Data Protection

Health and Reproductive Privacy

Background

Health privacy and reproductive privacy implicate some of our most sensitive information that can reveal intimate characteristics about us.

Since the creation of the Hippocratic Oath around 400 B.C., protecting the privacy of patients has been a key component of the physicians’ code of conduct. However, over time, health information use has expanded into many organizations and individuals who are not subject to medical ethics codes, including employers, insurers, government program administrators, attorneys, and others. Additionally, advancements in technology have given rise to fitness trackers, wearable devices, extended reality technology, and other new gadgets that collect, process, and make inferences relating to health information. Data brokers use opaque algorithms to build profiles on individuals, including using health information. There are few settled rules regarding the sharing and use of health data collected and used for these purposes. 

As the use of health data has spread across more industries and technologies, regulatory protections for this highly sensitive and deeply personal information have grown fragmented and complex. For example, there are some protections that apply only to information held by government agencies, and others that apply to specific groups, such as school children. Some protections also apply to specific medical conditions or types of information, such as information related to HIV/AIDS or substance abuse treatment. 

The Health Insurance Portability and Accountability Act (HIPAA)

The first comprehensive set of federal regulations regarding health information, the Health Insurance Portability and Accountability Act (HIPAA), came into effect in April 2003. HIPAA includes portions dedicated specifically to the privacy and security of health data. The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the “federal floor” of privacy protection for health information in the United States, while also allowing more protective state laws to continue in force. Under the Privacy Rule, protected health information (PHI) is defined very broadly. It includes individually identifiable health information related to a past, present, or future physical or mental health or condition, the provision of health care to an individual, and the past, present, or future payment for the provision of health care to an individual. The rights of an individual related to their PHI include:

  • Right to access, inspect, and copy PHI held by hospitals, clinics, health plans, and other “covered entities,” with some exceptions
  • Right to request amendments to PHI held by “covered entities”
  • Right to request confidential communications of PHI, e.g., having PHI transmitted to a different address or a different telephone number
  • Right to request restrictions on uses or disclosures, although the “covered entity” receiving the request is not obligated to agree to the request

In addition to the Privacy Rule, the complementary Security Rule includes standards for the protection of health information from misuse. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 also introduced modifications to the HIPAA standards. For one, the HITECH Act created a breach notification program for unsecured, electronic PHI. In April 2024, The Department of Health and Human Services published a final rule this week strengthening privacy protections for reproductive health information. The rule extends the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by prohibiting regulated entities from using or disclosing personal health information for the “mere act of seeking, obtaining, providing, or facilitating reproductive health care.” This is an important reproductive privacy safeguard for millions of Americans, particularly in the wake of the U.S. Supreme Court’s decision invalidating the constitutional right to abortion in Dobbs v. Jackson Women’s Health Organization. As EPIC wrote in its comments to HHS, the collection and misuse of reproductive health information post-Dobbs can expose people to undue criminalization under newly-enacted state laws and deter others from seeking reproductive health services even where they are legal.

While these standards provide some protection for individuals, they are also limited in scope. HIPAA only applies to entities providing medical services, so several entities using health information for other purposes are not covered. 

REproductive Privacy

The right to make reproductive choices about one’s own body—free from commercial or governmental interference—is inherent to one’s dignity and autonomy. The Supreme Court’s reversal of the constitutional right to an abortion in Dobbs v. Jackson Women’s Health Organization and state legislative efforts to limit abortion access are all the more harrowing in light of the technological realities of today: a huge data broker industry that sells our location data and most sensitive information to private and government purchasers alike. The data broker industry also uses secret algorithms to profile nearly every person in ways that undermines their decisional and reproductive privacy. EPIC has worked for decades to defend privacy rights online, and will continue its advocacy in the face of the coming challenges. See EPIC’s statement about the Dobbs decision here

Law Enforcement Access of Personal Information Threatens Criminalization and Stigmatization

Criminalization and stigmatization related to pregnancy outcomes and abortion is not a new concept. However, in the immediate wake of Dobbs, these efforts were turbocharged: trigger laws criminalizing abortion for the patient and/or the provider went into effect, and many states began to enact new laws or enforce existing criminal laws against people seeking abortion care or even experiencing a miscarriage. Some states enacted statutes that permit private parties to seek civil penalties against abortion providers and others who may help a person seek or obtain an abortion. On a national level, an anti-abortion group sued the Food and Drug Administration to severely restrict access to mifepristone, a commonly used medication to end a pregnancy. Unfortunately, our lack of digital privacy protections only intensifies these ongoing, dangerous efforts to criminalize and limit access to abortion and reproductive health care.

