Out, Not Outed: Privacy for Sexual Health, Orientations, and Gender Identities
Co-authored by: Judy Wang (FPF Intern), Jeter Sison (FPF Intern), Jordan Wrigley (FPF Data and Policy Analyst, Health & Wellness)
On National Coming Out Day, it’s important to recognize that Coming Out is a rite of passage for many LGBTQ+ individuals and a decision that they should be empowered to make for themselves.
Protections for health information are essential to ensuring the autonomy of an individual in choosing how to come out, to whom, and when. A person’s health information may facially reveal their sexual orientation and gender identity (“SOGI”). Alternatively, a person’s health information may not specifically include SOGI information, but SOGI information may be inferred or extrapolated from other health information, especially in a personal profile that includes many different data points.
Opportunities for Health Data and Services for LGBTQ Individuals
While uses of health data may carry heightened risk for LGBTQ+ individuals, it is also particularly critical for those same individuals to have access to safe, secure, and practicable physical and mental health services. A poll by LGBT Tech shows LGBTQ+ individuals use online and digital health resources extensively to navigate information and access to healthcare. The National Coalition for LGBTQ Health has found that “LGBTQ people are more likely to report poor physical and mental health than the general population, including increased incidence of HIV and other sexually transmitted infections (STIs), long term conditions such as arthritis and chronic fatigue, and elevated risk of depression, anxiety, and other mental illness.” In addition, LGBTQ+ youth have been found to face heightened risks for mental health issues, and are 300% more likely to suffer from symptoms of depression. Unfortunately, at the same time, LGBTQ+ adults are twice as likely to report having experienced a negative health care interaction.
To address these health disparities, researchers have stressed the importance of collecting additional health information, including SOGI information. In addition, where LGBTQ+ individuals do not have local access to equitable health care resources, connected devices and services may provide new capacity for individuals to obtain valuable information about their health questions, engage with healthcare professionals, and even receive important physical and mental treatment.
Specific categories of tech services and applications have been found to play an increased role in addressing the health and wellbeing needs of LGBTQ+ individuals. Some of these include:
- Mental health services: Through social media and mobile applications, the internet has been able to help connect LGBTQ+ people to accessible and appropriate LGBTQ+ mental health care. Platforms like National Queer & Trans Therapists of Color Network and LGBTQ Therapy Space connect LGBTQ+ people with specialized mental health care, resources, and community support. Mental health apps oriented towards the LGBTQ community provide a virtual format for accessing specialized, culturally competent healthcare.
- Gender-affirming online care: With half of all U.S. states having passed bans on gender-affirming care, now more than ever, safe and private ways to access gender-affirming care online are needed to protect the rights of transgender Americans. 39% of U.S. transgender youth live in states that have passed bans on gender-affirming care, preventing them from accessing medically necessary care and worsening the stigma and discrimination against all transgender youth and people.
- Dating & connections services: Dating and connections apps often play a crucial role in connecting LGBTQ+ users, especially in situations where it may be unsafe to do so in person. Compared to 28% of heterosexual adults who use dating apps, 50% of lesbian, gay, and bisexual adults have reported that they use dating apps. These apps have also provided an essential way for LGBTQ+ people to share and connect with others who face similar health challenges. For instance, HIV-positive LGBTQ+ people may use dating services to connect with other people living with HIV, a community of people who often face stigma while dating and in general.
Health Data Risks for LGBTQ+ People
While online health and wellbeing services can offer a lifeline to many LGBTQ+ individuals, they can also create new risks. For instance, improper uses of health information related to sexuality may undermine the autonomy of an LGBTQ+ individual. According to an article in the Oregon Law Review, data usage related to sexuality can result in pop-ups on an individual’s phone, creating worry and concern about potentially outing an individual in public or quasi-public situations. LGBTQ+ individuals are not always able to be safely out in public settings, with potential harms including impacts on employment, loss of housing opportunities, or jeopardization of personal relationships.
These risks have increased as certain U.S. states have pursued and enacted laws to undermine the rights and freedoms of LGBTQ+ people and communities. Efforts to restrict gender-affirming care have gained traction in several states, and lawmakers in Oklahoma, Texas, and South Carolina have proposed legislation to prohibit such care for transgender individuals up to the age of 26. Additionally, multiple states have implemented policies barring the use of Medicaid or other state-sponsored insurance for gender-affirming treatments, regardless of the patient’s age.
