Rapid growth in the use of health and healthcare apps has revolutionized the individual users’ involvement with their personal health. For example, MyFitnessPal allows users to track their nutrition and exercise. Calm and Headspace offer meditation and relaxation tools to support users’ mental well-being. MySugr assists in monitoring diabetes and Medisafe assists with adhering to a medication regimen. Teladoc provides virtual medical consultations to make healthcare more accessible.

However, these apps exist in a regulatory gray area. Unlike hospitals and doctors which are covered entities regulated by the Health Insurance Portability and Accountability Act (HIPAA), many health and wellness apps fall outside the regulatory purview of federal health privacy laws. This loophole has enabled a boom in the data brokerage industry, where personal health data is collected, sold and sometimes even used against consumers.

The following aims to explore the legal gaps that allow non-HIPAA-covered entities to monetize sensitive personal health information (PHI), the role of data brokers who take advantage of this regulatory oversight and potential legal solutions to overcome this regulatory gap.

Health Apps and the HIPAA Gap

Health apps are software applications that are designed for smartphones and mobile devices, offering a range of services from medical diagnosis and symptom tracking to medication management and fitness monitoring. By providing tools for telemedicine consultations and mental health support, health apps enhance accessibility and convenience for users. These apps use and assess health information, but they are not covered under HIPAA, which only applies to entities such as hospitals and doctors, health insurers, and business associates that handle data on behalf of covered entities. Since the majority of health apps do not directly provide healthcare services, they successfully evade HIPAA’s privacy and security requirements. Instead, many apps operate under minimal federal oversight, leaving room for unregulated data collection, weak security protocols and monetization of sensitive user information. Apps created by or for covered entities (CEs), such as healthcare providers or insurers, must comply with HIPAA as they handle PHI. However, apps designed for personal use without CE involvement typically fall outside HIPAA’s scope.

The determination ultimately will depend on its specific use case and the relationship between the app developer, the users, and any covered entities or business associates involved. Developers of health-related apps should carefully assess their obligations under HIPAA and ensure that their app is compliant if necessary.

The Data Broker Loophole

Data brokers collect and sell personal information about consumers from various sources, often without the consumers’ knowledge. In the United States, the lack of comprehensive federal privacy legislation allows these brokers to operate with minimal oversight. Health apps, which fall outside the purview of regulations like HIPAA can legally share or sell user data to third parties like advertisers, insurance companies and even law enforcement. This practice creates a significant privacy gap as users’ sensitive health information can be sold without their explicit consent or awareness. For example, a research team at Organization for the Review of Care and Health Apps (ORCHA) reported that “84% of period tracker apps share data with third parties”, but “only one single app demonstrated best practice by explicitly asking users for permission” to share data with data brokers. The ORCHA report exemplifies how entities can sell users’ location data, reproductive health details and mental health history without violating federal law.

The Federal Trade Commission (FTC) has taken steps to regulate data brokers and deceptive health data collection, though FTC enforcement has had limited effect. For example:

• The Federal Trade Commission (FTC) has taken action against data brokers like Gravy Analytics and Mobilewalla for collecting and selling sensitive location data such as visits to healthcare facilities. Such data sales can lead to unauthorized profiling and potential misuse of personal health information.
• A 2023 FTC investigation found that BetterHelp shared users’ sensitive mental health data with advertisers despite promising confidentiality. BetterHelp agreed to pay $7.8 million to settle charges brought by the FTC. This case highlighted the lack of enforceable federal regulations that would prevent such practices in the future.
• In FTC v. Kochava (2023), the FTC sued Kochava, Inc., alleging it sold precise geolocation data that could identify visits to clinics, mental health facilities and addiction treatment centers. As the Verge reported, “Precise location data from advertising IDs and mobile apps can be used for surveillance that, according to the FTC, puts millions of Americans at risk.”

 

At the state level, California has introduced California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.100 et seq. However, there is no single comprehensive federal law closing this regulatory loophole for data collection and sharing.

Privacy and Security Risks

Health apps are vulnerable to privacy and security risks just like any other computer software. Apps collect data that can be used to violate an individual’s privacy. Health apps like mental health trackers and period trackers also pose serious risks to user privacy and security without effective regulation.

Mental Health Apps Sharing Data

A 2022 study found that many mental health apps lacked encryption and transmitted data to third parties without user consent. Another study analyzing mental health applications made similar findings of negligent encryption and data sharing, which not only breaches user trust but also exposes individuals to potential discrimination or exploitation based on their mental health data. As researcher Joanne Kim highlights, “Health insurance providers… could buy mental health data to discriminately charge individuals for care or discriminately target vulnerable populations with advertisements…Scammers could…exploit and steal from individuals living with mental health conditions.”

Period-Tracking Apps and Reproductive Health Data

Period-tracking apps help users monitor their menstrual cycles but also expose sensitive data (PHI) to third parties, including data brokers. Following Dobbs v. Jackson Women’s Health Org. (2022), concerns over reproductive health data escalated. While some states have shield laws to protect reproductive health data, law enforcement and prosecutors can bypass subpoenas and shield laws by simply purchasing user data like location history directly from brokers, creating a direct conflict between state-level privacy protections and permissible activity on the unregulated data market.

The Need for Regulatory Reform

The exploitation of health data through these loopholes has prompted demand for improved regulations. Advocates including Health and Human Rights (HHR) argue for comprehensive privacy laws, suggesting provisions that require apps to obtain informed consent before curating user data and to disclose how PHI will be used. Accordingly, entities that violate privacy standards would be subject to fines and/or sanctions to deter misuse.

Some states have begun to address these issues by following California’s example of the CCPA. For instance, New York’s proposed Health Information Privacy Act aims to limit tech companies’ control over consumer health data and protect individuals. The New York Act can be found here.

Legal Solutions to Protect Health Data Privacy

The unregulated sale of health data collected on health apps presents serious constitutional and consumer protection concerns. While HIPAA was designed for traditional healthcare entities, it fails to regulate the growing health app industry, leaving millions of users vulnerable.

One proposed solution is federal legislation such as the American Data Privacy Protection Act (ADPPA), which proposes restrictions on the sale of consumer health data at the federal level. This would prohibit data brokers from collecting and selling sensitive health information without explicit user consent.

Another approach to addressing this issue involves amending HIPAA to extend its reach to consumer health applications and digital health platforms. This reform would ensure that companies such as fitness trackers, mental health apps and telehealth services, which all collect health-related data, are subject to the same privacy and security requirements as traditional healthcare entities. Expanding HIPAA’s scope in this way would create uniform standards for data protection and require app developers and tech companies to obtain user consent before sharing health data with third parties. Additionally, it would hold these tech entities accountable for breaches and misuse of sensitive information.

At the state level, legislative efforts have attempted to fill the gaps left by federal inaction. [For instance, California’s CCPA and New York’s proposed Health Information Privacy Act aim to limit corporate data sales but without federal backing, enforcement remains inconsistent.] Laws like California’s CCPA and New York’s similar proposed act grant consumers greater control over how their information is collected and shared and provide consumers with the right to request data deletion and opt out of its sale. However, without robust federal backing, enforcement of state laws is inconsistent across state lines, leading to a fragmented national regulatory landscape. While some states have taken proactive measures to safeguard consumer health data, others lack comparable protections, leaving millions of Americans exposed to potential privacy violations.

Until these regulatory gaps are addressed, health tech companies have the right-of-way to continue operating in a legal gray area. While their data remains free to be taken advantage of, consumers remain at risk of harmful privacy breaches. A combination of federal legislation, state enforcement and corporate accountability is needed to bring health data privacy into the modern era.

What types of health care should be available to citizens? Can state or federal governments restrict access to health care based on gender identity? While these questions may seem relatively easy to answer in today’s legal framework, judicial scrutiny recently turned to whether states may restrict or deny access to gender-affirming care for American minors in the United States v. Skrmetti case. After oral arguments in December 2024, a SCOTUS decision is forthcoming and may alter the legal framework around youth access to gender-affirming care.

