5:40
News Story
States are already collecting more abortion data. And HIPAA won’t always keep it private.
As states pass laws mandating more information, experts warn of privacy concerns. (Getty Images)
Years before the Dobbs decision, providers like Dr. Kylie Cooper were already uncomfortable with some of the reporting requirements for abortion procedures in states where they practiced.
Cooper was a maternal-fetal medicine specialist for several years in Idaho before she reluctantly left the state in 2023 because of the near-total abortion ban that is now in place. But when abortion was still legal, she was required to fill out a form and submit it to the state with information about the patient and the procedure, including the physician’s name and when it occurred. While the law said that the information would be aggregated and could not identify individual patients, Cooper never felt sure about how it would be used or how secure the data would be kept.
“It was supposed to be anonymous, but they asked for patient identifiers on it, so I was like, ‘Could this get tracked back to them?’” she said.
In April, TIME magazine interviewed former President Donald Trump, who is the presumptive Republican nominee for president, about his goals in office if he is elected. He was asked whether he would be comfortable with states monitoring women’s pregnancies to determine whether someone may have received an abortion despite a ban. Trump responded that it didn’t matter if he was comfortable with it or not, because the U.S. Supreme Court’s Dobbs decision allowed states to dictate abortion policy.
Although it was posed as a hypothetical and limited to states with abortion bans, there are efforts underway at the legislative and congressional levels — and in the blueprint for the next Republican presidential administration — to track abortion and pregnancy data. Some have already become law, and some are pending in the U.S. Congress, including a bill that would mandate that the Centers for Disease Control and Prevention collect more abortion data from all 50 states. At the same time, there are renewed concerns about deceptive practices around data privacy at crisis pregnancy centers nationwide, which are receiving large infusions of taxpayer dollars from some state governments such as Louisiana, Arkansas and Kansas.
“I don’t think most people recognize the way that we are currently being surveilled in our health care system,” said Jennifer Driver, senior director of reproductive rights for a policy advocacy organization called State Innovation Exchange. “People need to be talking to their providers about what information is shared, how it’s shared, and start reading the forms.”
Patients misunderstand how protective HIPAA is, researcher says
Carmel Shachar, a Harvard law professor with research experience in data privacy and health policy, said people typically think of the Health Insurance Portability and Accountability Act — better known as HIPAA — as fully protective of medical records, but that’s not the reality.
“HIPAA is protective of what’s in your medical records, but it’s a little more like Swiss cheese than I think people understand. There are a lot of exceptions,” Shachar said.
Two of the big exceptions are for law enforcement, when it is conducting an investigation, and the other is for public health reporting, she said. Public health data reports can be positive in terms of understanding what’s happening in hospitals and clinics, but on the law enforcement end, the exception in the law could be used by state governments with anti-abortion laws to prosecute those seeking and facilitating care in other states. That’s the loophole that President Joe Biden’s administration sought to close with a recent rule that was enacted after the Dobbs decision to address patient privacy specifically around procedures related to reproductive care. It does not allow law enforcement to seek those records for that particular type of care if it was obtained in a state where it was legal.
But that hasn’t stopped one attorney in Texas from trying. Jonathan Mitchell, the state’s former solicitor general, has filed two petitions seeking legal action against women he says traveled out of state to obtain an abortion. Courts are still considering whether he can proceed with depositions against those women.
Meanwhile, 17 Democratic-led states and Washington, D.C., have passed laws protecting providers and patients from out-of-state investigations for reproductive health care and gender-affirming care. Governors in Arizona, Michigan, North Carolina, Pennsylvania and Rhode Island have also issued executive orders declaring that state agencies won’t cooperate in extraditions or investigations involving reproductive care.
Shachar said some laws are also made under the guise of public health reporting when they’re more about political tactics.
One example is a recent law passed in Kansas, where voters overwhelmingly rejected abortion bans in a 2022 referendum. Lawmakers overrode Democratic Gov. Laura Kelly’s veto at the end of April to pass House Bill 2749, which Kansans for Life asked a legislator to introduce. It requires providers to ask patients for the “most important factor” in their decision to terminate a pregnancy. Kansans for Life is the same group that led the failed referendum.
On May 20, the Center for Reproductive Rights and Planned Parenthood Great Plains announced it is challenging the law in court, adding it to an ongoing case from 2023, according to Kansas Reflector.
Although the bill says a patient can decline to answer the questions, Center for Reproductive Rights staff attorney Alice Wang said that isn’t enough, because it doesn’t require the provider to tell the patient they don’t have to answer. Especially now that patients are coming to Kansas for an abortion from states where the procedure is banned and criminalized, Wang said, the bill is designed to intimidate providers in particular, since they are the ones subject to criminal penalties, not the pregnant person.
“When patients are confronted with these questions, then that raises questions of what this deeply personal information is going to be used for in an atmosphere where anti-abortion extremists have already threatened to come after activities that should be perfectly legal,” she said.
YOU MAKE OUR WORK POSSIBLE.
