Rae Woods (00:02): From Advisory Board, we are bringing you a Radio Advisory, your weekly download on how to untangle healthcare's most pressing challenges. My name is Rachel Woods. You can call me Rae. Over the last two weeks, we've talked about the use of consumer data in healthcare and how the FTC is beginning to wield its power to address data privacy. Now I know that stakeholders are starting to take action to mitigate data privacy risks, but in this episode, I want to explore a key question. What happens when the concerns we've raised in the last two weeks are left unchecked? This might seem like a hypothetical question, but we have a test case that's been top of mind for the last year: reproductive data privacy after the Dobbs decision that overturned Roe v. Wade. In the third and final episode of our data series, we want to explore data privacy in the wake of Dobbs and how healthcare leaders should be thinking about protecting patient reproductive data. To do that, I've brought Advisory Board digital health experts, John League and Ty Aderhold. Ty, John, welcome back to Radio Advisory. Ty Aderhold (01:05): Thanks, Rae. Back again. Third week in a row. Rae Woods (01:07): Yeah, Ty, how sick of me are you at this point? Ty Aderhold (01:12): It's sort of become something I can look forward to every week. It's just conversation with you. Rae Woods (01:17): Oh, that's the best lie that I've heard this week. Truly, thank you for that. Thank you for that. (01:22): Well, if our listeners didn't catch it by now, this is the third conversation in a series that we're doing around data privacy. And the conversations that we've had over the last two weeks have really made me think again and again about a, let's say relatively new challenge for the industry. And that's in the wake of last year's Dobbs decision. Let me get specific here. I'm talking about the fact that consumer data can be used to help identify and ultimately prosecute patients and clinicians. Let me ask the most blunt question. We've been worried about this for a while. Do we have examples of this happening in the year since the Dobbs v Jackson decision? Ty Aderhold (02:21): Rae, we've seen multiple examples of this happening and in those examples there's been different pieces of consumer data that has been used to prosecute these patients. Some of the pieces of data we've seen used multiple times, a big one is geographic location. That's in most of these cases. And that's geographic location of the patient traveling to a clinic or traveling to receive care. We've also seen text messages used. We've seen internet searches used. So multiple pieces around sort of what the patient is doing and searching and what they're saying in conversations in order to help make the case on the prosecution side. Rae Woods (03:07): And are those same data what is concerning on the clinician side for clinicians actually trying to deliver abortion care to patients? Ty Aderhold (03:15): So clinicians should be protected for, let's say, conversations with their patients. So if they're using secure messaging within their EHR to have a conversation with a patient, that would be protected under HIPAA. And also there is continuing guidance coming from the Biden administration around that being protected from any potential suits or any potential discovery in one of these cases. But that's not to say that every sort of form of communication or everything that the patient is doing in regards to their health is protected. So while the clinician would be protected in that secure messaging scenario, the patient traveling to the clinic and that location data still could help prosecute the patient in that case. Rae Woods (04:04): And this brings us back to a conversation that we were having last week about what kinds of data is protected and what kinds of data is not protected. The example that I think most folks probably assumed that we would've started with in this conversation is the recent ruling against Flo, which is a period tracking app. But, Ty, when you just mentioned common data sources, you use things that I wouldn't necessarily think of, even just the geolocation that's on in my phone if I have location services on. So help us understand what are consumers actually protected from and what is not protected. Ty Aderhold (04:42): So they are protected when they are giving information to what is considered a protected entity under HIPAA. This would be a provider or a health plan. And so if they are providing healthcare data to those entities, they are protected. Where this gets tricky, and this is the case with Flo, is that just because something is helping them with a healthcare decision, doesn't necessarily mean it is a protected entity under HIPAA. So in the case of Flo, this is an app that certainly is involved in healthcare, but Flo is not a healthcare organization that falls under HIPAA and therefore that data is not protected. And that's why it's so important to understand who owns the app, where the app is coming from, and the data protections around apps that you're using. John League (05:36): There's another example of this that's related that I think is indicative of how, I guess the word I want to use is insidious, this ability to access data is. There's recently a report that several national suicide hotlines were actually sharing information with Meta, the owner of Facebook, about who was accessing services and connecting to helplines through suicide prevention networks. Now, I don't think this was an effort by Meta to gather this information, but it's one of those things where the organization who has the website is giving all of this utilization information to another entity. And anything that happens there winds up creating a data trail. (06:32): So you might think, hey, I am connecting through my phone on a phone call to someone who is going to provide assistance to me in this very vulnerable moment. But if you tap on a website's link that has that phone number on there, you are creating a record that appears in utilization data that you have used that phone number, and that is information that gets sent on down the line. I think the idea that we have to trade our data for access to any of those sorts of services and interactions is one of the things that we are just now beginning to trip over in the information economy here in 2023. Rae Woods (07:20): And it's one of the reasons why we are seeing more action. Last week we talked