Gender Dysphoria & Gender-affirmative Care

The World Health Organization defines gender-affirmative care to “include any single or combination of a number of social, psychological, behavioral or medical (including hormonal treatment or surgery) interventions designed to support and affirm an individual’s gender identity.” This care may be deemed medically necessary for an adolescent depending on age and gender classification. According to the Mayo Clinic, a person whose gender identity differs from their sex assigned at birth can experience gender dysphoria, which may be accompanied by other detrimental physical or psychological complications like harassment, anxiety, depression, and even suicidality. A study conducted by Stanford University School of Medicine demonstrated the importance of gender-affirming care for youths who experience gender dysphoria. This 2015 study, exhibiting one of the largest sample sizes of U.S. transgender adults, indicated that “transgender people who began hormone treatment in adolescence had fewer thoughts of suicide, were less likely to experience major mental health disorders and had fewer problems with substance abuse than those who started hormones in adulthood.”

UCLA School of Law’s Williams Institute shed light on concerning statistics regarding this matter, stating “237,500 transgender youth (ages 13-17) live in states that have passed laws banning access to gender-affirming care or where such a law was introduced or pending in the 2024 legislative session.” More than 75% of the transgender youth in the U.S live in states seeking to restrict access to gender-affirming care, indicating the substantial impact the Supreme Court would have with a decision in U.S. v. Skrmetti.

Senate Bill 1 & United States v. Skrmetti

In 2023, the Tennessee legislature enacted Senate Bill 1 (“SB1”), which facially appears to be a blanket ban on gender-affirming care for transgender youth. The ban may encompass medical care, such as administering hormone therapy and puberty blockers to assist youths experiencing the physical and psychological complications mentioned above. Since the enactment of SB1, litigation commenced on US v. Skrmetti, which will have an impact across the nation. The parents of transgender teens initiated the suit against the Tennessee Attorney General on their child’s behalf. The United States later joined as a party, challenging the ban. On December 4, 2024, the Supreme Court heard oral argumentson the case. The arguments addressed the constitutionality of SB1’s ban, which would prevent those of the LGBTQ+ community from accessing care, as well as the requisite standard of review when determining such constitutional compliance.

The Equal Protection Clause and How it Works

Understanding the Supreme Court’s intermediate scrutiny standard of review and the Equal Protection Clause is necessary to grasp this discussion on the Skrmetti oral arguments. Natalie Wexler’s essay supplied by the Supreme Court Historical Society provides a comprehensive background on the Equal Protection Clause and sex discrimination to supplement this discussion.

Intermediate scrutiny, commonly associated with United States v. Virginia, is a more onerous standard of review that commonly applies to issues concerning gender, a “quasi-suspect class.” When legislation draws lines on the basis of sex, as SB1 allegedly does, intermediate scrutiny applies, and the legislation must have a substantial relation to the achievement of an important governmental objective. With this standard of review in mind, one can better understand the arguments discussed below.

An Understanding of Skrmetti’s Oral Arguments

Skrmetti oral arguments began with statements from Elizabeth Prelogar, the Solicitor General from Washington D.C.’s Department of Justice. Her main point: SB1 makes clear that medications and gender-affirmative care may not be prescribed in Tennessee for the purpose of aiding a transgender youth in living or identifying as a different sex than what they were assigned at birth. Prelogar contends this is a facial sex classification which, upon remand to the Sixth Circuit, deserves a heightened level of scrutiny beyond mere rational relation.

Prelogar was met with several questions from the Justices pertaining to evidence gathered abroad that the harms may outweigh the benefits to gender-affirmative care. Nevertheless, Prelogar remained firm that categorical evidence exists, demonstrating the need for this type of care for youths in individualized cases. Other Justices offered questions about the severe complications with gender dysphoria and addressing suicidality. Ultimately, this led to Prelogar’s strength in pointing out the Tennessee legislature’s failure to show the ban served a legitimate state interest when juxtaposed against the severe health consequences suffered by impacted youths.

Following Prelogar, statements were heard on behalf of the Plaintiffs by Chase B. Strangio. Strangio, a well-respected lawyer for the ACLU with special expertise in the LGBTQ+ rights field, is the first openly transgender person to present oral arguments before the Supreme Court of the United States, setting the stage and breaking barriers for future LGBTQ+ attorneys to follow.

Strangio’s argument emphasized that regardless of what level of scrutiny the Court applies to SB1, whether it be rational basis, intermediate, or strict, the legislation should fail after a court’s analysis because it is “discontinuous” with the alleged state interest of protecting children SB1 purports to advance.

In response to Strangio’s arguments, the Justices expressed similar concerns to the arguments presented by Prelogar. Justice Barrett noted that it is neither common nor the place for the judiciary to delve deep into medical evidence and research. To this, Strangio countered that when a sex-based classification and the Equal Protection Clause are at play, it may be exactly the place, based on precedent, for the courts to examine a state’s tailoring of legislation allegedly meant to further a legitimate state interest.

Further concern surrounded a topic that often arises when debating gender-affirming care, specifically when minors are involved—regret and reversal. However, the evidence on this matter is conflicting, and for these reasons, it will not be discussed here.

Arguing on behalf of Tennessee’s ban and Attorney General Jonathan Skrmetti was Solicitor General J. Matthew Rice. Rice argued that the Sixth Circuit’s decision to reverse the preliminary injunctions, preventing SB1’s enactment, should be affirmed. Rice contended that SB1’s application hinges on medical purpose and has little to do with sex and sex discrimination requiring intermediate scrutiny. He emphasized the uncertainty and harm associated with the gender-affirming interventions discussed in SB1. Finally, Rice put forth the policy argument that politically elected lawmakers are in the best position to address this issue. This long-debated position may gather support from the Justices who had trepidation that it may be beyond the judiciary’s purview to investigate and assess such medical issues.

Rice bolstered his argument that SB1 turns on medical purpose by using the example of puberty blockers. This led to a major point of contention between Rice and the Justices on the verbiage of SB1, which frames the purpose of the legislation as protecting the youth and encouraging them to appreciate their gender assigned at birth. Of course, this exact language may also further Prelogar and Strangio’s argument that a clear, facially sex-based classification is at hand, implicating intermediate scrutiny.

Final Thoughts and What to Expect

A Supreme Court decision on United States v. Skrmetti is expected around June of 2025. A major concern of the Justices is where the constitutional allocation of authority lies, which will play a large part in the Justices’ decision. Will the decision simply determine the level of scrutiny applicable to SB1, with an order vacating and remanding to the Sixth Circuit? Or will the Court go a step further and strike the ban altogether? Sarah Parshall Perry, a Senior Legal Fellow at the Edwin Meese III Center for Legal and Judicial Studies, titled her commentary, “Oral Arguments Indicate SCOTUS Justices Are Likely To Uphold Tennessee’s Ban on Gender Medicine for Minors.” Thus, indicating her belief that the Justices will be swayed by their suspicions regarding experimental care for minors.

SB1 being upheld would have broad impacts. The 75% of transgender youth living in states where bans have either been imposed or pending would likely lose the access that, in their minds and the minds of their parents and physicians, they desperately need.

Concern with the outcome of the decision spans the political spectrum. If this youth ban is found constitutional, it may lead to analogous decisions upholding similar bans for adults as well. Moreover, it may mean that nothing is stopping other branches of government from crafting similar sweeping declarations, executive orders, or bans on certain gender-related health care procedures, and using Equal Protection arguments to uphold them.

While the Nation waits for the Skrmetti opinion, all we can do is speculate and ponder the ripple effect this may have on the future of the Equal Protection Clause alongside the health care system.

