Seventeen States Attack HIPAA and Reproductive Health Privacy

Issue Brief

March 2025

Reproductive Rights

Four lawsuits from anti-abortion extremists challenging the 2024 HIPAA Privacy Rule to Support Reproductive Health Care Privacy (2024 HIPAA Privacy Rule) are jeopardizing health privacy and threatening to put pregnant people at even greater risk of criminalization for their reproductive care. Invalidating the 2024 HIPAA Privacy Rule would leave patients without the safeguards they need to trust their health care providers with their confidential health information and ensure law enforcement cannot access it.

The Fallout from Attacks on Reproductive Health Privacy for Patients

If these challenges to the 2024 HIPAA Privacy Rule succeed, the implications for abortion access, patient-provider trust, abortion criminalization, and care coordination would be devastating:

A law enforcement officer in Texas (a state that bans abortion) could obtain the medical records of a Texas resident who traveled to receive abortion care in Colorado (a state that protects it), and try to build a case against them.
A patient who experiences a miscarriage and goes to the hospital for care would have reason to fear that their health care provider might wrongfully blame them for causing it and report them to the police.
A pharmacist that dispenses abortion pills to a patient could provide information about them directly to state investigators, even without a warrant or subpoena.
A patient who needs treatment for cancer or arthritis could be forced to suffer without the care they need because their doctor is afraid they’ll get sued for prescribing medication that could potentially interfere with a pregnancy.

Texas Attorney General Ken Paxton, Tennessee Attorney General Jonathan Skrmetti alongside 14 other Republican state attorneys general, Missouri Attorney General Andrew Bailey, and an anti-abortion doctor in Texas are suing the Department of Health and Human Services (HHS) to invalidate the 2024 HIPAA Privacy Rule and take protections against reproductive health criminalization away from patients. If these lawsuits succeed, patients and providers could be exposed to criminal investigations and liability for seeking or providing reproductive health care. Chaos and confusion around legal risks in the fallout could have a chilling effect on abortion access and further scare providers away from providing reproductive care.

These attacks on HIPAA take aim at a sorely-needed line of defense against abortion criminalization to intimidate people out of getting reproductive care. In the wake of Dobbs v. Jackson Women’s Health Organization, people throughout the country are living under the threat of surveillance and criminalization for their reproductive health decisions and pregnancy outcomes. Members of historically underserved and marginalized communities – especially low income, Black, and brown women – are more likely to be subjects of investigations and criminal proceedings related to reproductive health care.

2024 HIPAA Privacy Rule Protections

One of the driving forces for criminalization related to pregnancy status or outcomes has been health care providers unnecessarily reporting their patients to law enforcement, especially amidst confusion over reporting obligations under HIPAA’s law enforcement exception. In response, HHS’ Office for Civil Rights (OCR) finalized the 2024 HIPAA Privacy Rule on April 26, 2024, to prohibit the use or disclosure of protected health information for the purpose of investigating or criminalizing anyone for lawful reproductive care. This means that HIPAA-covered entities like doctors are barred from complying with law enforcement requests and legal process – including court orders, subpoenas, and warrants – if officials are seeking out medical records to prosecute someone for seeking, assisting with, or providing lawful reproductive care.

Challenges to the 2024 HIPAA Privacy Rule

Tennessee et al. v. HHS: Tennessee filed a lawsuit along with Alabama, Arkansas, Georgia, Idaho, Indiana, Iowa, Louisiana, Montana, Nebraska, North Dakota, Ohio, South Carolina, South Dakota, and West Virginia claiming that the 2024 HIPAA Privacy Rule is unlawful and harms the states’ investigative authorities.
Missouri v. HHS: Missouri filed a lawsuit claiming that the 2024 HIPAA Privacy Rule is unlawful and harms its investigative authority.
Texas v. HHS: Texas filed a lawsuit claiming that the 2024 HIPAA Privacy Rule is unlawful and harms the state’s investigative authority. The complaint also seeks to invalidate the 2000 HIPAA Privacy Rule.
Purl v. HHS: Dr. Carmen Purl, an anti-abortion physician in Texas, filed a lawsuit claiming that the 2024 HIPAA Privacy Rule is unlawful and prevents physicians from reporting child abuse. She wants to make child abuse reports to state authorities when young people have accessed abortion or gender-affirming care.

Risks from Invalidating the 2024 HIPAA Privacy Rule

If the 2024 HIPAA Privacy Rule is vacated and permanently enjoined, it would be a major blow to patient privacy, embolden reproductive health surveillance and criminalization, exacerbate fear and uncertainty among patients and providers around disclosures to law enforcement, and chill abortion access.

Blow to Privacy & Confidentiality: Too many people fear being reported to law enforcement for their reproductive health care decisions and pregnancy outcomes like miscarriage and stillbirth. Without the 2024 HIPAA Privacy Rule, patients will have less assurance that the information they disclose to their doctor will remain confidential and not be shared with law enforcement. Eliminating protections for reproductive health care information could deepen mistrust patients feel for their providers – especially among marginalized communities with a history of reproductive coercion, discrimination, and criminalization.
Embolden Abortion Criminalization: These lawsuits seek to embolden reproductive surveillance and expose abortion seekers, helpers, and providers to criminal investigations and liability. In the first year after Dobbs, at least 210 pregnant people faced criminal charges for conduct associated with pregnancy, abortion, pregnancy loss, or birth. In 121 of the 210 cases, information was obtained or disclosed in a medical setting. If these lawsuits succeed, these numbers would continue to rise unabated. And the risks of pregnancy criminalization and surveillance do not fall equally; those who are already vulnerable to over-surveillance by the state, including people of color, low-income people, and immigrants, will be disproportionately harmed.
Chaos & Confusion: Invalidating HIPAA would likely mean that providers would be permitted (though not required) to share patients’ protected health information with law enforcement, as was the case before the 2024 HIPAA Privacy Rule. Provider confusion around whether to respond to law enforcement requests could expose pregnant people to greater risk of legal action. Fear of criminalization might deter patients from seeking health care and being forthcoming about their symptoms or medical history. This chaos could also discourage providers from providing reproductive care altogether.
Undermine Reproductive Freedom: Without the 2024 HIPAA Privacy Rule, patients could face greater risk of being reported to law enforcement for their reproductive care. In particular, this leaves pregnant people who live in states that ban abortion and are forced to travel to receive reproductive care in protective states with less assurance that their health information will not be disclosed to state authorities back home who may try to investigate them. These risks can hold people back from accessing the reproductive care they need.