The list of reasons includes whether the patient already has “enough, or too many, children,” whether they cannot provide for another child, that the pregnancy was a result of rape or incest or that it threatens their health to be pregnant. The data must be reported biannually to the legislature.
Shachar said the reporting of abortion procedures is not in itself shocking, but asking for reasons why is alarming.
“It feels like it’s trying to lay the groundwork to separate out ‘good’ or ‘permissible’ abortions from ‘bad’ abortions,” she said.
One of the reasons listed is that “The child would have a disability,” but there is no reason in the list for a pregnancy with a fatal or severe life-limiting fetal anomaly. Organizations such as Susan B. Anthony Pro-Life America and Live Action often refer to severe fetal abnormalities as “disabilities,” even if the patient chose to continue the pregnancy and the infant died hours after birth.
According to the legislation passed into law in Kansas, except in cases of medical emergencies, every patient is to be asked what the “most important factor” was in their decision to terminate a pregnancy from a list of the following:
- Having a baby would interfere with the patient’s education, employment or career
- Patient cannot provide for the child
- Patient already has enough, or too many, children
- Patient’s husband is abusive to patient or their children
- Patient’s husband or partner wants them to have an abortion
- Patient does not have adequate support to raise a child
- The pregnancy is a result of rape
- The pregnancy is the result of incest
- The pregnancy threatens the patient’s physical health
- The pregnancy threatens the patient’s emotional or mental health
- The child would have a disability
If the patient declines to answer, that response would be recorded. Each biannual report shall include:
- Number of times each reason listed was described as most important
- Number of times a patient was asked about the reasons listed and declined to answer
- Patient’s age, marital status at the time of the abortion, country of residency, race and highest level of education completed
- Whether in the month before the abortion the patient received services, financial assistance (excluding financial assistance for the abortion), or other assistance from a “nonprofit organization that supports pregnant women”
- Whether the patient reported experiencing domestic violence in the past 12 months
- Whether the patient is living in a place they consider to be safe, stable and affordable
- Whether the patient made a report of physical, mental or emotional abuse or neglect
- The method of the abortion performed
Abortion survey bill advances in New Hampshire legislature
While Kansas’ law is one of the most recent, it is not a new concept. According to the Guttmacher Institute, 15 states already require providers to gather information about a patient’s reason for seeking an abortion, with varying degrees of specificity. Many of those states now have near-total abortion bans or six-week bans, which is before many people know they are pregnant.
In Oklahoma, before its ban went into effect, reporting requirements included a list of 40 reasons that could be identified, whereas the Kansas list is 11 reasons. Seven other states that asked for reasons in their reporting requirements now have a near-total abortion ban or severe restrictions, including Arizona and Florida.
A similar reporting bill is advancing in the New Hampshire legislature, where abortion is still broadly legal, and another failed to pass in the Michigan legislature in 2023. In Indiana — a state with a near-total ban — an anti-abortion group is suing the state to make abortion records public information.
Another misunderstanding of HIPAA, according to Shachar, is that people can’t be identified through public health information as long as enough data points are removed.
“That theory is totally wrong,” she said.
She pointed to a story from 1997, one year after HIPAA became law, when a computer scientist named Latanya Sweeney was able to identify the medical records of the governor of Massachusetts at the time even though the dataset she was working from had been de-identified.
“It makes it more difficult to figure out who we’re talking about, but it doesn’t make it impossible, especially if someone is motivated to re-identify the data,” Shachar said.
Heritage Foundation outlines steps to federal abortion regulation
There are also national policy advocates prescribing the next actions to take in the fight over abortion rights. A document produced by conservative interest group the Heritage Foundation called Project 2025 details a wish list of priorities and approaches for many sectors of the federal government to be carried out by the next Republican president. The document, called “Mandate for Leadership, The Conservative Promise” is 920 pages and references abortion nearly 200 times.
Project 2025’s advisory board includes staff from the Alliance Defending Freedom, a religious conservative law firm that represented the clients at the center of the Dobbs decision overturning Roe v. Wade, and is arguing for the U.S. Supreme Court to restrict access to mifepristone, part of a two-step drug regimen to terminate a pregnancy. The firm’s senior counsel, Erik Baptist, is listed as a contributor to the document.
The board also includes anti-abortion groups such as the Family Research Council, the Family Policy Alliance and Susan B. Anthony Pro-Life America. As part of its overall guidance, the document calls for the next Republican president to remove all references to abortion and reproductive health and appears to suggest a nationwide abortion ban.
Driver, senior director of reproductive rights for State Innovation Exchange, said Project 2025 is the foundation for the recent state-level legislation.
“It would be na?ve to think this was not a design behind those with Project 2025,” Driver said. “Even if there’s not this conservative federal administration that comes, we’re already seeing Project 2025 elements and have for a long time at the state level.”
The plan states that federal abortion reporting data is “woefully inadequate.” California, Maryland and New Hampshire, where abortion access is broadly legal, do not submit abortion data to the federal government at all. The plan’s authors contend all 50 states must mandatorily report to ensure reliable public health and policy.
