[Skip to Navigation]
Sign In
JAMA Forum
June 30, 2022

Protecting the Privacy of Reproductive Health Information After the Fall of Roe v Wade

Author Affiliations
  • 1Department of Obstetrics and Gynecology and Center for Bioethics and Social Sciences in Medicine, University of Michigan Medical School, Ann Arbor, Michigan
  • 2Stanford Law School, Stanford, California
  • 3Department of Health Policy, Stanford University School of Medicine, Stanford, California
JAMA Health Forum. 2022;3(6):e222656. doi:10.1001/jamahealthforum.2022.2656

The Supreme Court’s decision in Dobbs v Jackson’s Women’s Health Organization, eliminating federal protection for abortion rights recognized since 1973 in Roe v Wade, will trigger the adoption and enforcement of numerous state laws banning or restricting abortion. The most pressing concerns for physicians and health care facilities are how to minimize these laws’ adverse effects on patients and provide quality reproductive health care within legal limits.1 Yet, another vital issue also merits attention: How can clinicians and facilities protect their patients—and themselves—from having reproductive health information used to incriminate them?

New abortion restrictions may clash with privacy protections for health information in 3 ways. And despite popular misconceptions about the breadth of the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) and other information privacy laws, current federal law provides little protection against these scenarios.

First, using a patient’s medical records to support legal action against those seeking, obtaining, or abetting an abortion may be possible. HIPAA protects individually identifiable health information in electronic records controlled by a “covered entity” (a clinician or facility, health plan, or health care clearinghouse) against disclosure without the patient’s authorization, but it contains notable exceptions. These include reporting child abuse or neglect to an “appropriate government authority”; responding to a court order, subpoena, or discovery request for information relating to a lawsuit; and giving information to law enforcement officials “as required by law.” Thus, HIPAA does not bar compliance with child abuse or neglect reporting requirements, nor will it shield entities that defy investigative demands for information for law enforcement or other legal purposes.

Nor do other legal rules predictably provide protection. Securing a search warrant in conformance with the Fourth Amendment requires only “probable cause” to believe the search will uncover evidence of a crime. Subpoenas can be quashed if they are unreasonable or overbroad, but these are notoriously loose requirements. Thus, law enforcement officials may be able to use a subpoena to obtain patients’ medical records related to abortions. State statutes generally designate confidential communications or other information arising within a patient-physician relationship as privileged and therefore inadmissible in legal proceedings. However, this privilege is not absolute, its scope varies greatly across states,2 and in many cases medical record information has been successfully used to substantiate a criminal charge, such as child abuse.3 Thus, there is substantial uncertainty about how courts will address assertions of physician-patient privilege relating to reproductive health care records. Indeed, when former Attorney General John Ashcroft sought hospital records of late-stage abortions when defending the Partial-Birth Abortion Ban Act of 2003, 3 reviewing courts all reached different decisions.4

A second privacy concern is the potential use of health care facility records to incriminate an institution or its clinicians for providing abortion services. Relevant records could include electronic health records, employee emails or paging information, and mandatory reports to state agencies. Furthermore, HIPAA permits disclosure of protected health information to a health care regulatory agency in connection with civil, administrative, or criminal investigations or disciplinary actions relating to a practitioner’s or facility’s health care provision—for instance, a state board of medical licensing investigating whether a physician provided illegal abortions.

Many clinicians may not realize that if they are using an institutional email address or server, their institution likely has direct access to information and communications stored there, which can be used to search for violations. State Freedom of Information Act (FOIA) laws also allow citizens to request “public records” related to an official function from employees of government hospitals and clinics. Although exceptions exist for information that would invade an individual’s privacy (eg, individual patient medical information), FOIA requests could sweep in email discussions regarding the provision of abortion care generally. As to mandatory reporting, most states require facilities to send detailed data on the volume and nature of abortion services provided, and some require the reason for providing abortions. Although patients’ names are removed, many potentially identifying characteristics remain. This information, too, is useful for law enforcement and may be subject to FOIA requests. In addition, state mandatory reporting laws for child abuse might be interpreted to cover abortions—particularly if life is defined as beginning at fertilization.

A third concerning scenario is that information generated from a person’s online activity could be used to show that they sought an abortion or helped someone do so. Much reproductive health information is collected and shared through websites and apps that are not HIPAA-regulated or protected by physician-patient privilege, such as period tracking apps (used by millions of US women) that collect information on timing of menstruation and sexual activity5 and on reproductive health information construed from shopping data. There are many instances of internet service providers sharing user data with law enforcement6 and prosecutors obtaining and using cell phone data in criminal prosecutions.7 Commercially collected data are also frequently sold to or shared with third parties. Even putatively deidentified data often contain sufficient information to reidentify individuals or facilities when triangulated with other data. Thus, pregnant persons may unwittingly create incriminating documentation that has scant legal protection and is useful for enforcing abortion restrictions. A 2021 Texas law awards citizens who file successful lawsuits against someone who performs or abets an abortion a $10 000 bounty, putting a direct value on pregnancy information. Some lawsuits have already been filed.