about action from the FTC, but Ty even mentioned in passing that we know that the executive branch is at least attempting to step in on this issue. A few months ago, the Biden administration actually issued some guidance on how everyday users can handle their data privacy post Dobbs. Can you remind our listeners of that guidance? And for you as researchers, what does it signal as the attitude moving forwards towards oversight? Ty Aderhold (07:53): Sure, Rae. So there were two parts to the guidance. The first was really directed towards clinicians and providers, and it reaffirmed the rules in HIPAA as well as FERPA, which for those who aren't familiar is the Family Education Rights and Privacy Act. And that's specifically aimed at colleges and other schools that provide healthcare as well. And so it affirmed when those organizations should and should not be cooperating with law enforcement and other things and the protections that it provides to those organizations as well as the protections around patient data and those protections. So that was part one. There's nothing really new there, that was just reaffirming sort of what was already in those rules. Rae Woods (08:37): Reaffirming the protections that you already named at the top of this podcast. Ty Aderhold (08:41): Yes, yes, yes, yes. The second part was directed at consumers and patients, and that piece was specifically guidance around how they can protect their data from potentially leading to a prosecution. And so the guidance there was, one, avoid using apps that aren't provided from a protected entities. So we talked about those protected entities earlier, their guidance is don't use those if possible. Their other guidance was turn off your geolocation permissions on your phone. Go into your phone, and there's actually, it lists how to do it on iPhone and Androids. They're providing explicit instructions in how to do this, but they end by saying, even if you go through all those steps, you're still going to have some geolocation data that goes to your service provider, your telecom service provider, that could be used in a potential prosecution. So the last line of their recommendation is, when possible, we would recommend leaving your phone at home if you are trying to avoid being tracked in these scenarios. And so that is pretty stark guidance in 2023 to say, you know what? All we can really tell you to do if you're trying to avoid being tracked and this data not get out there is just leave your cell phone at home. And what that tells me is they're putting all of the sort of impetus to avoid some of this tracking and this consumer data getting out there on the patient themselves. Rae Woods (10:22): Which we said explicitly last week is far from fair, even though it feels like that is the option that's available. (11:46): Let's talk about the role of the people who are listening to this podcast, which are of course the health leaders, the stakeholders from providers to payer to life sciences companies and everything in between. What do you want to see them do to help protect patient data on behalf of pregnant people, and of course also for their clinical staff? John League (12:07): I think it's on the providers to be the advocate for the patient about the data. We wouldn't cede the position of informing patients about anything that was related to their healthcare to another organization. If plans and providers are really interested in caring for these patients, they have to give them all the information that they require. And here, that relates to how their data can be related to their healthcare. That is a bar that we have not been ready for in a lot of ways. And I think that we need, as an industry, to share that burden with the patients. Rae Woods (12:51): And help me square that with the kind of trend that we've seen over the last few years of patients wanting to be more active in their health using digital tools and frankly our listeners embracing that. I'm thinking the digital education that helps somebody prepare for a surgery that they're having, an app that helps somebody manage their type 2 diabetes, right? There are all of these examples that providers and payers in particular have embraced to help improve patient outcomes. And yet we have this example where we're saying, wait a minute, that's not only perhaps not going to be helpful, but it could even be dangerous for the patients that we serve. Ty Aderhold (13:33): Well, Rae, I think there is a path for digital tools to still be used in reproductive care. The path would be, one, have those tools be offered by covered entities under HIPAA, so the providers themselves not through third parties. And the second is those providers or payers need to make sure that they're not sending off patient data to a place like Meta. Rae Woods (14:01): And explicitly knowing whether or not they are doing that, because we talked about the fact that sometimes they don't even know that. Ty Aderhold (14:07): Right. But if those two things are true, so it's an app or website that is directly offered by the covered entity and they're not sharing data with third party, then everything will be protected under HIPAA and can't be prosecuted or discovered under lawsuit. And so in those specific instances, you could still see a digital tool being useful. Again, there is limitations though, and that goes back to some of this geolocation data stuff. There's no good answer there at the end of the day for some of those things other than talking to patients about it. Rae Woods (14:43): I wonder if what we're saying then is that the stakeholder that has the most power to step in here is actually provider organizations. And if that's true, that immediately makes me nervous because I would not call them the most tech-savvy stakeholder that we work with. John League (14:59): The requirement for them is not unique. The technology and the capabilities require them to look in different places. But if you think about how a provider determines a course of treatment for a patient, one of the things that they always have to consider is what are the side effects? What is the downstream consequence of this treatment? This is a side effect of that treatment. And when we speak about reproductive care and we talk about digital solutions, we have to be aware that this is one of those things that presents at the same time. Now, that's not great, and that is kind of a terrible place for us to be in maybe as