Telemedicine Data Privacy and the Mifepristone Debates
By Katie Gu
Mifepristone’s shifting legal terrain may soon raise new privacy considerations regarding telemedicine data collection, security, and disclosure.
The Mifepristone Debates
Mifepristone is the first medication of a two-part drug regime that accounts for approximately half of legal abortions in the United States. Since its original U.S. Food and Drug Administration (FDA) approval in 2000, mifepristone generally has remained available under specific conditions of use defined under its Risk Evaluation and Mitigation Strategy (REMS) Program.
During the pandemic, changes to mifepristone’s REMS requirements allowed increased prescription access in some states via telemedicine and mail dispensing. For example, in December 2021, the FDA permanently lifted its general in-person dispensing requirements for mifepristone.
New challenges to nationwide mifepristone access were introduced this year. On April 7, 2023, Judge Matthew J. Kacsmaryk of the Northern District of Texas issued a preliminary ruling invalidating the FDA’s original approval of mifepristone. On the same day, Judge Thomas Rice of the Eastern District of Washington issued a directly opposing ruling ordering the FDA to make no changes to the availability of mifepristone. Five days later, the United States Court of Appeals for the Fifth Circuit reinstated significant restrictions against mifepristone access (e.g., reinstating requirements for in-person dispensing and preventing mail dispensing). In the latest chapter, the U.S. Supreme Court granted a full stay on Judge Kacsmaryk’s ruling on April 21, allowing mifepristone to remain on the market under existing FDA regulations until at least May 2023.
Federalism Issues
Beyond federal regulations, state laws and medical board regulations also affect the availability of mifepristone via prescription and dispensing requirements.
While some states have direct telemedicine abortion bans, other states have introduced different forms of telemedicine abortion restrictions. For example, several states (including Florida and Ohio) require an in-person counseling requirement prior to mifepristone prescription. Others (including Arizona) require at least two in-person visits prior to prescription. Further, a state’s Medical Practice Act, Medical Code, and Medical Board Position statements may also contain regulations and provisions governing the practice of telemedicine.
Conflicts between state restrictions on telemedicine abortion and FDA REMS guidelines will soon lead courts to assess preemption challenges regarding mifepristone access, prescription, and dispensing guidelines.
Telemedicine Privacy Implications
Amid ongoing mifepristone debates, new data privacy considerations will soon arise for patients seeking, physicians prescribing, and telemedicine platform companies facilitating telemedicine abortion.
The legality of telemedicine abortion is subject to the telemedicine laws of the patient’s state, rather than that of the health care provider. Currently, several states specifically require the authentication of a patient’s location prior to the provision of telemedicine. Others only require the verification of a patient’s location, while others simply require the authentication of a patient’s general identity (without specific reference to a patient’s location). These requirements may help protect physicians from liability in circumstances where patients may misrepresent their physical location in a state with telemedicine abortion restrictions in order to gain access to mifepristone.
Privacy policies surrounding the collection, monitoring, and disclosure of user location data will play an increasingly important role in assessing telemedicine provider liability. Most telemedicine consultations use cloud-based communication platforms for providing services. Private exchanges between providers and patients on telemedicine platforms generate data that can be monitored by or disclosed to third parties upon request. Telemedicine platforms generally disclose their data collection and usage policies via company Privacy Policies, Privacy Statements, and/or Terms of Service. For example, Zoom’s February 2023 Privacy Statement states that it collects user “IP address (which may be used to infer general location at a city or country level)” which can be used to comply with applicable law or respond to valid legal process. In other words, Zoom’s user location data can likely be used for investigations of potential violations of telemedicine regulations as stipulated by state law or state medical board regulations. Similarly, Teladoc Health’s Privacy Policy states that the telemedicine platform collects a user’s IP address automatically, which can be used to respond to law enforcement requests and court orders.
Calls to safeguard patient privacy might advocate for data anonymization and the limitation of data collection, retention, and disclosure. However, these advocacy efforts may conflict with new state laws requiring patient authentication or location verification prior to the delivery of telemedicine.
Thus, patient location data will likely become increasingly relevant to the enforcement of state laws and regulations of telemedicine abortion. The mifepristone debates add renewed urgency to conversations surrounding data privacy, telemedicine, and reproductive healthcare post-Dobbs.