| |

Watchdog Group Asks 5 Attorneys General to Investigate Crisis Pregnancy Center Privacy Practices

By now I’m sure you’ve heard or read the story about the watchdog group, Campaign for Accountability, asking 5 Attorneys General to investigate pregnancy centers. I find it very suspicious this news broke the same day the HHS published a final rule amending the HIPAA Privacy Rule in an effort to protect abortionist. Just in case you have not heard or read the story, please read on.

“A progressive watchdog group sent letters Tuesday asking attorneys general in five states to investigate the privacy practices of crisis pregnancy centers, arguing they could be misleading patients with claims that sensitive medical data is protected by health privacy laws, according to copies of the letters obtained by NBC News.

While the letters don’t allege misuse of private health information the pregnancy centers collect, they ask the attorneys general to investigate what they use the information for and whether crisis pregnancy centers are using it to further anti-abortion goals.

The letters, sent by the Campaign for Accountability, allege that the centers, which try to dissuade pregnant women from seeking abortions, gather sensitive and private medical information as part of their appointment scheduling processes. The letters asked the attorneys general of IdahoMinnesotaNew Jersey, Pennsylvania and Washington to use their investigative power to probe why crisis pregnancy centers are gathering and retaining sensitive medical information and what they do with it — and potentially charge the centers with violating state consumer protection laws. 

The centers, which provide counseling and services for women coping with unplanned pregnancies, say on their websites that they comply with the federal Health Insurance Portability and Accountability Act, known as HIPAA, as a promise that the information is protected and kept confidential.

However, because the centers offer services for free, they are not legally bound by federal health data privacy laws, creating a privacy risk that could be exploited in the wake of efforts to criminalize abortion, according to the letters.

At the time of publication, the pregnancy centers discussed in the letters from Campaign for Accountability had not responded to a list of questions. 

The letters, signed by the group’s executive director, Michelle Kuppersmith, argue “women are guaranteed no actual privacy protection when they hand over highly sensitive information about their pregnancies or reproductive health.” 

The practice is “particularly disturbing given some neighboring states’ desires to prosecute women who travel to seek abortion — including to states where abortion remains legal,” Kuppersmith writes.

Andrea Swartzendruber, an associate professor of biostatistics at the University of Georgia College of Public Health who studies crisis pregnancy centers, said: “They have so much information about the people who go to crisis pregnancy centers. There is some language in those forms that is completely problematic in the hands of crisis pregnancy centers.”

Susannah Baruch, executive director of the Petrie-Flom Center for Health Law Policy, Biotechnology and Bioethics at Harvard Law School, said claiming to be HIPAA-compliant while actually not being regulated by the federal privacy law could leave consumers whose data is shared without their consent with no recourse.

“There can be enforcement mechanisms against an entity that doesn’t do what the privacy rule requires, assuming that entity is covered by the HIPAA privacy rule,” said Baruch, who said it would be difficult for “visitors to enforce their rights, because this is not an entity against whom they can sort of claim the protections and HIPAA privacy rules.”

While many crisis pregnancy centers offer free services, such as pregnancy tests and ultrasound scans, as well as counseling, reproductive health doctors say many of them also provide misleading or false information, such as linking abortion to mental illness or infertility, meant to discourage or prevent women from receiving abortion care. 

The rise of crisis pregnancy centers

Community-based pregnancy centers began to crop up around the country in the 1960s. As the anti-abortion movement gained momentum after Roe v. Wade, religious activists began organizing them into national networks. Eventually, the centers shifted to take on the appearance of medical facilities to attract women seeking abortions and “impact a woman’s decision to choose life,” according to the National Institute of Family and Life Advocates, the organization that introduced ultrasound technology into crisis pregnancy centers.

However, the centers are not subject to the same standards as health facilities, and they are often unregulated by state health departments, which can lead to confusion over what services they actually offer: Women who are seeking abortions mistakenly schedule appointments at facilities that will try to counsel them against the procedure.

There are more than 2,500 crisis pregnancy centers across the country, compared to just over 800 abortion clinics, according to the Guttmacher Institute, a research group that supports access to abortion. There have been attempts to restrict the centers by requiring them to display written notices informing women about abortion access. In 2018, the Supreme Court ruled the efforts violated the First Amendment.

Questioning whether crisis pregnancy centers engage in deceptive privacy practices is an approach that the Campaign for Accountability hopes will prove more effective.

“CPCs are playing an increasing role in the anti-choice movement’s strategy,” Kuppersmith said. “Given the prevalence of these centers and their efforts to reach minors and other often low-income women, their activities merit close scrutiny.”

Collecting data

The crisis pregnancy centers discussed in the letters, like many across the country, are affiliated with Care Net and Heartbeat International, major pregnancy-center networks that describe themselves as religious ministries. In return for affiliation fees, pregnancy centers receive training, digital support and digital forms used to collect client information from women who interact with their facilities.

“We believe we are better together, and our center management software reflects that by collecting data, across the pregnancy help movement, on critical metrics to provide powerful, actionable insights at the local level,” Heartbeat International writes on its website.

Baruch, of Harvard Law School, said: “Many of the crisis pregnancy centers are part of networks, and they’re sharing the information up to the networks, which are there to try to reduce the number of people accessing abortion. We don’t know exactly what they would do with the information.”