The health care sector is increasingly victimized by targeted cyberattacks. The stakes are uniquely high when a health system finds itself at the center of a cyberattack; the consequences can be severe for both the health system and the patients it treats and serves. The problem is well-known, yet a fix has been elusive. Current laws neither sufficiently protect health systems and patients from these attacks nor adequately compensate those harmed. This analysis explores the deficiencies in both current and proposed legislation and explores what more is required to address the growing risks that accompany cyberattacks on health systems.

Cyberattack Basics.

A cyber incident or cyberattack is “an event occurring through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems [or] physical or virtual infrastructure controlled by computers or information systems…” Cyberattack perpetrators seek health information valuable on the black market; such information “contains details that can be used to access bank accounts or obtain prescriptions for controlled substances.”

Between 2018 and 2022, there was a 107% increase in the number of data breaches reported to the Office for Civil Rights (OCR) that affected 500 or more individuals. The number and size of data breaches steadily rose from 2021 to 2023, with 45.9 million records breached in 2021 and 133 million records breached or otherwise impermissibly obtained in 2023.

It is not surprising that recent years have seen numerous, far-reaching health care cyberattacks. The Kaiser Foundation Health Plan, Inc. suffered a cyberattack in 2024 that resulted in a breach of over 13 million records. In 2023, Welltok, Inc. was the victim of a cyberattack resulting in over 14 million records were impermissibly exposed. The top of the list cyberattack is the attack that targeted Change Healthcare, Inc.; over 100 million records were breached.

Holes within Current Laws and Guidance.

Current laws and guidance have been ineffective in quelling the rise of cyberattacks. The Department of Health and Human Services (HHS) has stressed that “there are measures known to be effective to prevent the introduction of ransomware and to recover from a ransomware attack.”

Under the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule, covered entities and business associates must implement measures and procedures “that they believe are reasonable and appropriate to respond to malware and other security incidents.” Although HIPAA is a federal law to which covered entities and business associates must follow, the rise in cyberattacks indicates that HIPAA may need strengthening because cyberattacks persist.

The persistence of successful cyberattacks makes clear that guidance, though helpful, is not enough: legislation is necessary if true reform is the ultimate goal. Because “health care and public health sector assets are increasingly the targets of malicious cyberattacks,” the Healthcare Cybersecurity Act (HCA) of 2022 was an effort to mitigate this prevalent problem. The 2022 HCA was meant to introduce reforms that would revitalize the health care sector. It did not pass, but it was reintroduced in 2024 with additions.

Originally known as Senate Bill 3904, the 2022 HCA requires the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate with HHS to improve cybersecurity in the health care sector. The coordination between CISA and HHS would develop products to specifically meet the needs of health care entities, as well as share information that relates to “cyber threat indicators and appropriate defensive measures.” The Secretary of HHS would be required to provide training to health care and public health asset owners and operators, particularly on cybersecurity risks and how to mitigate them.

The 2022 HCA also emphasized that the Secretary of HHS must update the Health Care and Public Health Sector Specific Plan (Plan); the Plan would include an analysis of the impact of cybersecurity risks, an evaluation of the challenges that the health care sector faces, an evaluation regarding best practices, an assessment of relevant cybersecurity workforce shortages, cybersecurity challenges related to the COVID-19 public health emergency, and an evaluation of the most timely ways that CISA and HHS can communicate and establish recommendations to the health care sector.

Proposed Legislation Will Not be Enough to Safeguard Health Systems.

On July 11, 2024, Senators Jacky Rosen (D-NY), Todd Young (R-IN), and Angus King (I-ME) introduced the Healthcare Cybersecurity Act of 2024. When announcing the bipartisan bill, the Senators cited the Change Healthcare cyberattack as motivation behind introduction of the bill, emphasizing that the attack severely interrupted the functionality of hospitals. The 2024 HCA adds a few provisions to supplant the 2022 HCA.

First, the 2024 HCA calls for the appointment of a liaison with cybersecurity qualifications and expertise. The liaison would be charged with numerous responsibilities, including offering technical assistance on best practices relating to cybersecurity, facilitating cyber threat information sharing, and coordinating with CISA and HHS during cybersecurity incidents, among other related tasks. The liaison must “submit a report that describes the activities undertaken to improve cybersecurity coordination” between CISA and HHS. Ultimately, the liaison is meant to help CISA and HHS coordinate with one another to be able to respond to cyberattacks quickly.

Second, the 2024 HCA would require that the Director of CISA establish criteria to determine what constitutes a high-risk covered asset. A covered asset under the HCA of 2024 is a “healthcare and public health sector asset, including technologies, services, and utilities.” In this context, a high-risk covered asset would be a healthcare asset that may be susceptible to high levels of harm due to its sensitive nature. Further, the Secretary of HHS must develop a list of high-risk covered assets for HHS to use when “prioritiz[ing] resource allocation to high-risk covered assets to bolster cyber resilience.” This section is meant to identify high-risk covered assets so that not only is the federal government aware of their status, but also so that the high-risk covered assets may be prioritized in the event of a cyberattack.

Although some vouch that the 2024 HCA is a “critical step forward in safeguarding our nation’s healthcare infrastructure,” others are unconvinced that the HCA will be as impactful as hoped. Many believe that the 2024 HCA is redundant of actions that are already being undertaken. Steve Cagle, CEO of health care cybersecurity firm, Clearwater, stated that former President Biden’s “National Security Memorandum on Critical Infrastructure, Presidential Policy Directive 41, HHS’s 405d program, and cybersecurity training already offered” all achieve the same initiatives that the 2024 HCA attempts to accomplish. Some argue that what is truly needed is “accountability, email protection, vulnerability management, risk analysis, and experienced security staff to guide programs.”

It seems that those who do not have faith in positive effects of the 2024 HCA argue that, from small-scale organizations to large-scale corporations, basic security controls must be in place first. Without basic controls, federal legislation may not positively contribute to avoiding cyberattacks or even mitigating the risks of cyberattacks.

Conclusion: What Will Work? Will Anything Work?

The health care sector continues to fall victim to the steady rise of cyberattacks that not only disrupt operations, but also affect the patients served. Although the 2024 HCA may be a sign of progress, its impact may be limited without implementation of basic security controls across all sizes of health systems. The Change Healthcare cyberattack illustrates that even a large corporation with seemingly robust resources is vulnerable if it relies on inadequate, reactive security measures.

Although the 2024 HCA strives to curate better strategies in response to cyberattacks, a shift towards proactive security measures within health systems is required to effectuate positive change. Instead of reacting to cyberattacks when they occur, health systems should engage in proactive cybersecurity, where they invest to improve their cybersecurity before an attack occurs. Reactive cybersecurity measures make it more likely that a cyberattack will be successful since adequate security measures are not in place prior to the cyberattack. On the other hand, proactive cybersecurity initiatives anticipate future issues so that an entity is prepared when a cyberattack occurs. Specific examples of proactive cybersecurity measures include workforce training, ongoing risk assessments, third-party risk management, and more. Current law focuses too much on reacting to cyberattacks rather than preventing them. If future law shifts toward a proactive approach, it could better equip health systems to prevent cyberattacks, ultimately improving patient safety and trust. Until foundational measures are addressed, and proactive cybersecurity initiatives are implemented, neither laws nor initiatives, existing or proposed, will be adequate to protect the vulnerable atmosphere that engulfs health systems from the sphere of cyberattacks.

Under the banner of anti-discrimination, recently established advocacy group Do No Harm (DNH) seeks to eliminate diversity initiatives in healthcare. DNH believes that diversity, equity, and inclusion (DEI) practices are plain discrimination against certain demographics of patients, medical students, and healthcare workers, which ultimately harms patient health outcomes. This belief contradicts current healthcare and public health goals of utilizing diversity-conscious practices to promote equity and mitigate disparities in healthcare. Legitimization of DNH’s mission would further politicize equity in medicine and frustrate preexisting efforts to eliminate health disparities.

