With the U.S. Supreme Court's decision in Dobbs reversing long-standing rights to abortion access, workers and volunteers for reproductive health clinics must reevaluate the risks they face (also known as a threat model) and take steps to safeguard their personal information–including information they have submitted to the government.

In 2020, nearly 17% of abortions performed in the United States occured in California, according to data from the Guttmacher Institute, and that number is projected to grow substantially as California endeavors to become a safe haven for pregnant people coming from potentially dozens of states that restrict abortions. Consequentially, it is also reasonable to expect that anti-abortion activists will continue to use California’s public records laws to obtain and release personal information of health care workers at reproductive health clinics. Public records are among the most common sources of information that lead to doxxing and similar harassment of individuals.

EFF has provided many guides to protecting one's data in the online world. In this new guide, we'll cover how health care workers in California can use AB 1622, a law passed in 2019 that allows them to request protections for the data they must submit to the government from being released under the California Public Records Act. We include a letter template that clinics can submit to government agencies requesting data protection for their employees.

We will also provide information about California's Safe at Home Program, which allows individuals to request a proxy mailing address from the Secretary of State's office that they can use in place of their home address, including on government records.

Balancing transparency and accountability with worker privacy can be difficult when it comes to the certification documents and other records that health professionals must submit to the government. Patients have a right to know whether their health provider is licensed or has faced disciplinary measures for unsafe conditions or other violations. But health care workers also have a right to privacy, and personal information disclosed via public records laws can potentially lead to harassment, violence or other forms of intimidation.

For EFF, balancing government transparency and personal privacy—two of our core mission areas—can also be difficult. In this context, the privacy and safety rights of health care workers are compelling. From both a privacy and transparency perspective, we believe these privacy protections could have been more effectively structured, however we support health care workers exercising their rights under the law as it exists now. We think the public's interest in ensuring transparency into state agencies' oversight of health care facilities is not hindered by these narrow exemptions to public records laws.

Before we dive into the guide, there are two important caveats.

First, these laws generally only protect data that could be released to the public in response to public records requests, although the Safe at Home program does offer additional layers of privacy. However, under both programs, law enforcement agencies would still be able to obtain this personal information through legal process, such as a search warrant.

Second, both of these options require you to be your own best advocate for your rights. That may include multiple follow-up emails and calls to an agency or organization and repeatedly reminding officials of their obligations under the law. 

AB 1622 - An Opt Out in the California Public Records Act

What It Does

AB 1622 says that four specific top-level state agencies dealing with healthcare are not required to provide certain categories of personal information belonging to reproductive health care workers in response to requests under the California Public Records Act. The rub is that these protections are not automatic—the workers have to send a letter asking for their information to be protected from disclosure.

The information covered by the law includes: "social security number, physical description, home address, home telephone number, statements of personal worth or personal financial data filed pursuant to subdivision (n) of Section 62541, personal medical history, employment history, electronic mail address, and information that reveals any electronic network location or identity."

The four agencies are the State Department of Health Care Services. the Department of Consumer Affairs, the Department of Managed Health Care and the State Department of Public Health.  The California Medical Board, Board of Registered Nursing, Physician Assistant Board, Board of Pharmacy, and other health care professional regulatory bodies are part of the Department of Consumer Affairs and therefore subject to this law. We recommend sending an additional letter to the relevant board that is responsible for the health care professional's licensing. 

Who Is Covered 

The text of the statute says that it applies to "employees, volunteers, board members, owners, partners, officers, or contractors" of a reproductive health services facility, which is defined as the "office of a licensed physician and surgeon whose specialty is family medicine, obstetrics, or gynecology, or a licensed clinic, where at least 50 percent of the patients of the physician or the clinic are provided with family planning or abortion services." Contractors include individuals or entities that contract with a facility for patient care services. 

How to Get the Protections

It's worth repeating: these protections aren't automatic. A health worker and their employer must specifically request it in writing via a letter. And the law doesn't make it simple.

  • The letter must be on the facility's official letterhead. 
  • The text of the letter must have the request for privacy protection clearly separated from other text on the page. 
  • The privacy protection request must be signed and dated by both the worker and the facility's executive officer or their designee.
  • The facility must retain a copy of the letter. 

The details are crucial: any misstep in the exact formatting required by the law may mean that the request isn't valid, and thus personal information may be disclosed in response to a public records request or by a court hearing in a public records lawsuit.

We have created a sample letter that we believe meets the requirements of the law, but we can’t guarantee success. Again, you will need to be your own best advocate. We have included the addresses for each of the agencies on the letter, but the letter must be sent to each of the agencies directly. 

The protections take effect once the individual submits the letter to the agency. 

Limitations

These privacy protections aren't guaranteed or permanent.

Like most exemptions to the California Public Records Act, the provisions protecting the disclosure of personal information under AB 1622 are discretionary. This means that the law does not mandate withholding the information, only that the California Public Records Act "does not require disclosure of any personal information." This discretion means that agencies now or in the future could opt not to withhold information.

