U.S. health laws don't always protect abortion information, but new bills could fill the gaps
Here are some federal and state measures that seek to fill in the gaps HIPAA doesn't cover in protecting reproductive health information.
A journalist reports near a crowd of abortion-rights activists in front of the U.S. Supreme Court after the Court announced a ruling in the Dobbs v Jackson Women's Health Organization case on June 24, 2022 in Washington, DC.
Nathan Howard | Getty Images
The Supreme Court's decision to overturn Roe v. Wade last month raised concerns that data collected by tech companies and clinics could be used to criminally charge people who seek abortions or experience pregnancy loss.
Although the federal law known as the Health Insurance Portability and Accountability Act, or HIPAA, protects patient privacy, health-care providers can still be compelled to disclose patient data under special circumstances, such as a subpoena or a court order.
There's also plenty of data that consumers generate in their everyday lives that would not be considered subject to HIPAA and could be used as evidence in court against people who allegedly sought abortions that violate state laws or against their providers. Legal experts note that search history, text messages, location data, and period-tracker apps could all potentially be used in court and in some cases already have been.
While some technology companies, such as Google and the menstrual-cycle tracking app Flo, have announced steps to better protect their users' reproductive health-related data, the security of consumers' data largely remains at the whims of the services they use in the absence of federal digital privacy law.
Still, some states, including California and Illinois, already have digital privacy laws that can help secure consumer data more generally. Additional state-level proposals aim to protect reproductive health data in particular, such as Connecticut's Reproductive Freedom Defense Act. That bill could help fill in some gaps in HIPAA while legislators in Congress continue to push for national privacy protections.
Here is an overview of some current laws and proposals that could protect the information of pregnant people both on and off the internet.
Health Insurance Portability and Accountability Act (HIPAA)
What it does: HIPAA is a federal patient privacy law passed in 1996 that prohibits health-care providers and insurers from disclosing patient information. It is overseen by the Office for Civil Rights within the Department of Health and Human Services.
Generally, HIPAA does not allow abortion clinics or health-care providers to reveal to law enforcement officials whether a person has had an abortion. If the state law prohibits abortion but does not "expressly require" people to report it, an abortion clinic that reports patient information to others would be in violation of HIPAA.
What information isn't protected under HIPAA: HIPAA cannot resolve all privacy concerns related to reproductive rights. According to recent guidance published by HHS, the law allows an abortion clinic to disclose who received an abortion in response to a court order or summons, which could become even more common in the post-Roe era.
HIPAA only applies to certain types of businesses and professionals. It can regulate only health insurers, health-care providers, data clearinghouses and business associates.
HIPAA can't protect some patient information gathered by anti-abortion organizations, such as so-called crisis pregnancy centers, that attempt to attract and redirect abortion-seekers. There are about 2,500 centers across the nation, according to Crisis Pregnancy Center Map, a project led by academics at the University of Georgia.
My Body, My Data Act
What it would do: The My Body, My Data Act is a federal privacy proposal that targets firms that collect reproductive health information. It would require companies to get user consent before collecting, retaining or disclosing reproductive health data unless the data is "strictly needed" to provide a service or product the user has requested. It would also require companies to delete users' information upon request. The Federal Trade Commission would have the power to enforce the regulations.
What gaps it would fill: While HIPAA mainly covers health-care providers, this bill focuses on regulating technology companies and apps that collect reproductive health data.
Rep. Sara Jacobs, D-Calif., a co-sponsor of the bill, told The Washington Post that as it stands, without such a law, it's possible for "a right-wing nonprofit organization [to] buy all of this data from the various period-tracking apps" and pinpoint every user "who should be pregnant right now but is not."
How likely is it to pass? Jacobs seemed to concede in her interview with the Post that the bill is unlikely to become federal law, given the Republican opposition to expanding abortion protections. But, she said, the federal bill could inspire and be a model for state-level actions.