In the current digital age, law enforcement, prosecutors, and civil litigants have unprecedented access to incriminating information about pregnant people. Relevant data collection can come from search query histories, health and fitness apps, period tracking apps, and many other sources. Location information recorded by an app on a cellphone can be particularly incriminating, revealing that a person visited an abortion clinic or left a state to seek abortion care. Pregnancy status and health information can also be inferred from analyzing seemingly innocuous data points, like information from an online grocery order, or hovering a cursor longer than usual on a certain video.

Law enforcement can access this data in multiple ways. As people are constantly tracked online and seek information from search engines and social media, they develop a detailed digital footprint. Law enforcement can seek to obtain these records through normal legal processes like a subpoena or a warrant. There are some federal laws that restrict disclosure of certain types of information like health information in the Health Insurance Portability and Accountability Act (HIPAA), financial information in the Gramm-Leach-Bliley Act, and certain telecommunications information in the Stored Communications Act. However, these laws all have exceptions for law enforcement, leaving covered entities responsible for responding to criminal investigations, warrants, and sometimes civil subpoenas. Outside of legal processes, law enforcement can purchase data from data brokers on the largely unregulated open market. Data brokers can use machine learning tools to analyze large pools of data for inferences or correlations that reveal pregnancy status or abortion-related information. While data brokers may typically compile or sell this information for targeted advertising purposes, there is nothing stopping law enforcement, or private persons initiating civil lawsuits against abortion providers, from purchasing this information as well.

Digital privacy for pregnant people or anyone seeking reproductive health care has become extremely consequential. For providers and patients, the effects of criminalization are severe. In addition to actual imprisonment, there are social and financial consequences to having a criminal record or fines, and for providers, the potential revocation of their medical license. Because even the threat of these consequences is so serious, doctors cannot provide abortion care or treatment related to miscarriage in many states. As a result, pregnant people or people seeking reproductive health care suffer severely limited health care options.

Data Brokers Collect, Process, and Retain Information that Harms Abortion Seekers

Commercial and government entities collect vast amounts of personal information about individuals, including location data. Location data can reveal the most sensitive characteristics about a person, including: religion, sexual orientation, sexual activities, gender identity, health conditions, union membership, and political affiliation. Phones and devices generate location data which is collected by various entities and may be sold to data brokers, advertisers, or the government. Data brokers use secret algorithms to build profiles on every consumer based on their online activities, often without the consumer’s knowledge. Using profiles to target advertisements to pregnant people is not new. For example, Target reportedly sent maternity and pregnancy related advertisements to a teenager before she told her family she was pregnant. As the article, Target Knows You’re Pregnant, explained “all Target customers are assigned a Guest ID. Associated with this ID is information on ‘your age, whether you are married and have kids, which part of town you live in, how long it takes you to drive to the store, your estimated salary, whether you’ve moved recently, what credit cards you carry in your wallet and what Web sites you visit.’” Analyzing this data, combined with a customer’s purchase history, could produce a “pregnancy prediction” score, which includes an estimate of the customer’s due date. Post Roe, these types of profiles could be weaponized against individuals who seek abortions in states where abortion is illegal.

Data brokers play a pervasive role in the location data market. Data brokers buy, aggregate, disclose, and sell billions of data points on Americans, including their location data. Data brokers build profiles on every American from vast, pervasive data collection. They operate with effectively no oversight or regulation. Data brokers also collect information about an individuals’ purchases, where they shop, and how they pay for their purchases. They also collect people’s home addresses, their utility records, their driver’s license information, and their vehicle license plates. In addition, data brokers collect health information, including period tracking information. Brokers also collect information from the sites individuals visit online and the advertisements that they click on, and make inferences from this data. And, thanks to the proliferation of smartphones and wearables, data brokers collect and sell real-time location data.

The Role of Tech Companies in the Degradation of Reproductive Privacy

Big Tech fuels the commercial surveillance system. As commercial surveillance increases, the threats to privacy—including reproductive privacy—follow suit. For example, the explosion of Generative AI (GAI) in recent years poses a threat to health privacy. GAI systems are fed data that is scraped indiscriminately from the internet or collected by online platforms. Hospitals’ websites may transmit individuals’ health information via tracking technologies: Facebook’s pixel was found on 1/3 of the top hospitals’ websites which had sent patient data to Facebook. People’s sensitive health information, including pregnancy status, may be used to train a GAI system. When this happens, the outputs that the system produces may contain some of the information that was fed into the system, revealing a person’s private health information. Because GAI is often built on indiscriminately scraped information, it frequently produces inaccurate results. ChatGPT incorrectly described medication abortion as dangerous with an increased risk of complications. Reportedly, pregnant people have searched for abortion clinics only to see advertisements for crisis pregnancy centers that try to prevent abortion. Without meaningful limitations on the collection, use, and retention of personal information, surveillance capitalism will continue to threaten reproductive privacy and autonomy.

