After Texas ruling, states seek to fill reproductive health data privacy gaps
In the absence of federal protections, legal experts have their eyes on state laws that dictate how companies can interact with reproductive health data.
In June 2022, the Supreme Court's decision in Dobbs v. Jackson Women’s Health Organization eliminated the constitutional right to abortion. In the wake of this decision, HHS began hearing from communities that patients needed additional protections for patient confidentiality so they could obtain reproductive healthcare without compromising their privacy.
In response, HHS issued a final rule in April 2024 that amended the HIPAA Privacy Rule to protect individuals seeking lawful reproductive care. The rule prohibited the use or disclosure of protected health information (PHI) when it is sought for the purposes of imposing criminal, civil or administrative liability on an individual who is obtaining or providing legal reproductive healthcare.
However, in June 2025, a Texas federal judge declared the rule unlawful and vacated most of its provisions, with the exception of select amendments within the rule regarding substance use disorder treatment data.
Without the rule's federal protections for reproductive health data, state laws are filling some regulatory gaps, experts say. From a compliance perspective, healthcare organizations and companies that handle this data should consider select state data privacy laws containing enhanced privacy provisions that apply to reproductive health data.
Ruling leaves gaps in reproductive health data privacy at federal level
In his ruling, Texas U.S. District Judge Matthew Kacsmaryk wrote that "HIPAA confers authority to promulgate regulations protecting 'individually identifiable health information.'"
"But it confers no authority to distinguish between types of health information to accomplish political ends like protecting access to abortion and gender-transition procedures," Kacsmaryk continued. "Thus, HHS lacks the authority to issue regulations that enact heightened protections for information about politically favored procedures."
The ruling struck down the short-lived federal protections for reproductive health data, though covered entities are still beholden to HIPAA's other provisions.
It also created confusion surrounding compliance, attorneys from the law firm Troutman Pepper Locke suggested in an October 2025 article published on the firm's website.
"The goal here was to protect people's access to this reproductive healthcare without fear of persecution. That was really kind of the known motivation behind that rule. So, it was always going to be challenged," Kaitlin Clemens, associate at Troutman Pepper Locke and one of the article's authors, said in an interview with Healthtech Security.
"So, when the Texas ruling came out and the deadline passed for HHS to appeal, you have these companies that are really kind of in this no man's land of, okay, well what do we do now? Do we have to abide by this rule? What do we do next?"
Clemens and her colleagues suggested that, in the absence of federal oversight, entities dealing with reproductive health data should turn their focus to state laws, where applicable.
"You have an interconnected web of privacy laws. You have an interconnected web of data breach statutes for every single state. Also, there are federal regulations. Really, the biggest misconception is, well, if I'm not a covered entity under HIPAA, I don't have anything to worry about," Clemens said.
"And you no longer get into this exclusionary world where you say, okay, I'm not covered by that, so I'm good. Now, you need to do a deep survey into which states you need to comply with. If they apply to you at an entity level, are you operating in that state? There's a lot of different questions that you can have that are going to impact the organization."
States to watch
Several states have enacted privacy laws in recent years that touch on reproductive health data privacy to varying degrees. California, Washington, Virginia and New York are states to watch on this front, Clemens and her co-authors stated.
"So, the patchwork of laws, it just seems to grow and multiply," Dave Navetta, partner at Troutman Pepper Locke and co-author on the firm's article, said in an interview.
"We start off with comprehensive state privacy laws that are intended to cover all kinds of personal information. And then we get to specific types of data like biometric data, personal information around AI and automated decision making and reproductive health. So, we start to splinter into millions of nodes."
In California, Assembly Bill No. 352 amended the state's Confidentiality of Medical Information Act and introduced hefty administrative fines for improper disclosure of medical information. The bill carved out specific protections for reproductive health data.
Washington's My Health My Data Act (MHMDA), which went into effect in April 2023, bolstered health data protections for Washington residents by giving individuals the right to withdraw consent and request data deletion.
In addition to requiring explicit consent to share health data for Washington residents, the MHMDA sought to protect the data of individuals who travel to Washington to seek gender-affirming and reproductive care.
Virginia's Senate Bill 754, which took effect in July 2024, amended the Virginia Consumer Protection Act to bar any entity that obtains reproductive and sexual health information from processing that information without consent. This bill includes non-healthcare organizations, such as small businesses, nonprofits, search engines or any company that uses geolocation data, creating new compliance considerations for non-HIPAA-covered entities.
"Especially in Virginia, they cover small businesses, nonprofits. It is the little guys that really need to have their ears perked up to say, okay, well, we didn't think we touched any of this data, but maybe we have a search bar where you can search for the nearest abortion clinic," Clemens noted. "Suddenly, you're put into that realm and you need to be really careful."
In January 2025, New York's Senate and Assembly passed the New York Health Information Privacy Act, a health data privacy law that aims to govern companies that sell and collect health data. If signed into law by the Governor, the provisions will apply to any entities that process regulated health information pertaining to New York residents, as well as New York-based entities that control the processing of regulated health information.
"Even a few years ago, you would be able to take that exclusionary approach and say, okay, check the box. I'm done. Wash your hands of it," Clemens noted. "But with these states stepping up and filling in and saying, okay, it's not only medical information. We're going to talk about reproductive health information. You can see that targeted approach."
Compliance in an age of uncertainty
With states taking a more prescriptive approach to reproductive health data privacy, compliance complexities are adding up. What's more, entities that aren't subject to HIPAA but still handle sensitive health data could find themselves in trouble if they are not complying with these state laws.
"It's really hard to be a hundred percent compliant with every single law, every single day. Data is so fluid, it's constantly moving," Navetta said. "Borders don't make a difference whatsoever. So, then you have to start reading tea leaves where the real risks actually reside."
Understanding which laws an entity needs to comply with and how regulators might approach enforcement is crucial to a successful compliance program.
"I think what regulators are going to care about is situations where that reproductive health information is kind of collected, aggregated, and then sold or made available to groups or regulators or even law enforcement who may use it to go after people," Navetta reasoned. "That's the thrust of these laws ultimately."
Navetta and Clemens suggested speaking with counsel and maintaining an understanding of which state laws your organization is subject to. While future federal legislation is not out of the question, state-level laws are being enacted in real time and should be carefully considered.
"I think before you see an overarching federal regulation, you're going to see more state laws filling in the gaps," Clemens predicted.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.