a society, but this is where we are. And so we have to start with seeing the reality of the situation and responding in the best way we can. And I think to your point, Rae, about what do we do? This is what providers can do. Ty Aderhold (15:47): The other thing I'll add here, John, is the FTC and government regulators are really the place that can have the biggest impact here in changing this. If we continue to see the FTC acting aggressively to protect consumer data in healthcare, and not just healthcare data specifically, but trying to broaden some of the protections to cover more of this consumer data, that could also have a huge impact over the course of the next year. So it's almost a wait and see and let's see how aggressive the FTC continues to be. Rae Woods (16:19): Is there a role of a stakeholder that maybe we wouldn't have considered prior to the Dobbs ruling that we want to see some action here? I'm thinking specifically about the role of employers. Ty Aderhold (16:32): Employers were a big talking point right after the Dobbs ruling. A lot of them came out to talk about funding and helping their employees travel for out-of-state abortions. But now, a year later, I don't think we've heard a ton of employers actually doing this. There's not been a ton out there, certainly nothing that I've been hearing directly. And so this is another stakeholder that I think could have an impact. There was certainly some discussion of is this the right thing for these employers to be taking these aggressive stances? Can they back it up? So far, I don't know if we necessarily have seen them be able to back it up. But I think there is still a role to play for those stakeholders if they choose to jump into this. Rae Woods (17:18): Ty, you just mentioned what you are perhaps hoping to see from the FTC moving forward, and we talked about what we want to see from health plans, from providers, and now from employers. What are you hoping to see from the government, whether it's the executive branch, state government, when it comes to protecting reproductive health data? Ty Aderhold (17:38): So I already mentioned FTC. That is the first place I would look for more protections here or continued action against some of this health data privacy, particularly in apps. The other place I would look is to the states. So states like California and Washington are already acting to protect health information in apps. I don't think we'll necessarily see this in all states, but that may not necessarily matter. When we think about states passing specific laws to protect health information or generally when it comes to internet services, that can have an impact nationally. Rae, there's a specific example of this happening. If you think back to net neutrality, it was a big deal a few years ago that there was no longer going to be this net neutrality. But what happened was California specifically passed a law that preserved net neutrality in the state of California, and internet service providers decided it would be too hard to have one governing set of how they run their services outside of California and another set inside California. That net neutrality has stayed for the entire country just because California passed that law. And so you could see if enough states have strict health data privacy laws, it could force app providers to adhere to those laws in those states because they don't want to have to have two different apps or functions that they're providing based on state by state. Rae Woods (19:18): I think it would be easy for our listeners to walk away from this episode in particular, but really the last three episodes of Radio Advisory, and feel a little bit defeated. And I want to make sure that we are giving our listeners an action item, something that they can do that empowers them to use data in a way that is impactful for their organizations and also protects the needs of the patients that they serve. So what is the one thing that you want listeners to do as a result of listening to the conversations that we've had over the last three weeks? Ty Aderhold (19:55): Go ask questions of your own organization. Ask questions around who your organization partners with for your marketing and for your consumer data and what information and data your organization gives up in order to have those partnerships. Go ask the questions because I think so many organizations don't even realize they need to be talking about this or questioning sort of the current partnerships and vendors that they're using, and I think that's a huge step one. John League (20:28): I would say take a patient centered approach, take a member centered approach. So many of the organizations that we talk to, Rae, say things like, oh, we're so patient centered and we're so patient focused. If you're really focused on the patient, you need to be their advocate when it comes for the way that their health data is used, full stop. Rae Woods (20:53): Well, John, Ty, thank you so much for coming to Radio Advisory. John League (20:56): Thanks, Rae. It was great to talk. Ty Aderhold (20:58): Thanks, Rae. Rae Woods (20:59): Ty, I am so happy that we will not have you next week, although I will miss you very dearly. Ty Aderhold (21:04): It'll be nice to have a few weeks off before we chat again, I'm sure. Rae Woods (21:07): Before the next time. Ty Aderhold (21:08): Before the next time. Rae Woods (21:14): Look, the most important thing that I want you to take away from the last three weeks of episodes is that you all play a very important role here. And I know that getting used to consumer data and asking interrogating questions about its use is going to be a new muscle for most of you,. But I hope this episode emphasizes how essential it is. And remember, as always, we're here to help. (21:46): If you like Radio Advisory, please share it with your networks. Subscribe wherever you get your podcasts and leave a rating and a review. If you're interested in learning more about how our researchers are thinking about the impact of the Dobbs decision one year later, I want you to go to the link in our show notes. Radio Advisory is a production of Advisory Board. This episode was produced by me, Rae Woods, as well as Katy Anderson, Kristin Myers, and Atticus Raasch. This episode was edited by Josh Rogers, with technical support by Chris Phelps, Joe Shrum, and Dan Tayag. Additional support was provided by Carson Sisk and Leanne Elston. Thanks for listening.