A nonprofit watchdog is asking Louisiana Attorney General Liz Murrill to investigate whether a New Iberia crisis pregnancy center broke state law after it appeared to post the full names, last menstrual periods, and other personal health information of 13 clients online, despite claiming that it follows federal health privacy laws.
In a letter sent to Murrill’s office on Tuesday, the Campaign for Accountability, a progressive group that’s been urging attorneys general to scrutinize crisis pregnancy centers, called on Murrill to investigate whether The Unexpected Pregnancy Center violated the Louisiana Deceptive Trade Practices Act by falsely claiming their clients’ personal information is protected by the Health Insurance Portability and Accountability Act, or HIPAA.
“We hope that by filing this complaint, The Unexpected Pregnancy Center will be admonished or fined in some way, and that this functions as a deterrent for this type of very unfortunate and distressing behavior,” said executive director Michelle Kuppersmith.
She said this is a cautionary tale for women who might visit one of the more than 30 crisis pregnancy centers across the state seeking help.
“We want every woman in Louisiana to know that it is not an actual medical facility that is regulated by the Department of Health and Human Services. And we want this complaint to serve as a warning to those women that they should be very, very careful about sharing their private information in this context,” she said.
The Campaign for Accountability also asked Murrill to investigate whether both The Unexpected Pregnancy Center and Heartbeat International, with which it’s affiliated, violated the Louisiana Database Security Breach Notification Law by posting client information to the internet.
The complaint comes before new tax credits are set to kick in on Jan. 1. The credits will funnel $5 million a year in taxpayer dollars to crisis pregnancy centers that register with the Louisiana Department of Health.
The tax credits are part of the Republican-controlled legislature’s effort to boost support for Christian-affiliated, anti-abortion and anti-contraception crisis pregnancy centers as an answer to women who are forced to carry unwanted pregnancies amidst the state’s near-total ban on abortion. They’ve been rebranded as “maternal wellness centers,” but the centers are not medical clinics and typically do not provide prenatal or postnatal medical care or other routine reproductive health care.
WWNO/WRKF reached out to Murrill, The Unexpected Pregnancy Center and Heartbeat International.
As of this writing, Murrill’s office has not responded to our request for comment.
After it was contacted for comment by WWNO/WRKF, The Unexpected Pregnancy Center appeared to remove part of its privacy notice that directs clients that they can file HIPAA complaints.
"While TUPC apparently made an attempt to scrub its Notice of deceptive statements, it failed to remove two out of three false claims alleging HHS oversight,” Kuppersmith said in a follow-up statement. “For TUPC to direct clients, in a section called 'Our Responsibilities,' to the HHS website to learn more about the standards it claims it is 'required by law' to follow still perpetuates this HIPAA deception in equally strong terms."
Heartbeat International previously told Time Magazine that the data it collects is “secure. Any information that we publish and pull is just numbers, so we’re not looking at any of that [personal] information.”
Client data posted online
For an unknown period of time in the spring, the personal information of 13 clients appeared in a training video for Heartbeat International’s “Next Level” software for managing client information. The data breach was first reported by Abortion, Everyday in May.
The video included the women’s full names, their due dates and last menstrual periods, and whether they received an ultrasound or pregnancy test. At another point, the video showed the breadth of information the center is collecting on its clients: their ethnicity, marital status, where they live and who they live with, their educational background, their employment status and how much money they earn.
The Campaign for Accountability found the video in March. It researched the names of women listed on the training video and found those names matched social media posts for women living in or near New Iberia, which WWNO/WRKF later verified.
Elizabeth Sepper, a professor of health law at the University of Texas at Austin School of Law, said posting that kind of personal information “for everyone to see” in a training video would be “an egregious breach” of clients’ privacy.
Kuppersmith said the video was no longer publicly accessible as of May, but she worried the clients’ information might still be visible to anyone with access to Heartbeat International’s training videos. Heartbeat International is an umbrella organization for crisis pregnancy centers and says it has over 3,600 affiliates around the world. The organization says more than 10,000 people use its training materials.
Kuppersmith is concerned the center’s client data might be routinely shared with Heartbeat International through its database, “but we don't actually know how many people have access to these women's personal information.”
The Unexpected Pregnancy Center’s website does not indicate that it shares data with any other organization.