In addition, the law does allow people to file a public records request for employment history information and, if it is rejected, they can petition a court to release the information. The judge will consider each case individually and can order disclosure of the information if "the public interest served by disclosure of employment history information clearly outweighs the public interest served by not disclosing the information."

When an employee leaves their job, the clinic has 90 days to report the separation to the agencies that received the original privacy protection request. If an employee has worked there for less than a year, their data is only protected for 6 months after they leave. If they have worked there for more than a year, their data can be protected for a full 12 months.

Another potential headache: clinics may find the process here burdensome, especially if they have to manage notifications for hundreds of employees.

EFF did reach out to the agencies named in the law to learn more about how they are carrying out the law. Unfortunately, in most cases we did not receive satisfying responses and if you are seeking these protections, you may need to apply additional pressure. You should be prepared to use this blog post to explain AB 1622 to them. 

Safe At Home - Confidential Mailing Addresses

California has a program that allows reproductive health care workers and patients facing threats to obtain a confidential snail mail address that they can use to protect their privacy.

The Safe at Home Program, also known as California's Address Confidentiality Program, was primarily developed for people experiencing domestic violence or stalking, and that remains the program's primary use, with 72% of the 4,858 enrollees in 2021 applying for that category of protection.

However, reproductive health workers and patients are also covered by the law, and during the pandemic Gov. Newsom issued an executive order to include all health care workers facing threats. 

What Safe at Home Does

If you are accepted into the Safe at Home program, you are given a P.O. Box that is monitored by the California Secretary of State's office and a program identification card. You can use that address instead of your home on a wide matter of official documents, including your driver's license. You can have common types of mail sent to this address, and the Secretary of State will forward them onto you (with a natural delay of course for processing). In 2021, the Secretary of State processed 81,159 pieces of mail on behalf of enrollees.

The Safe at Home program is most effective for people who have recently moved or are in the process of moving to a new address. If your existing address is already out on the internet, the program will be a bit limited in its efficacy.

In addition to confidential mail forwarding, you can also use the address as your agent for process serving and confidential vote registration. State and local agencies are required by law to accept your address, and that includes law enforcement. The exceptions are for birth, death, fetal death, marriage, and divorce certificates, which will still require your home address.

Once you're registered, you may be eligible for services from other agencies, including records suppression at the California Department of Motor Vehicles and the ability to apply for a confidential name change with the California Superior Court. However, these do require separate processes not covered in this guide. 

Who Is Covered

The Safe at Home program is available to reproductive health care service providers, employees, volunteers and patients. The definition broadly includes any "person who obtains, provides, or assists, at the request of another person, in obtaining or providing reproductive health care services, or a person who owns or operates a reproductive health care services facility."

That said, in order to be eligible for the program you need to be comfortable attesting–and have a facility operator who is willing to attest–that you or the facility has received violent threats or acts within the last year and that you fear for your safety. While applicants are encouraged to provide documentation of these threats, the agency does not mandate it. Proof of employment, however, is required.

If you have experienced stalking, you can apply for the program without invoking the reproductive health care-specific requirements.

How to Get the Protections

To use this program, you must apply through a Safe at Home designated enrolling agency. Because this program primarily serves people who have experienced domestic violence or stalking, the enrolling agencies are largely victim's services providers, including many private non-profits. A list is available here. While these agencies have been offered training on how the law applies to reproductive health, you may find that you need to explain the process or insist upon the individual case worker follow the legal requirements.

Unfortunately, the Safe at Home program is not free. There is an application fee of $30 for reproductive health care workers plus an annual $75 fee for the service. These fees do not apply to reproductive health care patients or their families. 

Key Points As You Spread the Word

When sharing this information with others in the reproductive justice space, there are a few key points to convey to reproductive health audiences.

Both the California Public Records Act privacy protections and the Safe at Home program are limited in their scope and do not provide comprehensive protection for people. It's worth reiterating that these two protections are not effective in preventing government agencies from using legal process to access personal data to enforce abortion bans. In addition, the efficacy of these programs depend on the competency and the will of the people administering the programs. We can't say this enough: applicants must be prepared to advocate for themselves and to educate government officials.

These protections do not impact the huge amount of digital data that a person generates every day with their devices and through their online activities. Reproductive health professionals should take additional steps to protect their privacy, and we've provided some digital security tips specifically tailored for abortion support providers.

If you are presenting this guide in trainings, you should recognize that these measures are laden with bureaucratic hurdles. For example, the Safe at Home program requirement that you meet with a victim's assistance counselor at a designated facility adds an additional layer of red tape and travel that may discourage applicants, especially those living in rural areas. The administrative costs also may be prohibitive for some people.

With that in mind, these options may be useful to people facing extreme risk models, particularly stalking, doxxing, and online threats. However, doxxing often happens before a person realizes their threat model is severe. You may also find our general guide on mitigating the risk of doxxing helpful.

However, both of these systems are currently underutilized, and it may require a number of new applicants to turn up flaws in these programs.  If you encounter problems or have advice on how to improve these directions, please email dm@eff.org.

Relevant Links:

  • 1. "Statements of personal worth or personal financial data required by a licensing agency and filed by an applicant with the licensing agency to establish their personal qualification for the license, certificate, or permit applied for."