Background

Retired physician Stanley Goldfarb founded DNH in 2022 to fight for “the elimination of all discrimination in healthcare.” As a national association comprised of like-minded patients, medical professionals, and policymakers, DNH primarily utilizes media, lobbying, and litigation to target pediatric gender-affirming care and DEI practices.

DNH pursues litigation over initiatives like diversity fellowship scholarships, DEI hiring practices, and clinical care practices specialized to meet the needs of racial and ethnic minorities. DNH believes that tailoring healthcare opportunities to racial minorities, women, and other minority groups discriminates against all other “non-minority” groups. DNH grounds its arguments in various combined readings of Title VI of the Civil Rights Act of 1964, Section 1557 of the Affordable Care Act (ACA), and the Equal Protection Clause of the Fourteenth Amendment. These federal provisions prohibit discrimination on the basis of race, color, ethnicity, and sex, and typically resolve cases involving discrimination against a racial, religious, or gender minority. Spurred by changes implemented by the U.S. Supreme Court, DNH wants to use these federal provisions to protect non-minority groups from discrimination.

In the 2023 decision from SFFA v. Harvard, SCOTUS said that “[e]liminating racial discrimination means eliminating all of it”, reinforcing a statement from an 1886 case that the Equal Protection Clause applies “without regard to any difference of race, of color, or of nationality”. The Court held that colleges and universities are now prohibited from considering race as a factor in admissions. After this decision, groups like DNH began filing claims with intent to expand the scope of SFFA v. Harvard to non-university parties, including medical schools and healthcare workplaces.

Like other industries, healthcare evolved over time and gradually implemented diversity-conscious practices to address identified disparities. Medical schools and healthcare employers established policies and opportunities for traditionally underrepresented groups to enter the medical field. Proponents of health equity believed DEI would lead to more accurate, bias-checked medical opinions and treatment decisions, and that a diverse range of physicians caring for a diverse patient population would improve patients’ overall experience and trust in the healthcare system.

DNH discredits diversity initiatives in its own compiled report, which discusses a lack of hard evidence that diversity-conscious practices improve clinical outcomes and “debunks” the methodology of select pro-DEI research. Advocates of diversity initiatives defend the practice by pointing to records of positive subjective patient experiences and a social need to remedy historical inequity in the profession. DNH opposes those exact ideas: first, that diversity in the healthcare workforce results in improved patient health outcomes; and second, that medicine is a practice where equal opportunity matters more than, or as much as, training “the best and the brightest”.

Recent Action by Do No Harm

In March 2024, House Representative Greg Murphy introduced the EDUCATE Act, which proposes a ban on federal funding for medical schools that “force students or faculty to adopt specific beliefs, discriminate based on race or ethnicity, or have diversity, equity, and inclusion (DEI) offices or any functional equivalent.” DNH founder Dr. Goldfarb supported the Act, saying, “If we fail to stop [DEI ideology in medical schools], we risk a generation of physicians ill-equipped to meet the needs of their patients.” Endorsement of the EDUCATE Act reflects DNH’s fear that medical schools are prioritizing diversity and equity over quality medical training, to the detriment of patient health outcomes. The status of the Act has not changed since its referral to the Committee on Health, Education, Labor, and Pensions.

In June 2024, DNH filed a complaint in federal court, challenging a policy of the American Association of University Women (AAUW) that limited eligibility for its fellowship program to women applicants of ethnic minority groups. The court dismissed the case after AAUW agreed to drop race from criteria for consideration of the fellowship. In its August 2024 statement, AAUW acknowledged that “recent Supreme Court decisions have changed how we must fight for equity”, likely referring to SFFA v. Harvard.

In August 2024, DNH filed a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), urging an investigation into the Cleveland Clinic. Since 2019, Cleveland Clinic’s Minority Stroke Program“tailor[ed] treatment and prevention services to Black and Latino patients, including medical referrals and post-stroke care” to address the disparity that “Black men and women are at least two times as likely as white Americans to die from strokes.” DNH alleged that the minority-focused programming violates non-discrimination mandates under Title VI and Section 1557 of the ACA. In September 2024, OCR announced it would investigate the complaint.

Discussion

DNH’s litigation efforts against pro-DEI organizations indicate that any program with DEI initiatives is susceptible to equal protection challenges and discrimination claims. Data, studies, and research in support of one side or the other are frequently met with scrutiny by the opposing side. For example, DNH itself lauded research that “debunked” an influential study on racial concordance and newborn mortality that was often cited by scholars and administrators to justify DEI-conscious admissions at medical schools. The public is adversely affected by apparent discord among medical scholars and health policymakers, with one study attributing a lack of trust in public health agencies to perceptions of political influence within the agency, which risks undermining public health efforts. Further politicization of equity and other healthcare goals frustrates actual progress towards improving health for all.

Updates are slow in this area of health, law, and equity. The ongoing focus and frequency of DNH activity should put organizations on notice to carefully consider existing DEI practices and prepare to either defend or drop diversity-conscious language from any program goals and requirements. Choosing to defend risks the possibility of a court applying the SFFA v. Harvard prohibition on race considerations to this specific healthcare context, or even extending the reach of SFFA v. Harvard to DEI-centered fellowships, research programs, and pipeline programs in every industry, not just healthcare. No court has definitively ruled on the merits of a claim alleging discriminatory diversity-conscious healthcare and medical school programming. Like the AAUW case described above, most cases are dismissed for procedural reasons without judicial comment on discrimination and DEI. However, every lawsuit DNH files against pro-DEI organizations is a step in that direction.

Here in Illinois, DNH has not filed any lawsuits alleging discriminatory practices by healthcare corporations and medical schools. In August 2022, DNH did file an administrative complaint with the Department of Education, Office of Civil Rights (Chicago OCR) against Loyola University Chicago Stritch School of Medicine (Loyola), calling out an internship program that “intended to encourage medical students from racial and ethnic groups that are underrepresented in medicine to consider pursuing a career in academic surgery” in violation of Title VI. Eligibility requirements for the program included the criterion of “African American/Black, Hispanic/Latinx, American Indian/Alaska Native, Native Hawaiian/Pacific Islander”. Chicago OCR dropped its investigation in February 2023 because Loyola removed the contested criterion from its eligibility requirements. Now, the program “invites outstanding students who self-identify as underrepresented in Surgery from a social, economic, or educational perspective” to apply.

In October 2024, DNH Senior Fellow Mark Perry submitted a complaint to Chicago OCR on behalf of DNH against Midwestern University over its dental school scholarship program, which is open to students from “underrepresented minority groups”. According to Perry, the program violates Title VI and is “not legal”. Other than a November 2024 news clip on the DNH site, no further updates are currently available on this matter. Perhaps like Loyola and the AAUW, Midwestern University will eventually rephrase or omit the challenged language from its program requirements.

Other than scholarship programs, minority-focused clinical care and research programs are prime targets for DNH attention. The University of Illinois at Chicago College of Medicine currently runs the Institute for Minority Health Research, which aims to promote research and other interventions to “improve the health of vulnerable minority populations living locally, nationally, and internationally.” DNH could attack the Institute for its apparent catering to “minority populations” over non-minorities, similar to its argument in the Cleveland Clinic investigation.

DNH continues to submit complaints against organizations with DEI practices, condemning claims that minority representation in healthcare contributes to improved patient health outcomes. By pursuing its goal of ending discrimination against non-minorities in healthcare, DNH is polarizing what could be a collaborative discussion on the optimal ways to improve health. “Equity” is now a politicized term rather than a fundamental principle of health and medicine. If any judicial or legislative action legitimizes the goals of DNH and specifically applies SFFA v. Harvard and equal protection to this healthcare context, DEI healthcare and medical programs risk total invalidation —something to keep an eye on in the upcoming years.

