The landscape of reproductive rights in the U.S. has changed dramatically since 2022 when the U.S. Supreme Court overturned Roe v. Wade in Dobbs v. Jackson Women's Health Organization.
In the years since, lawmakers and regulators at both the state and federal levels have taken a wide range of actions with respect to reproductive health privacy and abortion rights, with growing divergence between left and right leaning jurisdictions. These new laws and regulations impact a range of sensitive and health-related data. Importantly, new rules that may have been motivated at least in part as a response to Dobbs are frequently not limited to data related to having an abortion and can have much broader impacts.
The resulting 2025 health privacy forecast is a legally complex, politically charged and often directly conflicting array of laws that impact a wide variety of entities across a range of sectors. Impacted organizations must make a series of risk-based decisions that account for and anticipate thorny problems across federal and state-specific legal regimes.
To help navigate these complexities and to reduce risk in preparation for increased regulator and litigation activity, it is critical for organizations to prioritize the following compliance activities:
- Identify systems and databases that store and/or infer reproductive health information with special attention to areas of the product or service that may incidentally process this information, such as messaging features or website tracking technology.
- Based on your findings, set data minimization limits on reproductive health information, determine which reproductive or health privacy laws apply to which types of processing activities and establish a compliance strategy with a combination of organization-wide compliance controls and state-specific variation as needed.
- Review your patient and/or consumer notice, consent and authorization language, and update it where required.
- Establish an internal law enforcement access procedure and train relevant employees.
As the year progresses, the new presidential administration is expected to continue to focus on reproductive health policy issues through decisive policy changes and enforcement priorities with Democratic states responding by seeking to fill perceived gaps, as we've just seen with the New York legislature's passage of the New York Health Information Privacy Act.
We'll also be watching litigation trends closely. While we've yet to see individual or class enforcement of Washington state's My Health My Data Act, when such litigation does come, it is likely to come in droves and, like the current wave of California Invasion of Privacy Act litigation, have significant impact.
The fractured abortion rights landscape in the U.S.
Since the fall of Roe v. Wade, states have moved in opposing directions on abortion rights. A group of Republican-led states, including Alabama, Florida, Georgia, Idaho, Indiana, Texas and West Virginia, have restricted access to abortion care, typically by means of laws that criminalize the provision of such care.
A subset of these states have also enacted so-called "bounty laws," which allow private citizens to seek financial remuneration from providers whom they allege have given abortion care in violation of the state's law.
Meanwhile, other states such as Arizona, California, Colorado, Maryland, Michigan, Missouri, Montana, New York, Ohio and Vermont have passed new measures, including state constitutional amendments, to protect access to abortion services.
While state abortion bans typically contain exceptions for medical emergencies, the scope of such exceptions is often unclear, discouraging the provision of abortion care even in the face of life-threatening emergencies. Efforts to clarify when medical exceptions do and do not apply have been met with resistance.
Texas' abortion ban, which took effect 25 Aug. 2022, prohibits the performance, attempted performance or inducement of an abortion, with a limited exception for medical emergencies. In Zurawski v. State of Texas, the Texas Supreme Court refused to clarify the scope of this medical emergency exception to the state's abortion ban.
One result of uncertainty around the scope of state abortion bans is that, in states with bounty laws, any company holding data about individuals' reproductive health care, pregnancy care or received health services could have the data subpoenaed or otherwise become subject to litigation.
Restrictions on processing and disclosing broad data types, including reproductive health information
In response to the potential for increased requests for access to reproductive health information, lawmakers and regulators at the federal level and in abortion-protective states have passed laws seeking to restrict access to and the availability of such data.
These laws fall into two main categories. Shield laws aim to protect physicians operating in states where abortion care is less restricted from being prosecuted by out-of-state law enforcement for providing lawful reproductive care, as well as to protect patients seeking care in that state.
Consumer health privacy laws seek to minimize the commercial processing and availability of health-related data and to restrict the geotargeting of health care facilities.
Federal and state shield laws
Entities regulated by the Health Insurance Portability and Accountability Act had to comply with the bulk of the Department of Health and Human Services Office for Civil Rights' new Privacy Rule To Support Reproductive Health Care Privacy by 23 Dec. 2024.
