In the wake of efforts across the U.S. to criminalize abortion, concerns have arisen over the fact that crisis pregnancy centers, many of them affiliated with national anti-abortion networks, are collecting people’s data but are not bound by data privacy laws.
There are 85 crisis pregnancy centers in Minnesota — most of them faith-based, unregulated medical clinics that seek to deter patients from obtaining abortion care.
On Monday, Attorney General Keith Ellison issued a consumer alert about crisis pregnancy centers, warning that staff at the centers may provide misleading information about abortion and contraception, and often do not provide services they claim to offer.
Earlier this month, a Post Bulletin investigation reported results consistent with Ellison’s alert.
The centers provide free services such as ultrasounds, pregnancy tests and counseling sessions to discuss pregnancy options, all of which can be attractive to patients facing unplanned pregnancies.
Since 2005, funding through Minnesota’s Positive Alternatives Grant Program has provided over $3 million annually to assist unplanned pregnancies, and dozens of crisis pregnancy centers have been recipients of those funds.
But the facilities are not treated as clinics by regulators nor legally bound by the patient privacy stipulations of the Health Insurance Portability and Accountability Act or Minnesota Health Records Act, with the exception of the latter in the case of 27 centers that receive funding from the state.
Greg Myers, a Minneapolis-based lawyer who practices health law, said this puts sensitive patient health data at risk of exposure. A crisis pregnancy center might not face HIPAA-related consequences, he said, for sharing a patient’s pregnancy status or decision to get an abortion.
“They do not have any duty under HIPAA,” said Myers, who focuses on HIPAA compliance as a partner at Lockridge Grindal Nauen P.L.L.P. “There could be violations of client privacy.”
PRIVACY PROMISED, NOT GUARANTEED
Tammy Kocher, executive director of First Care Pregnancy Center, a crisis pregnancy center with clinics in Rochester and the Twin Cities metro, said her facility’s policies follow HIPAA guidelines.
“Our policies and procedures require that everything is kept strictly confidential,” Kocher said. “If a patient wants to have their records released to themselves (or a provider), we require a written release of information by the patient.”
Although First Care Pregnancy Center and other centers state on their websites that patient information is confidential, Myers said this compliance is voluntary and that he’s skeptical that the centers could protect a patient’s information in the same way that a licensed medical facility could if they were sued, for example.
During civil litigation HIPAA regulations require that parties holding protected health information enter into a protective order, Myers said, requiring them to maintain confidentiality of the health information, use it only in regards to litigation, and see that it is destroyed or returned at the close of litigation.
While crisis pregnancy centers could enter into their own protective orders in such a circumstance, he said, they would not be able to point to HIPAA for protections if challenged or if the protective order is violated.
“Anyone can agree to follow HIPAA,” Myers said. “The issue is going to be how do they accomplish that? When push comes to shove, would they really be able to keep your information private?”
The Post Bulletin reached out via email to all 85 crisis pregnancy centers in Minnesota for this story, and asked them about concerns over data privacy, but only Kocher responded.
‘EVEN LESS OVERSIGHT’
Although the facility as a whole is not bound by HIPPA, First Care Pregnancy Center has licensed medical providers on staff, so those individuals would be beholden to data privacy laws. However, medical staff are found in only a minority of Minnesota crisis pregnancy centers.
According to a 2021 report about crisis pregnancy centers authored by a collaboration of law and policy centers working to advance gender equity, including Gender Justice in St. Paul, within Minnesota, “only 9% of the centers claim to have a physician and only 20% indicate they have a registered nurse on staff.”
Myers said this means centers without licensed medical staff have even less oversight, because individual staff members would not be subject to HIPAA or state regulatory boards, such as the Board of Medical Practice or the Board of Nursing.
Minnesota Citizens Concerned for Life, an anti-abortion organization which advertises the centers on its website, said it did not have exact numbers on how many crisis pregnancy staff members have medical licenses.
“I don’t think that anybody who goes to a pregnancy care center needs to have a concern about privacy or record keeping,” said Scott Fischbach, executive director. “The care centers have always been wonderful in providing complete privacy for those individuals.”
When asked about privacy concerns, Fischbach said he believes that going to an abortion clinic is a greater privacy risk.
“We don’t have any licensing restrictions of abortion centers and there are no laws really regulating the procedure here in Minnesota,” Fischbach asserted. “So, you know, whether they’re going to abide by HIPAA laws, I think it is questionable.”
“This is a very interesting assumption that on its face isn’t true,” said Asha Hassan, a researcher at University of Minnesota’s Center for Anti Racism Research for Health Equity.
