Reproductive Health and Data Privacy: State and Cross-Border Protections

The U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization (2022) overturned the right to abortion established in Roe v. Wade (1973). In response, some states enacted strict abortion bans, while others strengthened reproductive health and patient privacy protections, including support for out-of-state patients in accessing abortion.

Given the patchwork of state reproductive health and data privacy laws, it’s critical to understand the limits of disclosing protected health information (PHI) and whether your rights have been violated. If you have questions about your reproductive health and data privacy rights, talk to a healthcare attorney in your area if you feel your rights are at risk or if you need to learn more.

Understanding Protected Health Information (PHI)

Protected health information (PHI) is sensitive information that healthcare providers, insurers, and other covered entities are required to protect under the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA establishes strict rules for how healthcare providers, insurers, and other entities handle this sensitive data. PHI can be names, addresses, dates of birth, and Social Security numbers. It refers to any individually identifiable health information, including demographic data relating to:

• The person’s past, present, or future physical or mental health condition
• The provision of healthcare to the individual, or
• Payment for those healthcare services

HIPAA applies to regulated entities subject to the Privacy Rule. Covered entities can include healthcare providers, health plans, healthcare clearinghouses, and business associates.

Limits on Disclosing PHI for Non-Medical Investigations

HIPAA provides robust protections for PHI, but there are exceptions that allow disclosure without patient consent. Scenarios where PHI might be requested for non-medical purposes include:

• Court orders
• Subpoenas
• Investigations related to public health activities
• Cases involving victims of abuse, neglect, or domestic violence
• Law enforcement purposes
• Judicial and administrative proceedings

Data Protection Risks Due to Exceptions

Federal law recognizes that some disclosures of PHI are necessary, without an individual’s authorization. These exceptions can create risks for patients seeking reproductive healthcare in states with restrictive laws.

Texas and Indiana are examples of states where PHI might be requested for legal investigations related to abortion care. Attorneys general in such states may seek to access personal data for enforcement purposes.

At the other end of the spectrum, California and New York have enacted laws to limit PHI disclosures for non-medical investigations. These measures offer stronger protections for patients and providers.

The Office for Civil Rights (OCR)

There are mechanisms in place to protect sensitive health information. The Office for Civil Rights (OCR), a division of the U.S. Department of Health and Human Services (HHS), plays a critical role in enforcing HIPAA.

OCR ensures that the healthcare providers, insurers, and other regulated entities comply with HIPAA’s rules for PHI, and is responsible for:

• Investigating HIPAA violation complaints
• Issuing guidance to clarify privacy protections
• Taking enforcement actions against entities that fail to protect sensitive data

OCR can impose penalties on organizations that improperly disclose PHI, including information relating to abortion care, sexual health, or contraception.

Evolving HIPAA Protections for Reproductive Health Privacy

In 2024, the Biden Administration, through the OCR, released the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Final Rule.

• Purpose of the Final Rule. The Final Rule modified the HIPAA Privacy Rule and sought to strengthen privacy protections for PHI related to reproductive healthcare following the Dobbs decision. The Final Rule aimed to protect patients living in states where abortion is banned and who have to travel to receive care.
• Legal challenges. In 2025, the U.S. District Court for the Northern District of Texas issued an order declaring many parts of the HIPAA Final Rule unlawful and vacated most of it. However, the court did preserve modifications to the Notice of Privacy Practices (NPP) requirements and required compliance by early 2026.
• Current status of the Final Rule. Under the Final Rule, PHI cannot be disclosed by covered entities for purposes such as investigating or imposing liability on people who seek or provide lawful reproductive healthcare. To enforce this, the rule revises NPPs to reflect these protections, among other requirements.
• Actions under the Trump administration. Following the federal court’s decision striking down the regulations designed to protect patients from having their PHI turned over to law enforcement for seeking lawful reproductive care, the Trump administration has taken no action to defend the regulations.

Legal Gray Area for Cross-Border Telehealth Providers

The increasing prevalence of telehealth services has made it easier for patients to access cross-border reproductive healthcare. Patients in restrictive states can seek care from providers in states with broader reproductive care options. This, however, has created challenges for patients and providers facing conflicting state laws.

For example, California, Colorado, and Connecticut are states where providers may face legal risks when offering reproductive telehealth services to patients in states with a high level of reproductive restrictions, such as Texas.

Providers can face potential consequences, including criminal liability and civil lawsuits, if they offer abortion services to a patient in a state with heavy restrictions. Providers must navigate these challenges carefully, which often requires legal advice to ensure compliance with both state and federal laws. And although legal risks are higher for providers, patients in states with strict abortion bans can potentially face legal risks as well.

Protections and Advocacy Efforts

In response to these heightened legal risks post-Dobbs, some states have enacted laws protecting reproductive healthcare data and preventing its misuse in non-medical investigations. These include:

• Shield laws. Statutes, regulations, or executive orders that prohibit entities in the state from cooperating with out-of-state investigations related to reproductive health services.

• Broad health privacy laws. Laws that limit both the collection and disclosure of reproductive health information.
• Laws that prohibit virtual tracking. Also known as a geofence, some states require healthcare systems to implement technological safeguards that prohibit tracking around healthcare facilities.
• Laws governing health information systems. Requiring covered entities to develop technological capabilities that restrict the disclosure of reproductive health data.

Advocacy groups also continue to push for stronger protections and provide resources for patients and providers to safeguard PHI.

Data Privacy Challenges in Cross-Border Reproductive Healthcare

In today’s digital age, social media and digital tools can expose patients’ sensitive data related to sexual health and contraception. Digital tools used in telehealth (apps, online consultations) can create privacy vulnerabilities.

Covered entities must take cybersecurity measures to protect personal data in telehealth platforms. These risks can include:

• Data sharing with third parties, such as tech companies or insurers
• Social media and digital footprints
• Cybersecurity risks

Patients must be educated about protecting their digital privacy. You must avoid sharing sensitive information on social media and understand the privacy policies of telehealth platforms.

How to Report HIPAA Privacy Violations

If you think a HIPAA-covered entity or its business associate violated your health information privacy rights or violated the Privacy, Security, or Breach Notification Rules, you may submit a complaint with the HHS Office for Civil Rights.

Complaints can be submitted online at the HHS website. OCR investigates violations and enforces penalties to ensure compliance with HIPAA rules.

Get Legal Help Today

Healthcare has become increasingly criminalized across the country, and patients must be able to trust that their healthcare providers will keep their medical information private.

Policymakers at the federal and state levels are dealing with the importance of balancing access to reproductive healthcare with robust data privacy safeguards. If you have questions about your reproductive health and data privacy rights, talk to a healthcare attorney in your area for legal advice.