Google plays a uniquely powerful role with respect to reproductive privacy because of how popular its search engine and map applications are. Many people rely on the tech giant for information about obtaining an abortion and how to arrive at their appointments. In July 2022, shortly after the U.S. Supreme Court invalidated the constitutional right to an abortion in Dobbs v. Jackson’s Women’s Health Organization, Google publicly promised to take new steps to protect users’ location data. In particular, Google said that it would delete location records that revealed whether a user had visited certain types of medical facilities soon after each visit. These facilities include counseling centers, addiction treatment facilities, domestic violence shelters, fertility centers, weight loss clinics, surgery clinics, and abortion clinics. Google promised that the change would go into effect in “the coming weeks” after the announcement.

But in November 2022, research by Accountable Tech showed that Google had failed to follow through on its policy change. In May 2023, follow-up reporting confirmed that failure. And nearly a year and a half after its initial promise to protect users’ location data, further research and reporting confirmed that Google had retained location data revealing visits to abortion clinics in about 50% of experiments conducted by Accountable Tech. The disconnect between Google’s public promises and its actual handling of users’ location data prompted EPIC and Accountable Tech to file a complaint with the Federal Trade Commission in January 2024. The groups urged the Commission to investigate Google, impose civil penalties, order the company to disgorge wrongfully retained location data, and enjoin Google’s unlawful location data practices.

Despite the failure to fulfill its 2022 location data promises, Google announced another update to its location data practices in December 2023. Once the changes take effect, the announcement promises that a user’s Location History timeline will be stored on the user’s device and that the default auto-delete control period for location data will shrink to three months from the previous period of 18 months. Google also promises to give users the option to delete activity related to specific places from Maps. As with the July 2022 announcement, Google provided no date certain for when the updates will take effect.

Unfortunately, we live in a legal reality where individuals must rely on pinky promises from tech companies to protect their most sensitive health information. We need meaningful comprehensive limits on the collection, use, and retention of our personal information to protect our health privacy.

Privacy Rights Deserve More Protections Than “It’s Up to the States”

The erosion of privacy rights by the Supreme Court in its Dobbs decision has had a ripple effect on other health care related choices. For example, Alabama’s Supreme Court held that embryos created through in vitro fertilization (IVF) were considered children. Until the Alabama legislature narrowly overrode the court’s decision through legislation, the court’s decision meant that a person in Alabama who destroyed an embryo—a typical practice when IVF treatments are finished—could have been liable for wrongful death. Anti-abortion advocates have advocated for this type of fetal personhood standard, which carries the disastrous effect of criminalizing abortion care and IVF. People who cannot to conceive children for myriad reasons, like cancer patients or same-sex couples, suddenly became afraid that they could not undergo IVF treatment or move embryos to another state for fear that they would be destroyed in transport. The decision was widely unpopular, prompting the Alabama legislature to pass a law protecting IVF patients and providers from liability. Yet fears remain in Alabama and for IVF patients across the country surrounding the uncertainty of the safety and accessibility of the practice in the future.

State legislatures have also been emboldened by Dobbs to restrict access to gender-affirming care. 24 states across the country have enacted laws that prevent access to gender-affirming care to transgender youth. Similar to the trend in reproductive health care, state legislatures and courts have encroached upon the private medical decisions between a patient and their doctor with respect to gender affirming care. The Dobbs decision has enabled states to usurp decision-making from patients. These harmful and invasive bans limit an individual’s ability to make their own medical decisions and discourage youth from seeking out health care from a professional. This leads to health risks—including depression, anxiety, and suicidality—and encourages youth to obtain information about their health and bodies elsewhere, which may be inaccurate or harmful. Physicians in states that have banned gender-affirming care must worry about criminalization and may practice in fear or stop providing some treatments entirely. These invasions of privacy are a dangerous trend. When legislatures and courts overstep to make medical decisions on behalf of an individual, it opens the door to more and more extreme invasions of privacy, including limits on gender affirming-care for adults and “bathroom bills,” which prohibit transgender people from using bathrooms that correspond with their gender.

