Ciox is helping providers navigate how to protect reproductive data privacy

Reproductive data is scattered throughout a patient’s medical record, with few ways to automate processes of redacting sensitive information.

Why it matters: Following the Dobbs decision, US health care providers are scrambling to respond to varying state regulations around reproductive freedom, and figuring out how to best protect patient data.

The bigger picture: Ciox, a major player in health information management, is counseling providers on how to navigate various regulatory environments, says chief privacy officer Elizabeth Delahoussaye.

  • Some states, including Delaware, Connecticut, New Jersey and California, have enacted legislation protecting reproductive health information.
  • Many of those laws forbid the release of abortion records, protect people from extradition for criminal charges related to abortion, and establish the states as not subject to other states’ abortion regulation.
  • Delahoussaye says she expects similar legislation in Colorado, Hawaii, Illinois, Maine, New Mexico, New York, Oregon, Rhode Island and Washington.

Yes, but: The regulation is somewhat broad — and doesn’t necessarily account for every piece of reproductive data that might be lurking in the corners of an EMR.

  • Doctors often ask patients about reproductive health during routine checkups like a colonoscopy — inquiring whether a patient has ever been pregnant, how many times, and how many live births they’ve had, Delahoussaye says.
  • “Hypothetically, I say, listen, I’ve been pregnant twice, but I’ve only had one live birth,” she says. “OK, now we have to dive into ‘Well, what happened with the other pregnancy?'”
  • Patients taking medications that have both reproductive health and other health uses could also see that data taken out of context, she says.

Zoom in: Take Oklahoma, which has banned abortion except in cases of rape or incest.

  • To receive an abortion, patients must file a police report, which is given to the provider so they can perform the procedure.

  • “The question becomes where does that police report go?” Delahoussaye says. “How do you keep it in the EMR?
  • “If, for some reason, it gets questioned as to whether or not the provider had permission to do this, they can pull that information out,” she says.

Between the lines: Redacting potentially sensitive reproductive health data is a manual process, though Ciox is looking into developing technology that may automate the workflow, Delahoussaye says.

  • The process of sorting and redacting data requires expertise and constant attention to ever-changing legal frameworks, Delahoussaye says.
  • Providers should ensure patients are familiar with HIPAA’s Patient Right of Access, designed to give patients more ownership over their medical records, allowing them to restrict or decline to authorize release of certain data.

The bottom line: “Reproductive health isn’t in a box. It’s all over that medical record,” she says.


Leave a Comment