Reproductive Health Data Protection: Your Rights, Key Laws, and How to Safeguard Your Information
Overview of Reproductive Health Data Privacy Legislation
Reproductive health data protection in the United States is governed by a patchwork of federal rules, state statutes, and proposed bills. At the federal level, HIPAA sets baseline privacy standards for protected health information created or held by covered entities, while the FTC’s Health Breach Notification Rule (HBNR) applies to many health apps and connected devices that fall outside HIPAA. In April 2024, the FTC finalized amendments to the HBNR to better cover digital health technologies and clarify breach notice obligations for vendors of health apps and connected devices. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?utm_source=openai))
Several congressional proposals specifically target reproductive privacy. The My Body My Data Act would create national limits on collecting, using, and disclosing reproductive and sexual health information, with FTC enforcement; companion measures have been introduced in both chambers. The Reproductive Data Privacy and Protection Act would further restrict the ability of law enforcement and third parties to obtain reproductive data in many circumstances. Though not enacted as of March 15, 2026, these proposals signal the direction of federal policy. ([congress.gov](https://www.congress.gov/bill/118th-congress/senate-bill/1656/text?utm_source=openai))
States have moved quickly. Washington’s landmark My Health My Data Act (HB 1155) extends privacy rights—including deletion and consent—to personal health data not covered by HIPAA and treats violations as per se consumer protection violations. In addition, 22 states and the District of Columbia have enacted shield laws that limit cooperation with out‑of‑state investigations into lawful reproductive or gender‑affirming care, often including data‑sharing limits. ([atg.wa.gov](https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy?utm_source=openai))
Finally, assisted reproductive technology (ART) reporting is mandated under federal law. Clinics must submit annual data to CDC’s National ART Surveillance System (NASS) under the Fertility Clinic Success Rate and Certification Act of 1992; published reports use standardized success measures, and the underlying data are protected under an Assurance of Confidentiality. ([cdc.gov](https://www.cdc.gov/art/php/nass/index.html?utm_source=openai))
Understanding the HIPAA Reproductive Health Rule
What HHS’s 2024 HIPAA modifications tried to do
HHS issued HIPAA Modifications for Reproductive Health in April 2024 to prohibit using or disclosing PHI to investigate or impose liability for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful where provided, and to bar disclosures that would identify persons for such purposes. The rule also created a presumption that reproductive care provided elsewhere was lawful and added an “attestation” requirement before certain disclosures (e.g., to law enforcement, courts, health oversight, or coroners) where PHI might relate to reproductive care. It further required updates to Notices of Privacy Practices. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
What changed after the federal court ruling
On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated most of the 2024 reproductive health privacy rule nationwide. HHS notes that, with respect to the Notice of Privacy Practices, only certain subsections were specifically vacated and that remaining NPP updates must still be implemented by February 16, 2026. The practical takeaway: the prohibition and attestation requirements are not in effect as of today (March 15, 2026), while limited NPP revisions remain on track. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
What still protects your information under HIPAA
Even after the ruling, your reproductive health information held by HIPAA‑regulated entities remains protected by the baseline Privacy, Security, and Breach Notification Rules. You can request “confidential communications” (for example, asking a provider or health plan to send communications to an alternate address) and, in specific circumstances, require a provider not to disclose information to your health plan if you pay for the item or service in full out of pocket. Covered entities must also follow the “minimum necessary” standard and maintain safeguards aligned with HHS Health Information Security Guidance. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html?utm_source=openai))
Federal Court Impact on Data Protection
Recent court decisions profoundly shape reproductive data privacy and enforcement.