Patient privacy is one of the staples of health care, and one that is increasingly posing a major concern to patients. The knowledge that the information is so exclusive and only accessible to a trusted number of people is an essential part of treatment, as it makes patients more willing to share and gives doctors a better understanding of their health. In the wake of the Supreme Court’s ruling in Dobbs vs. Jackson’s Women’s Health Org., there has been growing uncertainty and fear regarding the future of a Constitutional right to privacy, with healthcare being a central issue. More recently, however, patient privacy has faced further challenges: it is being breached through cyberattacks.

In February 2024, Change Healthcare, which is affiliated with UnitedHealth Group, a large scale company with a wide reach across many healthcare sectors across many different sectors of the health-care system, was hacked by a ransomware group. This led to issues with billing. Some providers and hospitals were unable to bill for their services, leading to loss of revenue. Other problems resulting from the cyberattacks including an inability to discharge patients from hospitals and security issues in a world of digitized patient records.

This is not the only example of cyberattacks in the healthcare industry. Also in February 2024, Lurie’s Children’s Hospital in Chicago fell victim to a hack that prohibited hospital staff from accessing patient records and patient-doctor communication. Additionally, the popular ancestry-tracking website 23andMe was hacked in December of 2023. While 23andMe is not necessarily associated with the healthcare industry, 23andMe accounts hold user’s DNA information including family trees and user-health information associated with their accounts, further breaching health privacy.

This raises important questions about how patients can feel safe in continuing to share their information with providers and hospitals. How does a patient know if their information is safe, or will stay safe? Appointments can fall into a routine, where the patient is brought into the exam room to answer questions about themselves and their lifestyle without much thought about what might happen to that information. Some of the questions may seem more related to the appointment than others, but all that information is notated and accessible to the care team in hospital records, more digitally accessible in today’s world than ever before.

There are laws and regulations that physicians must follow in regard to patient privacy, but they may not be enough to instill confidence in patients following the cyberattacks, prevent them from happening, or take the responsibility off of patients’ shoulders. What can patients expect from their healthcare providers, and what do patients have to take upon themselves to protect their medical privacy?

There are a number of authorities that physicians turn to regarding patient privacy, some in the legal field and some not. Under federal law, the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) places several restrictions on the use and disclosure of individual patient information and medical records. Therefore, hospitals and hospital employees are legally prohibited from sharing sensitive patient information (with some exceptions involving public health). Additionally, the Privacy Rule under HIPAA sets criminal penalties for those who unlawfully obtain individually identifiable medical records, so hacking aside, it is possible that there are individual criminal punishments in store if the cyber-attackers are caught. However, this does not provide much quell growing concerns about the safety of patient records, as criminal punishment after the fact does not prevent hackers ahead of time – it only provides possible support after the cyberattack takes place if the hackers are caught and prosecuted.

The American Medical Association (AMA) Code of Ethics has policies set in place to protect patient privacy. The AMA determines that doctors are to notify patients if there is a major privacy breach on their medical records. Therefore, in theory, patients should not have to worry about cyberattacks happening completely without their knowledge. However, this also does not do much to protect patient data ahead of time or give personal legal recourse after falling victim to a cyberattack.

Beforehand, professionals say patients can also monitor their privacy themselves. General security protections can help avoid cyberattacks, like complicated passwords and monitoring medical billing activity can keep them aware. This faces the same problems as the other protections and does not actively give any guarantee of safety or legal recourse if a cyberattack does happen.

In all, with medical privacy and rights being called into question after Dobbs, cybersecurity concerns are escalating fears and insecurity in a digital world. The preventative measures available may only affect the extent of the hack and provide the patient with notice if they are targeted, but there are not sufficient measures and protections ahead of time or legal recovery after the fact. After a cyberattack, patients may feel violated and scared, but the ability to bring a successful lawsuit or see a criminal indictment may be slim. Going forward, patient privacy needs to take priority, and the health law field across the board must take more steps to help digital medical records remain protected in a time where some privacy in healthcare faces an uncertain future.

Illinois and its Health Insurance Coverage for Infertility Treatments

By Gina McCammon

Many people ask themselves, “Do I want children?” And this can lead to a series of related questions like, “How many kids do I want?” “How old do I want to be when I start my family?” “Should I be a parent?” For some, biology is on their side, and they don’t have to worry about fertility. Others must grapple with infertility and confront the possibility that even if they answer “yes” to wanting children, it might not happen, at least not without assistance. With today’s medicinal technology, people who face infertility can look to treatments like fertility drugs, intrauterine insemination (IUI), in-vitro fertilization (IVF), and cryopreservation. However, these procedures can come with a high cost. Now the question is not just how much does raising a child cost, but how much will getting pregnant cost? Depending on the state, health insurance can help cover the cost of such treatments. In Illinois, where does health care coverage stand with reproductive health treatments like IUI and IVF?

Ten to fifteen percent of heterosexual couples are diagnosed with infertility following one year of unsuccessfully trying to conceive. If a couple seeks treatment, they undergo testing to determine the source of the problem (refer to Figure 1). Treatment revolves around the source, if the medical professional can detect one. Options usually include cycles of IUI or IVF. IUI is the placement of specially prepared sperm directly in the uterus. IVF is a more complicated set of procedures that places specially prepared embryos in the uterus. Within those treatments is a lengthy list of steps and requirements to receive the actual service like: pre-IVF screening, physician consultations, egg retrieval procedures, fertilization, etc. They are separated by the chosen clinic into Included Services and Excluded Services, meaning the prices depend on the clinic and the presented prices do not allocate a total cost because unaccounted charges like unexpected appointments and tests are omitted. On top of that, a majority of patients require more than one cycle of treatment according to National Library of Medicine.

Figure 1 sourced from: KFF

For one complete cycle of IVF, it can cost anywhere between $10,000 to $15,000, averaging about $12,000. Again, this does not include the Excluded Services and varies on the clinic and jurisdiction. Thus, patients bear the burden of researching clinics that fit their needs and their wallet. But as noted on the Advanced Fertility Center of Chicago website: “Do not equate cost with quality . . .” A clinic may cost less and their success rate may be lower, but that does not necessarily mean that a clinic that costs more has a higher success rate. Infertility treatments are an investment of time and money, and it’s best to make an informed, educated investment.

Twenty-one states have some infertility insurance coverage laws (see Figure 2); Illinois is one of them. Under Illinois’s plan, group health policies that cover more than twenty-five employees and offer pregnancy-related benefits must provide infertility treatment. Specifications include that the covered individual has been unable to get or stay pregnant, or has not had a successful pregnancy by assistance of less costly infertility treatments covered by the health insurance plan. The covered individual has yet to have four completed egg retrieval procedures and, if they have had a live birth from an egg retrieval procedure, they then have two more egg retrieval procedures available under the coverage. All procedures must be performed at medical centers that follow either the American College of Obstetric and Gynecology or the American Fertility Society vitro fertilization standards.

The Illinois state law for infertility insurance is comparatively progressive and works to ensure that persons diagnosed with infertility are not left to pay completely out of pocket. However, the costs of IVF and IUI extend beyond the coverage available with the Excluded Services, the varying prices of the clinics, the normal need of multiple completed cycles of treatment, and the fact that not every person qualifies for coverage.

Figure 2 sourced from: Resolve

The Access to Infertility Treatment and Care Act addresses this problem for all states. The federal legislation works to enforce group health care plans or health insurance issuers who offer group insurance to follow Illinois’s approach to support infertility treatments. What the proposed Act asks of Congress is to acknowledge that infertility is a medical disease recognized by the World Health Organization, the American Society for Reproductive Medicine, and the American Medical Association. Infertility affects a large number of American citizens. The Act also emphasizes how infertility deserves health insurance coverage because it compares to other serious diseases and conditions covered by health insurance. As the legislation states, “The ability to have a family should not be denied to anyone on account of a lack of insurance coverage for medically necessary treatment.”