Abortion providers and clinics are some of the most regulated in medicine, Hassan said, noting that Minnesota clinics are required by law to ensure abortion patients meet with a licensed medical provider beholden to data privacy laws.
Abortion care staff usually consist of medical assistants, nurses and doctors, Hassan added. Medical assistants (typically unlicensed) assist with vitals, rooming and intake. Licensed nurses may provide counseling, she said, while only licensed doctors and advanced practice clinicians can perform and prescribe for abortions.
“There is no instance in which an abortion patient isn’t seen by a licensed provider at one of Minnesota’s eight operating abortion clinics,” Hassan said.
SHARED DATA NETWORKS
Citing the interconnected nature of many of the nation’s crisis pregnancy centers, critics believe there’s more at stake than just one center obtaining a patient’s information without an assurance of privacy.
A report published in 2019 by the London-based privacy organization Privacy International found that one of these networks, markets to its members proprietary software intent on removing, in the researchers’ words, “data silos between anti-abortion centers globally.”
“We believe we’re better together, and so is our data,” Ohio-based Heartbeat International, writes on its website, touting a content management system which “harnesses the power of big data” and gives users “the ability to enter and access information anywhere at any time.”
Heartbeat International did not respond to the Post Bulletin’s requests for comment.
An anti-abortion organization which describes itself as “interdenominational Christian,” and which supports more than 3,000 affiliated pregnancy help locations worldwide, Heartbeat International counts 53 affiliate members in Minnesota, according to its website.
The Heartbeat International software “appears to unify what questions people are asked when seeking a center’s help,” the Privacy International report found, “and to centralize the information that visitors to anti-abortion centers are asked to provide during their visit.”
It also noted that the content management system seeks to collect data on name, address, email address, ethnicity, marital status, living arrangement, alcohol and drug use and and medical history of visitors to a crisis pregnancy center, including sexually transmitted disease history.
A software web page highlighted by Privacy International promotes its shareability, saying “the data your organization collects needs to work not just for you but for the rest of the pregnancy help movement.”
The privacy researchers also raised concerns over Heartbeat International’s Option Line, a 24-hour hotline and online chatbot in which users are asked to provide name, location, demographic information, and what they plan to do with the pregnancy.
It’s not clear how many Minnesota crisis pregnancy centers utilize Option Line, but their numbers include Choices Pregnancy Center in Redwood Falls, which receives state funds through the Positive Alternatives Grant Program.
The Option Line is promoted on billboards in southern and central Minnesota as well.
Heartbeat International told Privacy International it kept patient data confidential and used the data only on a de-identified basis, but the privacy advocates noted it was unclear how and by whom such de-identification took place.
‘LARGE AMOUNTS OF DATA’
In June, the National Right to Life Committee, an anti-abortion organization, released draft legislation titled the Post-Roe Model Abortion Law intended for lawmakers to utilize should they wish to criminalize abortions and anyone “conspiring to cause, aiding or abetting illegal abortions.”
While there is no evidence thus far of crisis pregnancy centers sharing a patient’s private information outside of a facility, Harvard University’s Laura Dodge, a professor of obstetrics and gynecology, said she is concerned the centers have access to large amounts of sensitive information, given the alarming possibility, in her words, of a “data dump.”
“They could turn over large amounts of data on many, many clients and not just on a case by case basis … as part of an individual investigation,” Dodge said. “Your health information is not protected at a crisis pregnancy center the way that it is when you visit a licensed medical facility.”
Tammy Kocher of First Care Pregnancy Center asserted her facility would never voluntarily release patient information without the patient’s written consent. Even with the best intentions of maintaining privacy, however, crisis pregnancy centers could be forced to turn over data in response to a lawsuit or police search warrant, health care lawyer Greg Myers said.
HIPAA-bound providers are not invulnerable to search warrants, Myers said, but HIPAA only requires them to disclose protected health information in certain circumstances, whereas crisis pregnancy centers would not be able to use HIPAA’s limitations as a defense.
Kocher said that if law enforcement requested records through a search warrant, “we would contact our attorney to determine what we are legally required to comply with, as this would be unprecedented.”
Myers said he recommends patients visit licensed regulated clinics required to adhere to data privacy laws. For patients who wish to visit a crisis pregnancy center, Myers advised they do so at a state-funded facility, as they are bound by the Minnesota Health Records Act, which prohibits a health care facility from sharing health records without the patient’s consent.
“Right now we are facing an uncertain landscape,” Myers said. “There’s so much more value in dealing with a regulated healthcare provider.”
With reporting assistance by Paul John Scott, Minnesota health correspondent for NewsMD.