Who is behind this anti-abortion legal campaign?

Ken Paxton is a previously indicted felon and the far-right Attorney General of Texas with a long record of attacking abortion access and our democracy. He has attacked protections for emergency abortion access in EMTALA, supports Texas’ extreme total abortion ban, and recently sued a New York doctor for providing medication abortion to a Texas resident. He also led a lawsuit seeking to overturn the 2020 presidential election.
Tennessee Attorney General Jonathan Skrmetti asked the Supreme Court to expand its ruling in Dobbs to allow states to ban gender-affirming medical care in addition to abortion. He is currently defending Tennessee’s ban on gender-affirming care for transgender youth.
Dr. Carmen Purl is represented by Alliance Defending Freedom (ADF), which works to deliver strategically-chosen anti-abortion cases to conservative courts. ADF represented Missouri in the Dobbs case, which overturned Roe v. Wade, and represented the Alliance for Hippocratic Medicine in its challenge to the FDA’s approval of mifepristone.
Alliance Defending Freedom (ADF) zeroed in on the U.S. District Court for the Northern District of Texas Amarillo Division because Judge Matthew Kacsmaryk has a long record of delivering outcomes favorable to anti-abortion conservatives. He fast-tracked attacks on medication abortion Alliance of Hippocratic Medicine v. FDA and on birth control access in Deanda v. Becerra.

Attacks on 2000 HIPAA Privacy Rule

The right-wing legal campaign against HIPAA privacy protections does not stop with reproductive health information. The Texas Attorney General’s lawsuit also challenges the 2000 HIPAA Privacy Rule, and Judge Matthew Kacsmaryk requested briefing on the constitutionality of the 2000 HIPAA Privacy Rule in the Texas provider case. The 2000 HIPAA Privacy Rule set foundational national standards to protect people’s medical records and gave people more control when it comes to their health information. Importantly, it limits when a provider or health plan can disclose protected health information in response to a government investigation.

If the 2000 HIPAA Privacy Rule were invalidated, the aftershocks would significantly hinder the functioning of the health care system – throwing health information exchange and payment into disarray and undermining both health outcomes and health equity. Patients would lose confidence that their sensitive health information would be kept private, including from law enforcement. This seismic shift could erode patients’ trust in their providers, dissuade patients from seeking out care or being transparent about their health conditions, and deepen divides with communities that have experienced historical and ongoing mistreatment by the medical establishment, including among Black and brown people, disabled people, and LGBTQ people.

Impacts on Patients and the Health Care System

Weakening or throwing out HIPAA’s privacy safeguards would have health care industry-wide impacts as well as wreak havoc on patients’ ability to trust their providers and their experience navigating the system at large:

A patient could get doxxed if their neighbor who works at their local hospital accesses their private health information – without permission or penalty – and shares it with others.
A law enforcement officer could pressure a psychiatrist to share patient notes from therapy sessions without a subpoena.
A patient’s protected health information could be accessed, sold, and used by anyone along the many points of contact in the health care delivery and payment chain. It could be used for surveillance, commercial, research, and other uses without their knowledge or consent.

Next Steps

People deserve safety and confidentiality when accessing reproductive health care, and these lawsuits threaten privacy guardrails at a time that reproductive health patients need them more than ever before. Providers should never be pressured to report on the patients who entrust them with their care, but that would inevitably be the reality for far too many people without HIPAA protections. People are already scared to seek medical care after having an abortion or experiencing pregnancy loss, and they could have fewer protections against legal action if these anti-abortion extremists get their way. The right-wing legal campaign against HIPAA is designed to further erode people’s ability to make decisions about whether, when, and how to have children without fear of criminalization. Fighting back against these lawsuits is critical for the future of reproductive freedom and patient privacy.

Back to Reproductive Rights

2024 HIPAA Privacy Rule Protections

Risks from Invalidating the 2024 HIPAA Privacy Rule

Attacks on 2000 HIPAA Privacy Rule

Impacts on Patients and the Health Care System

Next Steps

News Room

More Ways to Give

Jobs & Internships

Blog

Racial Equity

At the National Partnership, we're all about making life better for women and families.

NPWF Condemns Trump Administration’s Threat to Close the Department of Education

National Partnership for Women & Families Asks Court to Protect HIPAA Reproductive Health Privacy Rule

NPWF President on Acting EEOC Chair’s Power Grab: “Attempting to Bully, Intimidate Law Firms Only Deepens Growing Mistrust”

NEWS: Texas’ first abortion arrests stem from monthlong attorney general investigation

Women’s share of the veteran workforce is at an all-time high – but Trump’s policies threaten their success

NEWS: Abortion pill prescriptions are now being tracked in parts of the US – with help from a little-known tech company

What’s the Wage Gap in the States?

The Wage Gap #IRL (In Real Life) for Women of Color: Groceries, Child Care and Student Loans