- Dobbs v. Jackson Women’s Health Organization (June 24, 2022) ended federal constitutional protection for abortion, spurring divergent state approaches to access and data. ([supremecourt.gov](https://www.supremecourt.gov/docket/docketfiles/html/public/19-1392.html?utm_source=openai))
- FDA v. Alliance for Hippocratic Medicine (June 13, 2024) dismissed challenges to mifepristone on standing grounds, leaving FDA’s approvals intact and affecting how regulators and courts approach evidence in reproductive health disputes (though not directly changing data‑privacy rules). ([supremecourt.gov](https://www.supremecourt.gov/opinions/23pdf/23-235_n7ip.pdf?utm_source=openai))
- Carmen Purl v. HHS (June 18, 2025, N.D. Tex.) vacated most HIPAA reproductive privacy amendments; NPP timing remains partially in effect. Expect ongoing appeals and additional guidance. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
- Courts are also testing the reach of state “shield laws” and data‑sharing. For instance, a New York court dismissed Texas’s attempt to enforce a judgment against a physician under New York’s shield law, while other matters spotlight how law enforcement has sought location or license‑plate data tied to abortion investigations. ([apnews.com](https://apnews.com/article/e1d6d561c098084258575fb9f647ac1b?utm_source=openai))
Best Practices for Protecting Personal Reproductive Data
Data Minimization Strategies you can use
- Share only what is strictly necessary for your care. Ask providers to follow HIPAA’s minimum‑necessary rules for non‑treatment disclosures and to limit internal access on a need‑to‑know basis. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html?utm_source=openai))
- For apps and wearables, avoid services that aggregate data from multiple sources unless you truly need the feature. Prefer tools that store data locally, allow deletion, and avoid third‑party trackers.
- Turn off precise location and background activity for health apps, and periodically clear search, maps, and browser histories linked to sensitive topics.
Follow Health Information Security Guidance
- Use strong device security: screen locks, automatic updates, and passcodes for notes or photos. Enable encrypted messaging with providers when available.
- Ask providers about their security risk analysis and safeguards under the HIPAA Security Rule, and request confidential communications (for mailed EOBs or appointment reminders) to an alternate address when appropriate. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))
Special note on Assisted Reproductive Technology Reporting
If you use IVF or other ART, clinics must send de‑identified, standardized data to CDC’s NASS under federal law. Published success‑rate reports are clinic‑level; underlying data are protected by an Assurance of Confidentiality under Public Health Service Act §308(d). That said, always review clinic consent forms to understand what is reported and how your information is safeguarded. ([cdc.gov](https://www.cdc.gov/art/php/nass/index.html?utm_source=openai))
Role of Federal and State Agencies in Data Privacy
Multiple agencies share responsibility for reproductive data privacy. HHS’s Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules and investigates complaints against covered entities and business associates. The FTC enforces the updated Health Breach Notification Rule and uses its consumer‑protection authority to police misleading health‑data practices by apps and platforms. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html?utm_source=openai))
State Attorneys General enforce state consumer‑privacy and health‑data laws; Washington’s My Health My Data Act is a prominent example, with per se consumer‑protection liability for violations and explicit rights to deletion and consent. ([atg.wa.gov](https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy?utm_source=openai))
CDC administers Assisted Reproductive Technology Reporting, while DOJ enforces clinic access protections under federal civil‑rights statutes. Together, these agencies frame both privacy and access for reproductive care nationwide. ([cdc.gov](https://www.cdc.gov/art/php/nass/index.html?utm_source=openai))
Legal Protections for Clinic Access and Data
Clinic access and safety are safeguarded by federal law. The Freedom of Access to Clinic Entrances (FACE) Act makes it unlawful to use force, threats, or physical obstruction to interfere with people seeking or providing reproductive health services; DOJ regularly prosecutes violations. ([justice.gov](https://www.justice.gov/crt/freedom-access-clinic-entrances-places-religious-worship?utm_source=openai))
Clinic data practices remain governed by HIPAA and state law. Even after the 2025 court decision, covered entities must honor “confidential communications” requests and apply minimum‑necessary policies for non‑treatment disclosures. These tools help reduce unnecessary exposure of reproductive care details in payer communications and other channels. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html?utm_source=openai))
Many states have adopted Clinic Access Protection Laws in the form of shield statutes that curb cooperation with out‑of‑state investigations into lawful care and limit sharing of sensitive information (including clinic‑held or state‑held data). New York’s shield framework, for example, restricts domestication of out‑of‑state subpoenas and bars entities from assisting certain investigations. ([guttmacher.org](https://www.guttmacher.org/state-policy/explore/shield-laws-sexual-and-reproductive-health-care?utm_source=openai))
Practical Tips for Safeguarding Your Health Information
- Ask for confidential communications: request bills, EOBs, and appointment notices be sent to an alternate address or portal; use secure messaging when available. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html?utm_source=openai))
- Consider paying out of pocket for specific services and requesting that your provider not disclose those items to your health plan, when legally available; remember this does not override disclosures required by law. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/3026/under-hipaa-may-an-individual-request-that-a-covered-entity-restrict-how-it-uses-or-discloses-that-individuals-protect-health-information/index.html?utm_source=openai))
- Choose privacy‑forward apps: read policies for data sharing/sale, verify deletion controls, and avoid apps that sync from multiple sources unless necessary; the updated HBNR treats many health apps as covered for breach‑notice purposes. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/health-breach-notification-rule-basics-business?utm_source=openai))
- Limit identifiers in communications: avoid including full names or details in subject lines; confirm the recipient and method before sending sensitive information.