The rule prohibits covered entities or their business associates from using or disclosing protected health information to criminally, civilly or administratively investigate or sue a person for "seeking, obtaining, providing, or facilitating reproductive health care" that was lawful where it was provided, or to identify someone for such prosecution.
On 26 Nov. 2024, the OCR entered into a settlement agreement with Pennsylvania's Holy Redeemer Hospital, as part of which the office signaled the Biden-Harris administration's commitment to protecting reproductive privacy, in advance of its new rule's enforcement date.
Adding to the complexity, however, a Texas District Court judge preliminarily enjoined HHS from enforcing the Reproductive Privacy Rule against a Texas-based doctor on 23 Dec. 2024. It remains to be seen whether HHS will appeal the ruling, but federal prosecutors under President Donald Trump have already begun to turn away from issues they were prioritizing under the Biden-Harris administration.
On 24 Jan. 2025, the federal government dropped criminal charges against a Texas-based physician for allegedly sharing PHI, which was related to patients' access to gender affirming care at the hospital where she worked, with the press.
States including California, Colorado, Connecticut, Hawaii, Illinois, Massachusetts, New Jersey, New Mexico, New York, Rhode Island, Vermont and Washington have passed laws with elements in common with HHS's Reproductive Privacy Rule, commonly referred to as shield laws.
These laws take many forms, but, in general, they limit the disclosures health care providers, service plans, and other in-scope entities and individuals may make to out-of-state or foreign law enforcement about a patient obtaining or a physician providing abortion services that were lawful in the state where they were provided.
As with the HHS Reproductive Privacy Rule, challenges to state shield laws have begun to emerge. On 13 Dec. 2024, Texas Attorney General Ken Paxton announced his office is suing a New York-based doctor for allegedly providing abortion pills to a Texas resident in violation of the state's abortion ban and other Texas laws. The lawsuit will be a direct test of New York state's shield laws.
Consumer health privacy laws
The most prominent post-Dobbs health privacy framework is Washington state's My Health, My Data Act, which took full effect last year. The MHMDA establishes a novel framework to regulate the collection, processing and transfer of consumer health data, a term the law defines to include a broad range of personal information, including information that has not traditionally been treated as health data under the law.
The MHMDA requires entities of all sizes to maintain a health-data specific privacy notice, seek nonbundled opt-in consent for any processing or sharing of health data beyond what is necessary to provide a product or service requested by the consumer, and honor broad consumer rights to access and delete their health data.
The MHMDA requires entities to obtain authorization, which is even more burdensome than obtaining opt-in consent, for the sale — defined broadly to include exchanges of data for "valuable consideration" — of health data. The law also restricts the geofencing of health care facilities to collect health data, track or identify facility visitors, or to send consumers health-related communications or advertisements.
The act is enforceable by the Washington state attorney general as well as by individual plaintiffs or classes of plaintiffs through a private right of action. While the MHMDA has yet to be enforced, a recent Washington State District Court decision could create a path for class-action lawsuits.
In the same calendar year when the Washington legislature passed the MHMDA, Connecticut and Nevada enacted similar, but not identical, health privacy laws. Neither of those laws is enforceable through a private right of action, and the attorneys general in Connecticut and Nevada have yet to enforce these laws.
We will be watching closely to see whether the change in administration at the federal level influences the attorneys general in these three states to step up reproductive privacy-related enforcement in response to a perceived gap in federal activity.
The New York legislature also passed an extraordinarily restrictive health privacy bill, the New York Health Information Privacy Act. While modeled after the MHMDA in many respects, the New York bill arguably expands further, to the processing of personal data related to health. Prior to enactment, the NY HIPA is subject to amendment or veto by Gov. Kathy Hochul, D-N.Y.
The NY HIPA would govern the processing of regulated health information, defined as "any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual," including "location or payment information that relates to an individual's physical or mental health or any inference drawn or derived about an individual's physical or mental health that is reasonably linkable to an individual, or a device."
Like the MHMDA's definition of consumer health data, this open-ended definition regarding information "processed in connection with" the health of a person could be interpreted broadly to include a wide range of data related to health and wellness.
The NY HIPA would require burdensome and difficult-to-scale authorization for a wide range of processing activities beyond those strictly necessary to provide a specific consumer-requested product or service, with only narrow exceptions. The act would create strong data subject rights and notice requirements and provide for enforcement by the New York Attorney General's Office, "in addition to any other lawful remedy available." The NY HIPA would also allow for attorney general rulemaking.
