the backend.
If you already have a product on the market, let this be the time to take stock of what you’re collecting, where it’s located and the data’s input and output. If you get breached, it’s crucial to know exactly what went missing. Then, you can even scale down and only collect the necessary data, or none at all (in this case, you can also consider synthetic data).
If tech companies don’t want to have their data turned into a dragnet against people seeking abortions and people providing abortion support, they need to stop collecting that data now. Don’t have it for sale. Don’t have it when a subpoena arrives.
— Eva (@evacide) June 24, 2022
Corbin said that this health data is about 20 to 50 times more valuable than credit card data, and a newly higher ransom means that hackers are even more interested in obtaining that information. So, protection is crucial, and small startups are especially vulnerable without the right protections.
“You can change your credit card number, but you can’t change your health data,” Corbin told Technical.ly. “Just by its nature, health data is valuable. Now, you add a landscape in which numerous states have these trigger laws that have gone back into effect outlawing abortion. Well, that means [that] if you’re a company that has that reproductive health data, the value of that reproductive health data has just skyrocketed.”
This also applies to companies that don’t collect such data directly, but instead contract with an entity that does. They could be a stepping stone for cybercriminals, she noted, and also need to up their privacy standards.
Should you delete your period and fertility tracking apps?
Corbin noted that data from your period tracking, ovulation, fertility or other related apps can be accessed in a few ways. If a law enforcement official has a subpoena or court order, healthcare apps and companies do have to hand over the data. It can also be accessed through data breaches, be it an unfulfilled ransom payment or someone quietly entering a system that isn’t up to snuff. Finally, if it’s sold to a data broker, the broker can, in turn, can sell it to private citizens or, again, law enforcement officials (yes, there is a loophole where they don’t need a subpoena).
But it’s more complicated than just deleting the app. While those in states with rights being taken away might be tempted to dump their tracking apps, some of these apps actually connect with researchers and universities studying fertility, pregnancy and related healthcare for people with uteruses. Losing the data from all of those states, which can be used to train algorithms, could lead to erroneous results.
“It’s really, really a weighing of pros and benefits for each person,” Corbin said. “But what I would expect to see is individuals, especially those who are in those trigger states, start to delete those accounts.”
If you want to keep your apps, Corbin said that you can switch to ones that keep data out of the cloud — although that still doesn’t protect it from subpoenas. She recommends looking closer at your apps’ privacy policies and ensuring you keep them on the strictest privacy settings.
So, how can reproductive tech companies better protect consumer data?
Many early-stage startups in the sector, Corbin said, actually create very similar privacy policies to their competitors. But how a competitor uses and discloses data is going to be different, even if you’re building almost the same product. That means it’s even more important to examine and potentially rewrite existing privacy policies to ensure they accurately reflect how your company uses data.
What about healthtech companies that aren’t specifically focused on reproductive issues?
Even if you’re not running a period tracking or ovulation startup, Corbin said any startup in the health space should be on guard. These privacy and security concerns are not unique to reproductive health companies, and she expects that many companies will be subject to similar scrutiny and concerns.
She especially expects this to spill over into mental health apps. But on the whole, she thinks tech companies should be tightening up their data protection policy.
“Having good privacy and security hygiene can be a differentiator in this market right now,” Corbin said. “So it can also be a competitive advantage, and I don’t think a lot of companies really think about it that way.”
How can healthtech companies reassure consumers that they’re capable of protecting their data?
If you recently updated your policy (after reading this article, perhaps), you legally have to notify consumers of those changes. But you can also be proactive and tell consumers that you’re listening and making changes to protect them, Corbin said.
“Highlighting what you do or don’t do with your data in a very easy-to-find document on your website or [sent] out to your consumers would really be meaningful, I think, to just try to help raise to your consumers that you’re doing the right thing for them,” Corbin said.
What if I’m not a healthtech company? How can I be supporting employees?
Any difficult event gives companies a chance to offer employees space to speak, PTO and mental health resources. But following this decision, company leaders can also consider their own insurance policies.
Corbin said she’s recently seen an uptick in companies who are offering abortion and other reproductive health benefits, and it’s a trend she expects to continue among tech companies. So far, JPMorgan Chase and Dick’s updated policies to support employees seeking (and maybe traveling to obtain) abortions.
But employers have a lot to evaluate when creating these policies, especially as they affect remote workers in different jurisdictions. To best support employees, companies need to make sure they’ve answered questions like: Can an employee travel a few states over to get an abortion? Are they allowed to choose the provider, or does it have to be one the insurance covers And, as mentioned above, is their health data protected?
Companies with employees in several states must also understand the state laws to which those employees are subject. Some actually have aiding and abetting restrictions within their abortion legislation, which may expose companies offering abortion benefits that permit workers crossing state lines to liability (and maybe put the employee at risk). That doesn’t mean you shouldn’t have it as part of your policy; instead, it must be airtight.
“Companies need to think very carefully and cautiously about how they want to approach that to support employees, so that they’re doing it not only in a way that minimizes their liability, but also in a way that offers the maximum protection for patients and employee security and privacy,” Corbin said.-30-