Health and Location Data Protection Act
What it would do: This federal bill, introduced by Sen. Elizabeth Warren, D-Mass., and other Democrats in June, would ban data brokers from selling location and health-care data.
The bill would give the FTC power to enforce the standards around selling health and location information. It would also give state attorneys general and individuals the power to sue over alleged violations. The bill also promises $1 billion in funding to the FTC over the next decade to carry out its work, including the enforcement of this law.
What gaps it would fill: While the My Body, My Data Act mainly deals with the collection of health data, Warren's bill focuses on regulating the sale of location data. The proposal came after Vice reported that data brokers such as SafeGraph were selling location data of people who visited abortion clinics.
How likely is it to pass? The bill would likely need some Republicans on board to have a chance at passing, which is a tall order given the party's general opposition to expanding abortion protections.
State laws and proposals
Pennsylvania's Protection of Pregnant Individuals' Information Act
What it would do: This bill, introduced in May by Democratic state Rep. Mary Jo Daley, would prohibit so-called crisis pregnancy centers from disclosing nonpublic health information they've collected without explicit authorization.
What gaps it would fill: Recent reports have highlighted the data risks involved in visiting a crisis pregnancy center. Some pregnant people seeking abortions don't realize the centers may not offer abortion services and instead try to dissuade visitors from ending their pregnancies.
Federal lawmakers have called on Google to make it clearer to consumers that such centers, which often have websites designed to look like those of abortion clinics, do not offer abortions. Since these centers are often not licensed medical providers and offer free services, they are not bound to federal health privacy laws, Time reported, based on conversations with privacy lawyers.
The Pennsylvania bill could make it harder for these anti-abortion centers to disclose information that otherwise falls in this unprotected area.
How effective would it be? The bill still allows clinics to disclose nonpublic health information without authorization if the clinic is required to comply with national, state or local laws, or a court order or investigation. This could potentially undermine the effectiveness of the protections.
Sanctuary state laws and proposals
What they would do: These types of bills, passed or introduced in several Democratic stronghold states, would make it easier for pregnant people seeking abortions outside of their own states to do so by safeguarding their information within so-called sanctuary states. That means if a person in Texas seeks a legal abortion in Connecticut, for example, it could be harder for Texas authorities to obtain information on that procedure.
The legislation differs slightly from state to state. Generally, these types of bills seek to prevent certain agencies or providers in their states from having to hand over sensitive reproductive health information to another state seeking to prosecute an alleged abortion under its own laws.
Which states have them: Two such proposals that have already been signed into law by Democratic governors are Connecticut's Reproductive Freedom Defense Act and New Jersey's Assembly Bill 3975 / Senate Bill 2633.
Similar bills have been introduced in California, Massachusetts and New York.
What gaps they would fill: As of July 7, nine states have already outlawed abortion, and four states may soon pass laws to ban abortion, according to Politico. Many people in these states may choose to receive abortion services in safe harbor states such as Connecticut while still facing legal risks in their home states.
That means this type of legislation could shield travelers from states that have outlawed abortion from liability for receiving such services in a state that has legal abortion services and safeguard laws.
How effective they would be? While these laws will protect information on legal procedures that happen in the states where they exist, patients who live in states with restrictive abortion laws will still have to be mindful of where else their medical records may be held.
"Imagine that you are in Alabama, and you come to Connecticut and get an abortion, and then you go see any other doctor in Alabama. We're increasingly in a world where your medical record may just kind of follow you back to Alabama," Carly Zubrzycki, a health law professor at the University of Connecticut School of Law, told the Verge.
Also, some of the measures include certain exceptions that could allow information to be handed over. For example, New Jersey's law allows exceptions under valid court orders or in cases where child or elder abuse is suspected in good faith. But in the latter case, it says reproductive health-care services that are legal in New Jersey should not be considered abuse.
WATCH: Bipartisan lawmakers debate new framework for privacy legislation