The Campaign for Accountability asks the same question in the letters, writing, “This raises the question of why” crisis pregnancy centers are “gathering and retaining this highly sensitive medical and personal information and what the group does with this information.”

Much of the data is collected on pregnancy centers’ websites, which prompt prospective clients to make appointments, much as they would for doctors’ visits. 

The online intake forms ask for private information such as first and last name, phone number, email address, date of birth, first day of last period and, in some cases, interest in obtaining abortion care and interest in specific pregnancy services. 

Voluntary compliance

Websites for the centers say they are “fully HIPAA-compliant.” Some of the centers discussed in the letters say in their privacy policies that they are “required by law to maintain the privacy and security of your protected health information” and instruct clients that if they believe their data has been compromised, they can “file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.”

However, in a blog post, Care Net acknowledges that compliance is voluntary, because the pregnancy centers are not actually bound by the federal privacy law.

“Most centers do not meet the legal definition of a covered entity under the HIPAA regulation because they do not furnish, bill, or are paid for health care in the normal course of business and do not transmit health information in electronic form in connection with a transaction for which a HIPAA standard has been adopted by HHS,” the blog post says.

That is also acknowledged in the privacy practices of some of the clinics discussed in the letters from Campaign for Accountability.

Sage Women’s Center in Twin Falls, Idaho, writes on its website that “any transactions that invoke coverage of the HIPAA Privacy  Act” and therefore its privacy practices are “voluntarily undertaken.”  

“Therefore, nothing in this notice should be construed as creating any contractual or legal rights on behalf of patients,” the privacy policy says.

Privacy policies for two of the pregnancy centers say personal data can be disclosed without consent “when required by law, when required for public health reasons” or “when necessary to avert a threat of harm to you or a third person.” Privacy policies for the three others say personal data can be disclosed “as required by law” or “when required to protect our rights or your safety or the safety of others.”

In the letters, Kuppersmith urges the attorneys general to investigate whether pregnancy centers could consider “a woman’s decision to seek abortion care as a ‘threat’ to the safety of a fetus and a ‘morally compelling’ reason to break confidentiality.”

In their advertising and legal materials, Care Net and Heartbeat International maintain that confidentiality is a priority. 

“Personal and health information is treated highly confidentially,” Care Net writes on its website. “Except in rare cases where information must be shared in compliance with state law for the protection of an endangered child, or to protect the client or others from physical harm, client information is held in the strictest confidence.”

A legal manual for Care Net and Heartbeat International pregnancy centers obtained by NBC News says: “For non-medical pregnancy centers, the confidentiality policy is primarily ethical, not legal.  “Nevertheless, because centers voluntarily promise confidentiality, centers could be held legally liable should such confidentiality be breached for inappropriate reasons.”

In a blog post, Care Net says its “pregnancy centers agree to respect client/patient privacy, and medical centers adhere to and distribute a notice of privacy practices modeled on HIPAA.” 

“Centers readily comply with all applicable confidentiality and HIPAA regulations that apply to many abortion clinics, retail clinics, and other physician’s offices,” the blog post says. “Care Net will disaffiliate any center that persists in violating or is unwilling to comply with our standards of affiliation.”

In a statement to NBC News, Jor-El Godsey, president of Heartbeat International, said, “Pregnancy help organizations comply with all applicable laws, including state-level data privacy laws and applicable HIPAA provisions.”

“For centers, confidentiality is so much more than merely complying with the law. It’s about serving her well, which includes safeguarding her private information and honoring her trust — hence the ethical duty to maintain confidentiality,” Godsey said. “Because our services are free of charge making HIPAA not applicable, confidentiality is of the utmost importance.”  

At the time of publication, Care Net had not responded to a list of questions.

On Monday, the Biden administration announced new rules to strengthen HIPAA to offer more legal protections for people who obtain or provide abortion care in states where it is legal to do so. The final policy prohibits health care organizations from disclosing private health information to state officials to conduct investigations or prosecute patients or providers. 

The new rule does not apply to crisis pregnancy centers, a Department of Health and Human Services official said.

“Generally, a crisis pregnancy center that provides services for free and does not bill health insurance does not meet the definition of a covered entity under HIPAA and therefore the HIPAA Privacy, Security, and Breach Notification Rules (‘HIPAA Rules’) do not apply,” the official told NBC News in an email.

There is precedent for penalizing companies for misleading consumers about why their reproductive health information is being collected and how it is being shared. In 2021, the Federal Trade Commission filed a complaint alleging Flo, a period- and pregnancy-tracking app, shared millions of users’ data with third-party companies, despite having promised users their data would stay private.

A group of Senate Democrats has tried to get answers about how crisis pregnancy center networks use and protect such data before, having sent a letter to Heartbeat International highlighting concerns that the data could be used in abortion-related prosecutions. In response, the organization declined to “respond materially” to questions about how and with whom it shares client data, Sen. Elizabeth Warren, D-Mass., said in a news release, but it posted on its website that it has never “had a security breach related to client information,” maintaining that “any data we collect has always been secure, safe, and legal.””

Leave a Reply