- Minimize location trails: disable precise location for health‑related apps; consider turning off ad‑ID personalization; routinely clear map and web histories related to care logistics.
- Know your records: ask providers what data they retain, who can access it, and how long they keep it; verify whether business associates (billing, EHR vendors) have access and what safeguards they use under Health Information Security Guidance. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))
Conclusion
Reproductive Health Data Protection now relies on core HIPAA rights and security practices, strengthened FTC rules for health apps, targeted state laws like Washington’s My Health My Data Act, and clinic access protections such as the FACE Act. Because the HIPAA Modifications for Reproductive Health were largely vacated on June 18, 2025, you should lean on existing HIPAA tools (confidential communications, minimum necessary, out‑of‑pocket restrictions), evaluate app practices carefully, and track evolving shield laws and court rulings to keep your information—and your options—protected. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
FAQs
What laws protect reproductive health data privacy?
For medical records held by covered providers, health plans, and their business associates, HIPAA governs privacy, security, and breach notification. Many consumer health apps fall under the FTC’s Health Breach Notification Rule, updated in 2024 to clarify coverage of health apps and connected devices. States add layers—Washington’s My Health My Data Act regulates non‑HIPAA personal health data—and numerous states and DC have shield laws that restrict cooperation with out‑of‑state investigations into lawful care. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?utm_source=openai))
How does the HIPAA Reproductive Health Rule impact data protection?
HHS’s 2024 rule would have barred using or disclosing PHI to investigate or impose liability for lawful reproductive care and required attestations before certain disclosures. However, on June 18, 2025, a federal court vacated most of that rule nationwide. Limited Notice of Privacy Practices updates still apply with a February 16, 2026 compliance date, but the prohibition and attestation provisions are not in effect as of March 15, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
What are the best practices for safeguarding reproductive health information?
Use Data Minimization Strategies (share only what’s necessary), request confidential communications, and—where appropriate—pay out of pocket and ask your provider not to disclose specific items to your health plan. For apps, favor services that allow deletion, avoid third‑party trackers, and store data locally; remember that the FTC’s updated HBNR covers many apps outside HIPAA. For ART patients, know that clinics must submit de‑identified statistics to CDC’s NASS, with confidentiality protections. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html?utm_source=openai))
How do federal court decisions affect reproductive data privacy laws?
Court rulings shape—and sometimes halt—policy changes. Dobbs (2022) led to divergent state regimes and cross‑state enforcement questions. In 2024, the Supreme Court rejected challenges to mifepristone on standing grounds. Most consequential for data rules, on June 18, 2025, the Northern District of Texas vacated HHS’s reproductive HIPAA amendments; certain NPP updates still proceed. Courts are also testing state shield laws and data‑sharing practices tied to abortion investigations. ([supremecourt.gov](https://www.supremecourt.gov/docket/docketfiles/html/public/19-1392.html?utm_source=openai))