New Legal Protections for Health Data
When collected inside a health care environment, such as a telehealth service, health data, including SOGI information, is subject to protections under the Health Information Portability and Accountability Act (HIPAA) and related laws or regulations. However, these protections do not extend to similar information collected outside of that context. Filling that space, eighteen U.S. states (as of the writing of this post) have passed comprehensive privacy laws that apply more broadly, and each of them includes “sexual orientation” as a category of sensitive data or sensitive personal information subject to special protections. However, of these 18 laws, only one (Maryland) affirmatively includes “gender-affirming treatment” in its scope of sensitive information, although three of the states (Oregon, Delaware, and New Jersey) do explicitly include “status as transgender or non-binary.”
In addition to comprehensive privacy laws, two states have implemented health data privacy laws – Washington (My Health, My Data Act (MHMD)) and Nevada (SB 370). Both laws have definitions for “consumer health data,” and include a non-exhaustive list of qualifying categories of information, including “gender-affirming care” information. Additionally, both laws define “consumer health data” as “health information derived or inferred from non-health data,” which could include data usages that unintentionally reveal information about a user’s sexual orientation or gender identity.
At the federal level, the Biden Administration has initiated the Federal Evidence Agenda on LGBTQI+ Equity, directing the collection of SOGI data in federal surveys and forms. The Federal Evidence Agenda on LGBTQI+ Equity follows the recommendation of implementing appropriate security and privacy safeguards with “Guideline 1: Ensure relevant data are collected and privacy protections are properly applied.” However, without comprehensive privacy legislation at the federal level, there is a lack of guidance regarding collecting and sharing data while protecting user privacy.
Additionally, in 2024, the U.S. Department of Health and Human Services (HHS) issued a rule designed to prevent discrimination based on gender identity or sexual orientation by healthcare providers and insurers that receive federal funding. Unfortunately, recently, a federal judge in Mississippi issued a preliminary injunction against the rule, citing the Supreme Court’s decision to overturn Chevron deference to administrative agencies. A recent Supreme Court decision also blocked the enforcement of a new rule from the Biden Administration that would protect transgender students from discrimination in education. The new rule included sexual orientation and gender identity within its discrimination protections for the first time.
Current best practices and recommendations
It is imperative for the collectors of health data about LGBTQ+ individuals, and in particular sexual orientation and gender identity (SOGI) data, to work toward a safer and more equitable use of SOGI data with meaningful privacy safeguards in mind.
SOGI data is inherently complex. Given its revelatory nature, SOGI data should be treated with heightened sensitivity. In 2022, FPF and LGBT Tech published a report on the Role of Data Protection in Safeguarding Sexual Orientation and Gender Identity Information. Organizations should apply regulatory safeguards robustly and approach SOGI information with appropriate care and respect for its contextual sensitivity. This can be done, for instance, by requiring consent for the use and collection of SOGI data and considering limitations before data is sent to third parties, particularly if it will make that data publicly accessible in a way that could increase the risk of outing someone. Organizations should implement appropriate security and privacy safeguards to protect any SOGI data in proportion to the sensitivity of the underlying data. They should also note that the sensitivity should be considered individually and in the community context.
Additional reports provide more information and can increase knowledge and understanding of the challenges and risks associated with the collection and use of health information for LGBTQ+ people. This includes a 2024 report by LGBT Tech that recommends that platforms adopt multifaceted strategies that prioritize user protection, inclusivity, and community empowerment. Also relevant is a 2022 research brief from the Center for Democracy and Technology, which explains how LGBTQ+ students are increasingly targeted by policies and practices that threaten their privacy in schools, with 29 percent of LGBTQ+ students reporting that they or someone they know has been outed by school-sponsored monitoring technology.
Conclusion
Coming Out Day is about having control over information. The decision to come out should be up to the discretion of the individual coming out. On Coming Out Day, and every day, robust privacy and data protection rules, policies, and practices are crucial to empower LGBTQ+ people to decide when and where to share their SOGI data.