Impressively, Illinois has infertility coverage that outshines most of the states. If the Access to Infertility Treatment and Care Act is enacted by Congress (and signed into law by the President), Illinois residents will see an increase in coverage for infertility treatments because the law will extend beyond group health insurance policies with at least twenty-five persons. The bill’s passage would cause an inevitable increase in utilization of IUI and IVF treatments and other infertility treatments because they would become more accessible and affordable to a wider population.

The next possible step to increase access to infertility treatment would be to incorporate infertility coverage into Medicaid. Medicaid reaches a wider number of U.S. citizens and would help lower income individuals access infertility treatments. As of 2024, no state Medicaid program covers IUI or IVF. New York has some coverage for diagnostic services and treatment, while eight other states provide diagnostic services, but no state provides comprehensive treatment according to KFF.

The Access to Infertility Treatment and Care Act prevents drastic variation from state to state and, if it is enacted by Congress, offers the possibility of greater access to infertility treatments and a possible expansion of Medicaid coverage. Increasing accessibility means more people can exercise their right to explore the question of “Do I want children?” knowing that resources are available to them, supported by their health insurance, and with less financial burdens.

Zurawski v. State of Texas

Pro-choice advocates and supporters have been concerned about how the health and wellbeing of women will be affected following the decision of Dobbs v. Jackson Women’s Health Organization. Zurawski v. State of Texas, the first lawsuit brought against a state on behalf of individuals denied abortion care since Roe was overturned, highlights the difficulties women and providers have been forced to endure as a result of these legal changes.

Zurawski was filed by the Center for Reproductive Rights and seeks to clarify the scope of Texas’s medical exception under its state abortion bans. Healthcare providers have experienced confusion regarding when abortion can be legally provided due to ambiguous medical exception requirements, and this has severely impacted the lives of women in need of emergency care. The seven original plaintiffs included five women who were denied medically necessary abortion care, and two obstetrician-gynecologists. Since the outset of the case, a growing number of women have been denied abortion care in Texas, and thirteen more women have joined the case.

Current Abortion Laws in Texas

After Dobbs, a trigger ban went into effect in Texas that prohibited providing an abortion and set out civil, criminal, and professional penalties for abortion providers who violate the law. While this abortion ban has narrow exceptions to save the life of a pregnant patient, it is unclear when physicians are allowed to provide care under the medical emergency exception. Despite repeated requests, the state has failed to provide any significant guidance or clarification to doctors on this issue.

The Texas Medical Board proposed new guidance for medical exceptions in 2024, but reproductive rights advocates were disappointed by the lack of specificity the guidance provided and conditions that could qualify. The Center for Reproductive Rights argues that physicians should be allowed to exercise their own good-faith judgment regarding which patients qualify under the medical exception, rather than allowing politicians to make those decisions. Pro-life advocates, however, argue that doctors could willfully misinterpret the laws, giving physicians greater discretion to open the door to medically unnecessary abortions in non-emergency situations.

The Impact on Women

The lead plaintiff, Amanda Zurawski, was a thirty-five year-old resident of Austin, Texas when she was denied a medically necessary abortion. Amanda’s pregnancy had proceeded without incident until she was diagnosed with an “incompetent cervix” at seventeen weeks. Her physician explained that her baby would not survive because her pregnancy was still many weeks before viability. Amanda was sent home, and her water broke that night. She returned to the emergency room and was diagnosed with preterm pre-labor rupture of membranes. All her amniotic fluid had drained, so the emergency room staff kept her overnight in hopes that she would go into labor on her own. By morning, however, she had not gone into labor, her baby still showed cardiac activity, and she had yet to show signs of acute infection.

The hospital informed her that, under Texas’s abortion ban, there was no other medical care that it could provide. Before Dobbs, a patient in Amanda’s condition would have been offered an abortion given these medical circumstances, but hospital workers were unsure if providing an abortion without acute signs of infection would fall within the emergency medical exception under the state’s abortion ban.

Amanda was told that delivery could take hours, days, or weeks, and her doctor urged her to stay within a fifteen-minute radius of a hospital in case her health deteriorated quickly. Furthermore, the closest legal abortion provider was eleven hours away in New Mexico, so she was unable to travel there.

Amanda spent two days at home grieving her inevitable loss and fearing for her own health. On the third day, she went for a check-up at her obstetrician’s office where her vitals were found to still be stable. On the drive back home, Amanda developed chills and started shivering. At home, she had a temperature of 101 degrees and stopped responding to her husband’s questions: She was showing signs of sepsis.

Amanda’s husband took her to the emergency room, and by the time she was admitted, her temperature had peaked at 103.2 degrees. The medical team confirmed that she was septic, administered antibiotics, and finally decided that inducing labor would not violate Texas’s abortion bans. Amanda delivered the child, and her baby passed away.

By that night, Amanda’s fever had relented, but she had developed a secondary infection, chorioamnionitis, and septic shock. This second round of sepsis required a three-day stay in the intensive care unit for treatment. During this time, her family flew in from across the country in fear that it would be the last time they would ever see her.

Though Amanda was eventually discharged and returned home, her suffering continued. The infections caused severe scar tissue to develop in her uterus and on her fallopian tubes. During a procedure to remove the scar tissue, her physicians were able to clear her uterus and one fallopian tube, but the other fallopian tube remains permanently closed. In order for Amanda to become pregnant again, she was advised to undergo in vitro fertilization, which is invasive and provides uncertain success. Other plaintiffs in this case explained they went through similar experiences due to the Texas abortion bans.

Intersection with Katie Cox Decision

On November 28, 2023, the Supreme Court heard oral arguments on the State’s appeal of the district court ruling of Zurawski. At the hearing, Texas Assistant Attorney General Beth Klusmann said that in order to challenge the law, an actively pregnant woman seeking an abortion would have to bring the suit, even though it was impractical to ask a woman facing a medical crisis to come to court.

The Katie Cox case was filed by the Center for Reproductive Rights a week after the November hearing. Ms. Cox volunteered to be the plaintiff they needed to challenge these laws because she was currently experiencing a pregnancy that threatened her health and future fertility.

At the district court hearing, a lawyer for the Texas attorney general’s office argued that Cox did not meet all the elements to qualify for a medical exception, and that the exception would have to be broadened to include Cox’s condition. The judge, however, disagreed, and granted Cox’s motion to allow her to have an abortion. The judge emphasized that Cox desperately wanted to be a parent, and it would be a miscarriage of justice for this law to cause her to lose the ability to have children.

Within hours after the decision, Texas Attorney General Ken Paxton sent a threatening letter to the hospital where Cox’s physician worked and where she agreed to perform Cox’s abortion. He reminded the hospital that they were not protected from felony prosecution or private lawsuit if they allowed the abortion to occur on their property. Paxton also filed a petition asking the Texas Supreme Court to overturn the district court decision. The next day, the Texas Supreme Court put a hold on the ruling permitting Cox’s abortion. Cox remained pregnant until her condition deteriorated over the weekend, while awaiting a decision from the Texas Supreme Court, and she finally had to leave the state to receive an abortion.

The court eventually held that Cox did not qualify for an abortion in Texas under the medical exception because she was not facing a “life-threatening physical condition” as the law required. The question of what conditions and circumstances constitute a “life-threatening physical condition” remains unanswered, but the Zurawski case provides some hope that this question will be answered.

Criminalization

Under Texas law, physicians can face fines of at least $100,000, up to ninety-nine years in prison, and revocation of their state medical licenses if they are found to have violated abortion the state’s abortion laws. The threat of legal action, combined with unclear guidelines on what constitutes a medical exception, are instilling fear and deterring Texas physicians from performing abortions in cases where the procedure is crucial for treating dangerous pregnancy conditions. As a result, women like Amanda and Katie have experienced severe physical harm and mental anguish.