How can clinicians and health care facilities protect their patients and themselves? First, when counseling patients of childbearing age about reproductive health issues, clinicians should explain the risks of generating pregnancy-related information online. For tips on minimizing their digital footprint, patients can be referred to expert organizations. Clinicians also should not presume that more clinical documentation is always better for managing medicolegal risk. Recording less information may be more protective and prevent information from being used in unwanted ways—for example, not speculating about whether a miscarriage was spontaneous when a patient presents in the emergency department with vaginal bleeding. When documenting reproductive health encounters, clinicians should ask themselves: “What information needs to be in the medical record to assure safe, good-quality care, buttress our claim for reimbursement, or comply with clear legal directives?”

Using email and texting with awareness that messages may be seen by others is also important. Clinicians should avoid word choices that could be construed as evidence of illegal activity. Generally, legally complex conversations are best conducted in person or by phone. And if abortion-related patient information is sought by state law enforcement officials, a facility’s legal counsel should be consulted about asserting physician-patient privilege and determining whether the disclosure is mandated, or just permitted, by law. This professional privilege must be actively asserted to protect evidence from being admitted, and physicians and their counsel are better positioned to advocate for it than patients.

Ultimately, broader information privacy laws are needed to fully protect patients and clinicians and facilities providing abortion services.8 California recently expanded protections for commercially collected personal information9 and has been enforcing protections related to reproductive health data. Comprehensive federal digital privacy legislation is reportedly inching closer to bipartisan agreement in the Congress. As states splinter on abortion rights after the Dobbs Supreme Court decision, the stakes for providing robust federal protection for reproductive health information have never been higher.

Back to top
Article Information

Published: June 30, 2022. doi:10.1001/jamahealthforum.2022.2656

Correction: This article was corrected July 19, 2022, to change the word “Information” in the second sentence in the second paragraph to “Insurance.”

Open Access: This is an open access article distributed under the terms of the CC-BY License. © 2022 Spector-Bagdady K et al. JAMA Health Forum.

Corresponding Author: Michelle M. Mello, JD, PhD, MPhil, Stanford Law School, 559 Nathan Abbott Way, Stanford, CA 94305 (mmello@law.stanford.edu).

Conflict of Interest Disclosures: Dr Spector-Bagdady reported receiving grants from the National Institutes of Health; receiving personal fees from Duke University, the Patient-Centered Outcomes Research Institute, Tufts University (Wellforce), Baylor University, Ohio State University, the American Society for Reproductive Medicine, and the University of Pennsylvania; and receiving nonfinancial support from American Society for Bioethics and Humanities. Dr Mello reported serving as an advisor to Verily Life Sciences on a product designed to facilitate safe return to work and school during COVID-19.

Harris  LH.  Navigating loss of abortion services—a large academic medical center prepares for the overturn of Roe v Wade.   N Engl J Med. 2022;386(22):2061-2064. doi:10.1056/NEJMp2206246PubMedGoogle ScholarCrossref
Thomson Reuters. Maintaining privacy of health information: 50 state surveys. Updated October 2021. Accessed June 16, 2022. https://legal.thomsonreuters.com/en/products/westlaw/50-state-surveys
Physician-patient privilege as extending to patient’s medical or hospital records, 10 ALR 4th 552 (2022).
Silfen  M.  I want my information back: evidentiary privilege following the partial birth abortion cases.   J Health Law. 2005;38(1):121-135.PubMedGoogle Scholar
Fowler  LR, Gillard  C, Morain  SR.  Readability and accessibility of terms of service and privacy policies for menstruation-tracking smartphone applications.   Health Promot Pract. 2020;21(5):679-683. doi:10.1177/1524839919899924PubMedGoogle ScholarCrossref
Chin  C. What privacy in the United States could look like without Roe v Wade. Published May 25, 2022. Accessed June 28, 2022. https://www.csis.org/analysis/what-privacy-united-states-could-look-without-roe-v-wade
Bushwick  S. Yes, phones can reveal if someone gets an abortion. Published May 13, 2022. Accessed June 28, 2022. https://www.scientificamerican.com/article/yes-phones-can-reveal-if-someone-gets-an-abortion/
Cohen  IG, Mello  MM.  Big data, big tech, and protecting patient privacy.   JAMA. 2019;322(12):1141-1142. doi:10.1001/jama.2019.11365PubMedGoogle ScholarCrossref
Price  WN  II, Kaminski  ME, Minssen  T, Spector-Bagdady  K.  Shadow health records meet new data privacy laws.   Science. 2019;363(6426):448-450. doi:10.1126/science.aav5133PubMedGoogle ScholarCrossref
1 Comment for this article
Jean Crawford, MD | Industry
I wish to express to Kayte Spector-Bagdady, JD, MBE, et al my warm, heart-felt appreciation for the candor in which they discuss the perils of the HIPAA enactment. And may I add, it is about time this is brought to the forefront of healthcare and the ever growing problem of patient confidentiality.

HIPAA in actuality is the absolute and direct antithesis of what it purports itself to be to the unwitting public and unfortunately many of those who practice medicine. I have realized this since its inception, and as usual it is the pesky small print near the end
of the document that nearly no one reads where the true purpose of the legislation is summarized in a very succinct sentence or two. I have also complained to Senators, the general public, patients, and other practitioners, apparently to no avail.

If anything good can come from the recent decision to overturn Roe vs Wade, perhaps the true danger of medical records that contain potentially "labeling/naming" medical information and that can be easily accessed (in fact all medical information has the potential to be "labeling" in one context or another), in the current political climate may cause patients and medical healthcare professionals to heed your warnings and  your apt concerns; at the very least to respond appropriately while at the ballot box.

I thank you once again, keep it up!


Jean Crawford MD