Reproductive Health Data Privacy: What Now?
September 26, 2025
Overview
The recent court ruling vacating the Biden-era HIPAA Privacy Rule to Support Reproductive Health Care Privacy removes a layer of protection around reproductive health data, and in its wake, the onus will be on states and localities to implement protections. Currently, state-level safeguards for reproductive health data remain a patchwork of legal protections in some parts of the country, and not in others.
It has been a tumultuous time for reproductive health data privacy over the last three years. Since the Dobbs v. Jackson Women’s Health Organization (2022) decision, in which the U.S. Supreme Court held there is no right to abortion under the U.S. Constitution, we have seen states and the previous Administration step in to bolster privacy protections for reproductive health data. We also saw a wave of litigation challenging the Biden-era HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the Rule). That Rule prohibited the use or disclosure of protected health information (PHI) for prosecutions and investigations of individuals stemming from the mere act of seeking, obtaining, providing or facilitating reproductive care. This article takes a closer look at a much-changed reproductive health data privacy legal landscape and asks “what now?”.
Federal protections for reproductive health data have flatlined. On June 18, 2025, a federal judge in the Northern District of Texas issued a ruling in Purl v. Department of Health and Human Services (HHS) vacating the Rule. HHS did not timely file a notice of appeal in the case by the August 18, 2025 deadline—signaling, to all intents and purposes, its abandonment of defense of the Rule.
The only lifeline left for the Rule was an appeal of the decision to nullify the Rule filed by the cities of Madison, Wisconsin and Columbus, Ohio, and Doctors for America. These would-be defenders of the Rule argued before the District Court that HHS was not adequately defending it and sought to enter the case to defend the Rule. The District Court disagreed and refused their entry into the case. Ultimately, on September 4, 2025, Madison, Columbus and Doctors for America withdrew their appeals of both the decision to deny them entry into the case and the final judgment.
Although the Rule no longer shields PHI related to reproductive health, long-standing HIPAA provisions limiting use and disclosure of PHI still apply to reproductive-health-related PHI. The basic premise of the HIPAA privacy rule—that an authorization is generally required to disclose PHI unless an exception applies—is still in place.
These exceptions to the authorization requirement, such as disclosures for law enforcement, health oversight and where required by law, include limitations and prerequisites that must be met prior to use or disclosure of PHI by a covered entity or its business associate. Although disclosure in some cases may be mandated by other law, these HIPAA provisions permit, rather than require, disclosure.
State-level safeguards for reproductive health data remain a patchwork of legal protections in some parts of the country, and not in others. States like California, Connecticut, Delaware, Illinois, Massachusetts, New Jersey, New Mexico and New York, and the District of Columbia (DC), have passed reproductive health data privacy laws before and after Dobbs. These laws add protections, such as prohibiting disclosures of reproductive health data to investigators and prosecutors, or in civil, legislative or administrative proceedings. This state-by-state approach, however, leaves obvious holes in coverage, and a risk that reproductive health data may legally leave a state with protective laws, rendering the data vulnerable to access by actors adverse to reproductive health in states without sufficient protections.
The privacy of consumer reproductive health data remains of great concern. This type of health data in the hands of app makers and other non-HIPAA covered entities, is generally not protected by HIPAA. A couple of states have passed comprehensive health data privacy laws. Washington passed its My Health My Data Act, seen as a model health data privacy act, that adds protections for reproductive health data. Nevada soon followed, with its own comprehensive consumer health privacy law. We have not, however, seen an avalanche of comprehensive state health data laws.
Finally, 20 states also have comprehensive consumer privacy laws that may offer protections for reproductive health data. California, for example, provides consumer protections around “sensitive personal information” that includes information concerning a consumer’s health and “sex life.” And, Virginia amended its Consumer Protection Act to prohibit obtaining, disclosing or selling reproductive health data without the consent of the consumer, effective July 1, 2025.
Conclusion
Roll back of the HIPAA repro Rule removes a layer of protection around reproductive health data and, in its wake, the onus will be on states and localities to implement protections. We may, therefore, continue to see state-level interventions in the foreseeable future.
This post was written by Stephen Murphy, J.D., Director, Network for Public Health Law —Mid-States Region.
The Network promotes public health and health equity through non-partisan educational resources and technical assistance. These materials provided are provided solely for educational purposes and do not constitute legal advice. The Network’s provision of these materials does not create an attorney-client relationship with you or any other person and is subject to the Network’s Disclaimer.
Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not represent the views of (and should not be attributed to) RWJF.