Contrary to the popular stated purpose of fostering life, abortion bans are making it less likely that women who want children will be able to do so safely and survive their pregnancies. Medical professionals are not able to practice properly and fulfill their ethical duties to patients without facing ruinous risks to their liberty and livelihood. This type of criminalization will only cause more harm to pregnant people, already in a vulnerable position. Without a harm reduction framework and policy changes, these harms will likely continue to escalate.

The state should provide clearer guidelines or allow doctors to have total discretion over medically necessary abortions without fear of prosecution to prevent more women from experiencing pregnancy related trauma.

The Zurawski case is currently pending decision from the Texas Supreme Court and will be decided by June of 2024.

With the rapidly changing landscape around women’s reproductive health in the United States, securing safe and effective birth control has become an imperative for American women. There are a handful of options available to them, including, but not limited to, birth control pills, hormonal patches, and femidoms. However, intra-uterine devices (IUDs) are thought to be the most effective long-term birth control option, as they last for three to five years. IUDs can only be inserted or removed by a healthcare practitioner. The IUD insertion procedure causes moderate to severe discomfort and can be especially painful for women who suffer from endometriosis. Even though an IUD insertion is an invasive procedure, there are no standard pain reduction measures in place. The fear of procedural pain could discourage women from using this birth control method, which would prevent them from benefitting from this otherwise safe birth control method.

Currently, the most common form of pain relief offered to women undergoing IUD insertions is ibuprofen, which is administered pre-procedure. However, another approach that has begun to gain traction is the use of parenthetical blocks, which are nerve blocks used during obstetric and gynecologic procedures. In this procedure, the analgesic lidocaine is administered locally, as an alternative to full anesthesia. However, some clinicians fail to raise the use of parenthetical blocks as an option to reduce pain of IUD insertion. Different women experience pain differently, and this may be due to cultural differences, personal experiences, or prior gynecologic conditions, such as endometriosis. As a result, the pain can often be downplayed by clinicians, exacerbating patients’ fear of pain and reducing their trust in their physician.  Complications can arise if a patient is not informed about the level of pain to expect during the procedure, especially if the patient moves during the insertion. If the patient opts for the use of a parenthetical block during their procedure, they must wait for at least seven minutes for it to be effective. The added time can help to reduce a patient’s anxiety levels, making them less likely to move around during the insertion. While other pain management procedures for IUD insertion are yet to be explored, the use of parenthetical blocks like lidocaine suggests that it is promising.

Pain management in birth control has large social implications in the twenty-first century. Research has shown that Black, Hispanic, and Asian communities face more unplanned pregnancies because they either do not use contraceptives at all, or use less effective methods. A 2008 study out of California found that women with public insurance or no insurance were unlikely to use high-efficacy birth control methods like IUDs or birth control pills. The study pointed to another problem which does not appear in statistics: provider-level knowledge about contraception. When comparing anticipated pain on a visual analog scale against different racial groups, African Americans had a median anticipated pain score of 68 compared to White participants, who had a median score of 51. The study suggested that anxiety surrounding the procedure could be reduced if the clinician advocating for and performing the procedure was able to assure patients and speak to its benefits.

With modern medical advances, it is concerning that a standard pain management protocol does not exist across the country for IUD insertion. While parenthetical blocks are a step in the right direction, most studies suggest that counseling in local clinics will help reduce the barriers to IUD use. A good way to do so would be to incorporate conversations about different forms of birth control in school curriculums at the high school level. Furthermore, making patients aware of all their options regarding pain management should be mandatory for clinicians. Physicians should also clearly communicate the extent of pain a patient should anticipate during the procedure. The hope is that like for other gynecological procedures, a standard protocol for IUD insertion will be implemented soon.

Promising a future of stronger protections and more effective treatment for patients with substance use disorders, the U.S. Department of Health and Human Services (HHS) has modified 42 CFR Part 2 (“Part 2”) to better align with the Health Insurance Portability and Accountability Act (HIPAA). Effective as of April 16, 2024, with a two-year deadline for entities subject to the regulations to comply, the new rule allows health care professionals access to necessary, but previously restricted, patient information and enforces new safeguards to patient privacy.

Part 2: 

The the health care records of any patient involved in substance use disorder programs or activities, including treatment, rehabilitation, and research, that is conducted, regulated, or assisted by any department or agency of the United States. Before the newly enacted modifications, privacy regulations under Part 2 were more stringent than those under HIPAA. These stricter regulations were intended to encourage those with a substance use disorder to seek treatment by decreasing the possible fear of legal or discriminatory repercussions that could result from an information disclosure. In practice, this system made it too difficult for providers to provide effective care, as access to important patient information was restricted. This new rule seeks to increase the privacy of substance use disorder patients while giving health care providers the proper tools to best treat patients with behavioral health challenges.

Key Changes:

1. Consent Requirements

While Part 2 previously prohibited substance use disorder patients’ records from being redisclosed (with few exceptions), under the new rule, substance use disorder patients can provide a one-time, general consent for the future uses and disclosures of their information for treatment, payment, and health care operations. This change will ensure that Part 2 health care providers have access to any and all necessary information when treating those with a substance use disorder, allowing the health care practitioner to view the patient’s entire health history and give a more holistic view of their patients.

Additionally, the substance use disorder information in a patient’s medical record received from a Part 2 program will no longer need to be segregated from the rest of the medical record once general consent is granted. While this change could benefit Part 2 programs by lowering the administrative burdens associated with segregating records, Part 2 providers will need to continue segregating records for patients yet to provide general consent.

In following HIPAA’s protections regarding psychotherapy notes, this general consent under the newly modified Part 2 will not include the disclosure of clinician notes kept separate from a patient’s treatment and medical records during substance use disorder counseling. These notes will require specific consent from the patient due to their special nature.

2. Breaches and Penalties 

HHS has also heightened its enforcement authority by replacing previous criminal penalties for Part 2 violations with the same civil and criminal enforcement authorities that apply to HIPAA violations. This change will greatly increase the repercussions for violating the new rule, as previous criminal penalties were rarely enforced by the U.S. Department of Justice.

Furthermore, Part 2 has adopted HIPAA’s Breach Notifications Rule  and the HIPAA Notice of Privacy requirements. These expanded prohibitions on the use and disclosure of patient records in civil, criminal, administrative, and legislative proceedings intend to reduce patient fear and encourage patient privacy.

While Part 2 continues to prohibit the use of substance use disorder patient information from investigative agencies without permission by court order, the new rule has adopted a Safe Harbor provision, which limits civil or criminal liability for investigative agencies that act diligently and follow certain steps if they find that they have received Part 2 records without court order permission.

By specifying and strengthening penalties under Part 2, HHS has taken a proper step in enduring that the information of patients with substance use disorders will be safeguarded.

3. Patient Requests

Included in the many benefits that substance use disorder patients gain from these modifications is the newly granted right to obtain an accounting of disclosures. From now on, each disclosure that is made with the patient’s consent will include a copy of the consent, and/or an explanation of exactly what the consent allows. In addition to this, patients can also request restrictions on some disclosures, including the option to opt out of communications regarding fundraising. In the event of a Part 2 violation, patients now can file a complaint directly with the HHS Secretary and with the Part 2 program.

Providing Part 2 patients with more rights than previously seen before, HHS has given patients with substance use disorders the chance to see a future with more personal autonomy in decision making, and more power in ensuring that their privacy is protected.

What Does This Mean for the Health Care Industry:

Amidst these new modifications to Part 2, health care organizations and providers will need to prepare for change in an effective and safe matter. To do this, proper training and education will be necessary to avoid any accidental breaches of patient privacy. Additionally, health care organizations will need to update their policies and procedures to comply with these new rules while monitoring patient records to ensure that privacy is protected during this training period.

