The Record: “Some CPCs are still misleading women about whether their confidential information is protected under the federal health privacy law, say data privacy, consumer protection and reproductive rights advocates. ”
WASHINGTON, DC – A new exposé from investigative outlet The Record reveals many Unregulated Pregnancy Clinics (UPCs), otherwise known as crisis pregnancy centers, continue to falsely imply that they are governed by the Health Insurance Portability and Accountability Act (HIPAA), despite clear federal guidance stating otherwise.
In November 2024, the Department of Health and Human Services (HHS) issued guidance confirming most CPCs are not subject to HIPAA because they do not electronically transmit health information for clinical care, and therefore do not qualify as “covered entities.” Following that guidance, Heartbeat International and NIFLA told member clinics to remove references to HIPAA from their materials. However, The Record details that many UPCs have failed to make these changes.
The article, based on a months-long review of UPC websites and intake forms, shows many clinics still include HIPAA references in privacy policies, signage, and consent forms. This practice misleads people into believing their sensitive health information is protected under federal law, when in reality it furnishes openly accessible “data mines” for anti-choice organizations like Heartbeat International and the National Institute of Family and Life Advocates (NIFLA). Additionally, Debra Rosen, Executive Director of Reproductive Health and Freedom Watch, warned that if government officials such as a state’s attorney general “wanted that information in order to prosecute women or their partners or whoever’s helping them get an abortion,” there’s nothing legally stopping them from coordinating with UPCs for that express purpose.
Read Below:
The Record: Despite changes, crisis pregnancy centers still attract scrutiny over HIPAA promises
- Some CPCs are still misleading women about whether their confidential information is protected under the federal health privacy law, say data privacy, consumer protection and reproductive rights advocates. It’s a claim backed up by spot checks of several CPC websites previously cited by those groups and revisited by Recorded Future News.
- The advocacy groups worry about CPC visitors who share their abortion histories and plans for current pregnancies — particularly given the increasing criminalization of abortion by state governments and the fact that Heartbeat in particular promotes a database that its own board chair has called a “data mine.” In recent months, the advocacy groups have been ratcheting up pressure on state attorneys general to rein in the CPCs that continue to claim HIPAA adherence, sometimes prominently, even after the HHS, Heartbeat and NIFLA guidance was issued. Data privacy, reproductive rights and consumer protection advocates jointly appealed to 15 state attorneys general to crack down on misleading HIPAA claims they found on dozens of CPC websites in late winter of 2024 and early spring of this year.
- The lack of clarity about what CPCs are doing with the data they collect, whom they may be sharing it with and why they collect so much is what drove the Electronic Frontier Foundation’s legal director, Corynne McSherry, to appeal to several of the state AGs for help, she said. “It’s a scandal, frankly,” said McSherry, whose organization focuses on data privacy and digital freedoms. “It’s so important for the AGs to do some investigation here because the fact is that ordinary humans don’t have the same ability to … go behind the curtain and figure out what’s going on, who’s communicating with whom [about women’s data] and how. EFF is not backing away from this fight and is exploring additional ways to ensure that CPCs protect client privacy.”
- Since Dobbs, some anti-abortion law enforcement officials have suggested that they would like to reach across state lines to access private health records. Such moves would threaten women’s safety, deter care and weaponize data to criminalize those seeking legal abortions beyond their state’s borders, according to Debra Rosen, executive director of Reproductive Health and Freedom Watch. CPCs are “sitting on a ton of data,” said Rosen. “That is not legally protected, and if any attorney general wanted that information in order to prosecute women or their partners or whoever’s helping them get an abortion, it would appear that it is totally available to them.”
- Many CPCs, which largely operate unregulated at the state or federal level, routinely collect deeply personal information — often including reproductive health information, details about past abortions, abortion intentions for current pregnancies and even the names of loved ones likely to support their pregnancy decisions, Rosen said. Abortion-rights advocates say that CPCs often intentionally leave women with the impression that they are full-scale medical clinics, even though those advocates say the facilities typically lack on-site medical directors. Rosen recently published an opinion article arguing that as a “sprawling system of pseudo-health care” providers, the centers operate without proper medical oversight yet feature staffers wearing white coats and performing ultrasounds on their websites.
# # #