Instead, its website says that people who come to the center “can rest assured that your visit and any information you share with us is completely confidential.” It also states it “will not share any personal information about you or your visit with anyone outside of our organization.”
Kuppersmith said that may not be true.
“We don't know if that information is being used in a centralized database for tracking purposes. We don't know if they're selling that data for advertising purposes,” Kuppersmith said. “We just want all women to be very aware of what might happen to their personal information once they fill out any forms about themselves at a crisis pregnancy center.”
Privacy claims and HIPAA
On its website, The Unexpected Pregnancy Center posts a lengthy privacy policy that suggests client information is protected by HIPAA.
That’s language people are used to seeing when they visit a doctor’s office, Sepper said.
“I think people rightly expect that healthcare providers are a vault and a sealed vault that keeps their information from getting to the outside world, whether it's in casual conversation or by virtue of a data leak.”
Prior to learning of this reporting, The Unexpected Pregnancy Center stated in its privacy policy that clients can file HIPAA complaints via the Office for Civil Rights at U.S. Department of Health and Human Services (HHS). After learning of this reporting, that language was removed from the privacy notice.
The policy still describes the information it collects about a client as a “medical record” and states that it is “required by law to maintain the privacy and security of your protected health information” while linking to an HHS web page describing HIPAA privacy practices.
But a letter from HHS disputes the claim that the center is covered by HIPAA. The Campaign for Accountability filed a complaint with HHS over the training video. In a letter dated Nov. 26, the Office for Civil Rights said “the requirements of the HIPAA Rules do not apply to The Unexpected Pregnancy Center & Heartbeat International.”
“The Unexpected Pregnancy Center & Heartbeat International does not meet the definition of a covered entity or a business associate,” the letter continues.
The letter suggests many other crisis pregnancy centers — and any Heartbeat International affiliates — claiming to be governed by HIPAA are also making false statements, Kuppersmith said.
The website for Cenla Pregnancy Center, another Louisiana crisis pregnancy center and Heartbeat International affiliate, says it “maintains excellence in operation by being HIPAA compliant.”
The regulatory ‘blind spot’ of crisis pregnancy centers
Crisis pregnancy centers are largely unregulated by state or federal agencies, and they function primarily as charities to offer assistance to pregnant women and people caring for children under the age of 2.
The Campaign for Accountability has asked attorneys general in other states to investigate crisis pregnancy centers over their privacy claims — part of growing criticism of the amount of personal information collected by these centers across the country.
“HIPAA is not a regulatory regime that you can opt in or out of,” said Carmel Shachar, an assistant clinical professor of law at Harvard Law School.
HIPAA only covers health care providers and businesses, such as insurers. But it has developed “brand recognition” that gives people confidence their information will be protected, Shachar said.
Sepper said crisis pregnancy centers could be claiming to follow HIPAA as part of a broader strategy to appear as if they’re legitimate medical clinics.
“They could be telling patients, effectively, your data is secure and we operate according to very high standards of data security,” she said. “What seems equally likely is they are trying to convince people that they are healthcare providers while not being subject to the legal restraints that apply to health care-covered entities under HIPAA.”
In addition to concerns women might have about their privacy and the stigma they could face if their personal information were shared, Sepper said pregnancy information can be used against women in criminal investigations.
A recent report from the reproductive rights organization Pregnancy Justice found that in the first year after the U.S. Supreme Court overturned Roe v. Wade, “at least 210 pregnant people faced criminal charges for conduct associated with pregnancy, abortion, pregnancy loss, or birth.”
Sepper said attorneys general do have a role in protecting consumers from deceptive practices. But if they don’t investigate, Shachar said that leaves a “gray area” of enforcement. It’s what she calls a HIPAA “blind spot” that could be solved by expanding what groups the Office of Civil Rights at HHS can investigate.
“The problem is you're pretending to be a HIPAA-covered entity, and you're not,” Shachar said. “It should be clear that OCR has the ability to police HIPAA impersonators.”
Shachar said in an ideal world, women seeking help at crisis pregnancy centers would understand that these organizations do not have the same legal requirements that medical clinics do.
Instead of providing personal information that they would give to their doctor, they should share the same kind of information that they’d give their hairdresser, “because they don't have any legal obligation to respect my privacy.”