TikTok, the wildly popular video sharing platform, has an algorithm that will occasionally push a video captioned “Pranking my kid!” or “Parenting hack!” No one watching the video will wonder if the kid(s) consented to filming and sharing their life to the Internet. However, people need to start considering the ways in which an influential online identity impacts a child’s mental health and social development.

Social media revolutionized global connection, information delivery, and creative expression. Many would argue that these sites and apps brought immense good to the world, but social media also introduced new problems. Some parents are profiting by turning their children into social media influencers, a practice that could be damaging to youth mental health. It is difficult to regulate any content, let alone content created by parents featuring their own children. However, it is possible to regulate the labor of monetized child influencers, and this is currently the most accessible approach to curbing harms brought by social media to youth mental health.

In May 2023, the U.S. Surgeon General released an Advisory on Social Media and Youth Mental Health. The Advisory compiled research and statistics on the matter and addressed the benefits of social media use among youths, like building positive community, sharing information, and creating space for self-expression. The rest of the Advisory studied the potential harms of social media use. Exposure to extreme, inappropriate, and harmful content can create risks of fatality, physical injury, body image issues, and low-self-esteem. In addition, excessive use of social media can create risks of insomnia, addiction, attention deficits, depression, and anxiety.

Next, the Advisory identified five groups—policymakers, social media companies, researchers, parents, and youths—and provided recommendations to each group on effectuating maximum benefits and minimal harms from social media, and “creat[ing] safer, healthier online environments for children.”

Recent lawsuits have claimed that the lack of safe, healthy online environments for children is a consequence of profit-motivated social media companies prioritizing engagement over safety. Social media companies have been condemned for the addictiveness of their platforms, including the constant, compulsive engagement of children which has led to negative effects on their physical and mental health. The goal of these lawsuits has been to hold these companies accountable for knowingly, intentionally, and deceptively designing algorithms that harmed youth mental health.

Social media companies certainly hold some of the blame for their part in this crisis, but they are hardly the sole perpetrators. Content creators—particularly parents who monetize videos or images of their children—must also be taken seriously for their role in harming youth mental health beyond the screen.

The U.S. Surgeon General’s Advisory recommends that parents mitigate the potential harms of social media by modeling responsible social media behavior to their kids. However, variation of social media use by parents, caretakers, and guardians makes it difficult to determine exactly what it looks like to “model responsible social media behavior” and protect children from harms.

In her 2017 article entitled Sharenting: Children’s Privacy in the Age of Social Media, law professor and children’s privacy expert Stacy Steinberg addresses the social media behaviors of parents who share content of their children online, using the term “sharenting” to describe this behavior. Sharenting serves as an outlet for parents to express their true feelings on the realities of raising children, particularly the hardships brought on by raising children with chronic mental health or developmental needs. By sharing these stories, parents build supportive communities of similarly situated parents and advocate for greater awareness and education around the raising of children with mental and developmental needs.

The dark side of sharenting lies in parental oversharing that invades a child’s privacy, agency, and safety. Some parents go viral for videos of them disciplining their children, for example, where a child is forced to stand in public with a sign describing his misbehavior. These parents are trying to effectuate behavior changes in their child through public shaming. Once shared, some in the online community approve of the disciplinary video, finding the post entertaining and authentic. However, others point out that this kind of online discipline is disrespectful and humiliating to a child. Unlike traditional offline forms of discipline, a viral video leaves a digital footprint beyond the child’s control.

Parents who share content of their kids with little regard for short-term and long-term repercussions may be just as harmful to youth mental health and development as the social media platforms. While litigation has the potential to protect children from the harms dealt by social media companies, it is a less viable option when the offender is a child’s own parents. Other methods must be used to protect children from their parents’ harmful use of social media.

Steinberg suggests a public health model of child protection. The public health model proved effective with the secondhand smoke campaign, where pediatricians warned parents of the dangers of secondhand smoke and encouraged parents to not smoke around children. When parents continued to do so, some state legislatures enacted laws to prohibit the discouraged behavior. The public health model prevails by identifying a crisis and disseminating appropriate warnings and education to the public, with state legislature available as a fallback measure.

Steinberg proposes a draft of the public health model for protection of youth mental health, organized by the best practices to be advised to the public. It mirrors the Advisory, listing educational points for parents like giving their child veto power over online posting, considering the effect that sharing has on the child’s current and future sense of well-being, and sharing anonymously.

For some parents engaged in sharenting, anonymous posting defeats the entire purpose of sharing because anonymity is counterproductive when the goal is to build a career as an influencer.

Melanie Fineman has discussed commercialized sharenting in her 2023 note Honey, I Monetized the Kids: Commercial Sharenting and Protecting the Rights of Consumers and the Internet’s Child Stars. She argues that commercial sharenting has negative effects on child influencers, or “kidfluencers,” and that more support for regulations of commercial sharenting might be earned by reframing the issue as “foster[ing] misleading content online” or “implicat[ing] child labor concerns.”

Sharenting fosters misleading content because parents often instruct their children to talk and react for the camera in ways that prioritize profit and engagement over authenticity. One mother told her Internet-famous twins to “say Oshkosh!” when asked about their favorite brand at an Oshkosh promotional event, though the twins later indicated they did not know what Oshkosh was. Followers on social media were influenced to support Oshkosh because of the twins’ uninformed endorsement, but the endorsement only occurred because Oshkosh incentivized their mother to do so.

Sharenting also implicates child labor concerns. A kidfluencer’s advertisements or sponsorships on social media could bring is so much money that running the account becomes a full-time job and income source for the parent. Content featuring the child becomes the key to the parent’s commercial success, increasing the risk of parents exploiting their children and harming their mental health.

An apt comparison might be child reality TV stars from shows like Toddlers and Tiaras or even Kendall and Kylie Jenner in their earliest years on Keeping up with the Kardashians. Children develop a different sense of self when they’re put in the public eye from a young age, lacking the agency to control their own image. Dissolving the boundary between portrayed character and personal self puts the child in a position to believe he or she is a commodity in the parents’ eyes, always expected to perform in a money-earning, content-worthy manner and creating pressure, stress, and negative mental health outcomes in the child.

Exploiting a child’s presence on social media for the parents’ financial gain is a difficult issue to address due to legal protection of parental rights. A parent’s right to control and shape their child’s life historically outweighs the child’s rights to privacy or autonomy. Thus, the law is unlikely to compel parents to stop sharenting and grant children autonomous control over their own digital footprints. Limitations also exist in regulating what is posted, rather than who is posting. Steinberg notes that a parent’s social media posts may be considered free speech protected by the First Amendment, and therefore, insulated from state regulation. However, states are permitted to regulate the monetization of a child on social media and mitigate damages of commercial sharenting by approaching the matter as a labor issue.

Fineman describes California’s Coogan Law, which ensures that a portion of money earned by child actors be put in a trust until the child turns eighteen. The intent is to protect children from exploitative employment, where earnings are spent by parents and not the child. It returns a degree of control to the child, diminishing the risk of the child believing he or she is a commodity in the parents’ eyes. Coogan’s Law has since been mimicked in other states like New York, New Mexico, Louisiana, and Illinois.

Illinois is the first state in the nation to pass legislation amending its Child Labor Law to include protections for child influencers on social media. The amended act defines vlogs, family, and online platforms, and mandates that profits from online content featuring a child’s name, image, or likeness must be directed to a trust fund account for the child. Children will have the right to sue their parents for failing to direct profits to the trust fund in violation of the amended Child Labor Law.

The amended Illinois act goes into effect on July 1, 2024, so it remains to be seen whether it successfully mitigates the harms to child influencers posed by commercial sharenting. In the meantime, the public health model could serve as a means of protecting the mental health of child influencers by disseminating education to parents and raising awareness of the privacy, health, and safety risks of sharenting.