Meanwhile, similar laws have been introduced but so far not passed in several states, including Maine and Michigan. These laws have faced significant opposition but could be more likely to pass in response to aggressive enforcement of abortion restrictions in other states or to a pull-back of federal efforts to protect abortion-seekers and their doctors.
Reduce risk by developing a structured compliance plan before issues arise
All organizations navigating this fractured legal environment will need to keep up with litigation outcomes, along with new legislation and regulations as they are passed into law.
Meanwhile, they should implement a compliance plan to address the areas of most significant risk. A key aspect of such a plan that all organizations should consider is data minimization.
Before collecting health-related data, and especially reproductive health data, query whether such collection is operationally necessary or merely nice to have. If and where less health information can be collected — or this data can be collected only in deidentified formats — there is an opportunity to reduce the legal risk an organization faces.
Likewise, consider how long such data needs to be retained or whether it can be deidentified after a defined period. If the organization no longer has the data, the compliance obligations and risks associated with that data can become a nonissue.
Data usage limitations are equally important. To the extent possible, limiting use of reproductive health data — or any health data — to the primary purpose of providing the requested service to the patient or consumer can help reduce risk. For companies that monetize data through advertising, excluding such data — including inferred data — from advertising systems and uses can minimize one significant area of risk.
Also, good data security practices such as encryption and strict access controls can reduce the risk of accidental misuse, disclosure or access to such data by an unauthorized party — any of which could lead to harm and liability.
In addition, further steps should be considered depending on which of the laws your organization is subject to. There are three main categories of entities that need to plan especially carefully for compliance: HIPAA-covered entities and their business associates, entities impacted by state abortion bans and shield laws — including companies that process reproductive health information likely subject to the resulting litigation — and entities operating or providing services in states with consumer health privacy laws in place.
HIPAA-covered entities and business associates
Is your entity subject to HIPAA? If so, you must comply with the Reproductive Privacy Rule by having an established procedure in place for identifying and responding to covered access requests.
Impacted employees should be trained on an internal escalation and response process.
Covered entities should also update their notice of privacy practices by February 2026 to comply with the rule's requirements and have a template attestation letter on file.
Entities operating in states with abortion-specific laws
Entities should complete an assessment of applicable state laws to understand the risks involved with cross-state data sharing. Consider internal policies and procedures to ensure any access request received is valid and applicable and the procedures for response comply with applicable law.
Entities should not disclose health information without making sure they have received any required consent or authorization. Under shield laws, certain disclosures may always be forbidden, while others may require hyperspecific documentation to be lawfully made.
For example, Washington state's shield law requires entities to obtain an attestation made under penalty of perjury from parties requesting information through legal process about health services that were lawfully provided in the state. This attestation must state the request is not being made as part of the investigation or enforcement of another state's law that would impose liability for providing or receiving such health services.
Companies processing reproductive health data should also consider more stringent internal data practices, such as storing reproductive health information in separate databases with extremely strict access controls, to minimize legal risk.
Entities operating in states with consumer health privacy and/or shield laws
The first step for entities operating in states with consumer health privacy laws in place is to get familiar with the scope of those laws and the personal data the organization processes. Does the entity collect, process and share data related to health? If so, does it do so incidentally or as part of its core product and service offerings? How is this data collected, where is it stored and who is it shared with?
Once you understand the baseline, consider categorizing and, where appropriate, storing data related to health separately from other data and applying different policies to such data as may be required by applicable law.
Washington state's MHMDA and Nevada's consumer health privacy law each require entities to obtain consent for any collection — defined to include "process in any manner" — or sharing of consumer health information beyond collection or sharing that is necessary to provide a consumer-requested product or service.
The MHMDA also requires covered organizations to maintain stand-alone consumer health privacy policies. It is important to review these notices on an annual basis to make sure they are accurate and clear.
A risk-based approach
Considering the highly complex, rapidly evolving and politically charged nature of this area of privacy law, it is critical for impacted organizations to approach compliance with these laws with thoughtfulness and care.
Evaluating and implementing the suggested key compliance steps can be an important part of a risk-based approach to meeting the obligations of these reproductive and health privacy laws and regulations.
Kate Black, CIPP/US, and Mike Hintze, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, are partners and Felicity Slater, CIPP/US, is an associate at Hintze Law.