Restrictions on access to abortion care have long inflicted the greatest harms on marginalized communities, a problem which a majority of the Supreme Court exacerbated in the Dobbs decision. The harms of Dobbs are felt most acutely by Black, Latino, and Indigenous people, people with low incomes, transmen, nonbinary folks, immigrants, youth, and people living with disabilities. Incarcerated persons and people on probation or parole are subjected to further barriers, including delay and the humiliation of asking permission to obtain an abortion. The Prison Policy Institute found that 82% of women on probation or parole nationwide are impacted by abortion and supervision restrictions. In other words, “the ability to seek abortion care out-of-state is left not to the pregnant person, but to the discretion of a correctional authority, typically their probation or parole officer.” States continue to erode privacy rights virtually unchecked, threatening the safety of everyone, but the burden falls hardest on the most vulnerable people.

Patchwork Attempts to Protect Reproductive Privacy

While courts have made decisions to strike down or uphold abortion-related laws, and state legislatures have worked to pass laws criminalizing or protecting abortion, people across the country have been left in a confusing legal patchwork. Reproductive health care advocates, abortion funds, and activists have worked tirelessly to help people obtain abortion care across the country. Meanwhile, states, policymakers, and government agencies have passed confusing and often contradictory rules, legislation, and policies. This leaves people across the country scrambling for care, uncertain of what actions are legal where they live, and anxious of what rights will be eroded next. For example, the Department of Health and Human Services published a rule that extends the HIPAA Privacy Rule to protect reproductive privacy by prohibiting covered entities from using or disclosing personal health information related to lawful reproductive health care. While parts of this updated rule are promising, EPIC has explained that this rule falls short of adequately protecting abortion patients across the country by limiting the scope of its protections to lawful care. This leaves people in states where the reproductive care they are seeking has been criminalized without the protection of the HIPAA Privacy Rule.

While many states have worked to ban abortion, some states have enacted shield laws that aim to protect abortion seekers and physicians. Unfortunately, one strong state law cannot provide help for people elsewhere in the country struggling to obtain abortion care—which is why we need comprehensive protections. Washington recently enacted its pioneering health privacy law, the My Health, My Data Act. EPIC’s Suzanne Bernstein analyzed the current legal landscape and the effect of Washington’s law, available here. She wrote:

Although Congress has yet to pass a comprehensive privacy law, over a dozen states have passed comprehensive privacy laws, and there is momentum for other states to enact similar laws. While these laws vary in many ways, basic state-level regulation of how companies manage data collection, retention, and sharing with third parties can be a boon to safeguard reproductive privacy. In addition to comprehensive state privacy bills, Washington state has enacted the landmark My Health My Data Act, which specifically governs health data privacy. This law also prohibits geofencing around any entity that provides health care services, like an abortion clinic or reproductive health care facility. Geofencing is the use of technology like Wi-Fi or cell tower data to create a boundary around a physical location or to locate a consumer within that boundary. This provision of the law could play an important role in limiting the collection and use of location data for criminalizing abortion care or other reproductive health care. Following Washington, Nevada also passed a health privacy law, illustrating the momentum to protect consumer health data, including reproductive information.
 

The Federal Trade Commission has taken steps to protect location information and health information in the past few years. The Commission updated its Health Breach Notification Rule to make clear that developers of health applications, connected devices, and other similar products must comply with the Rule. The Commission has made great strides in using its Section 5 authority to combat unfair and deceptive consumer health privacy violations. Actions against KochavaFlo Health and Premom signified the Commission’s commitment to reproductive health privacy, while the recent FTC settlement with GoodRx emphasized that it is unlawful to disclose consumers’ personal health information to third parties without authorization. The FTC’s enforcement actions against BetterHelp and Vitagene demonstrated the breadth of personal information that should be considered health data, targeting violations of mental health and genetic privacy, respectively. And the Commission’s recent use of the Health Breach Notification Rule authority illustrates the FTC’s determination to use all available enforcement authority to protect consumer health privacy.

Today’s technological realities and legal landscape have combined to have disastrous effects on abortion access and reproductive privacy. Reproductive privacy is freedom and individuals deserve to make these choices without intrusions from companies or the government. EPIC will continue to advocate for protections for our data that can reveal pregnancy status and pregnancy outcomes, and will continue to work to enshrine and protect the privacy right to access abortion health care and to make one’s own reproductive health care decisions.  

Recent Documents on Health and Reproductive Privacy

EPIC's Experts on Health & Reproductive Privacy

Support Our Work

EPIC's work is funded by the support of individuals like you, who help us to continue to protect privacy, open government, and democratic values in the information age.

Donate