“Because liberal states have now become sanctuaries for abortion tourism, (the agency) should use every available tool, including the cutting of funds, to ensure that every state reports exactly how many abortions take place within its borders, at what gestational age of the child, for what reason, the mother’s state of residence, and by what method,” the plan states.
Project 2025 suggests rescinding HIPAA rule regarding abortion investigations?
Republican South Carolina Rep. Ralph Norman introduced a bill in Congress in January 2023 — about nine months after the Heritage Foundation established Project 2025 — that would require the Centers for Disease Control and Prevention to fulfill those data-tracking plans. It’s titled the “Ensuring Accurate and Complete Abortion Data Reporting Act of 2023,” and contains the exact language used in Project 2025’s outline. The bill has 29 co-sponsors and the support of the anti-abortion organizations on Project 2025’s advisory board. It has not advanced in the Subcommittee on Health. In a statement, Norman said current data collection “severely underestimates the number of abortions taking place” and tax dollars are being allocated to family planning programs without clear data.
Mandatory factors for reporting would include the pregnant person’s age, race, ethnicity and state of residence, the “abortion method type,” the person’s marital status, and the number of times they have been pregnant, including the number of previous live births, induced abortions and miscarriages.
Those factors — except for the number of previous abortions and miscarriages, which was less common — have been part of the data the CDC collected for many years, but the reporting was voluntary. What’s new is that the required data would also have to indicate “whether the child survived the abortion.” The agency head could also add questions at any time, according to the bill text. All states would have to report this data or lose federal Medicaid funding for family planning services.
The document’s authors also call for the federal government to rescind the HIPAA rule protecting those who seek abortion procedures in legal states from law enforcement action. Project 2025 calls the rule a “politicized statement in favor of abortion and against Dobbs.”
Crisis pregnancy centers imply they are subject to HIPAA law, but most are not
Amid the passage of new laws like the one in Kansas, an organization called the Campaign for Accountability filed complaints in April with attorneys general claiming that crisis pregnancy centers in five states — Idaho, Minnesota, New Jersey, Pennsylvania and Washington — are using deceptive language about HIPAA. Crisis pregnancy centers are often formed as nonprofit organizations with a stated mission to support pregnant women who are unexpectedly pregnant and a goal of dissuading them from seeking an abortion. Many of the centers have been criticized for promoting or providing false information related to abortion, such as claims that having an abortion increases a person’s risk of cancer or future fertility issues, or that the abortion pill is dangerous.
The centers almost always offer their services for free, which means they do not bill insurance providers and are therefore not subject to penalties under the federal HIPAA law for disclosing a patient’s health information. However, some of the centers claim on their websites that they are required by law to keep health information protected.
One of the clinics named in a complaint filed with the attorney general’s office in Pennsylvania uses the same type of language in the notice of privacy practices portion of the website. There are links to the federal HIPAA informational page, with one reference stating a person can file a complaint with the HIPAA office if they feel their data privacy was violated. Another section states the organization is “required by law to maintain the privacy and security of your protected health information” with a link to the HIPAA website.
The Pennsylvania clinic is part of a network of crisis pregnancy centers called Heartbeat International, one of two organizations targeted by the complaints, with Care Net being the second. Heartbeat has more than 2,000 affiliates in the U.S., and Care Net has 1,200.
Heartbeat International told States Newsroom in an email that while the organization could not speak for individual affiliates, all affiliates in the network adopt a commitment to hold client information in “strict and absolute confidence” and is only disclosed when required by law or “when necessary to protect the client or others against imminent harm.”
“Pregnancy help centers provide that protection to their clients, even when the law does not explicitly require them to do so,” said Andrea Trudden, vice president of communications for Heartbeat International. “Confidentiality is of the utmost importance to pregnancy help centers, and the forms women sign before receiving services provide them legal protection of their confidential information. Pregnancy, abortion, STDs/STIs, and other circumstances that might bring a woman to a pregnancy help center or abortion facility should be handled with the greatest confidentiality.”
Trudden added that the Next Level CMS system uses the same software platforms used by hospitals and doctor’s offices nationwide.
Michelle Kuppersmith, executive director of the Campaign for Accountability, said some of the centers state they can disclose health information for “moral reasons.” Heartbeat International also maintains a data management system called Next Level CMS for all of its centers, which it says follows privacy standards according to HIPAA law.
“Our fear is that the data collected at these centers are laddering up to much more sophisticated operations,” Kuppersmith said. “Every single woman who is thinking about going to one of these places because it seems like a friendly place should know that their personal health information is not required by any federal medical law to be protected, and they should be enormously careful what information they give to these places.”
GET THE MORNING HEADLINES.
Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our website. AP and Getty images may not be republished. Please see our republishing guidelines for use of any other photos and graphics.
Kelcie Moseley-Morris
Kelcie Moseley-Morris is States Newsroom's national reproductive health reporter.