Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

The hidden vulnerabilities in sharing reproductive health information

Written by Kirsten Peremore | April 20, 2025

Following the overturn of Roe v. Wade, the privacy of healthcare data has been subject to multiple legislative adjustments. According to a conference paper ‘Teen Reproductive Health Information Seeking and Sharing Post-Roe’ from the 2024 Proceedings on Human Factors in Computing Systems held in Honolulu, “Since the Dobbs v. Jackson Supreme Court decision that overturned the right to abortion guaranteed by Roe v. Wade, teens (as well as anyone who can become pregnant) are facing further restrictions and uncertainty around abortion access and related healthcare information.” 

The fear of data misuse or subpoena by law enforcement in restrictive states has increased caution in data sharing practices. Providers may limit the amount of reproductive health information documented or shared electronically to protect patient privacy. 

However, this can impact the continuity and quality of care. The lack of comprehensive federal protections for reproductive health data outside traditional healthcare settings complicates data sharing further. Studies show that reproductive health data is particularly vulnerable because it can be exploited for legal actions against individuals, making secure and minimal data sharing necessary in clinical practice.


Issues with FemTech and reproductive health apps 

FemTech apps, which include period trackers and fertility monitors, present critical privacy challenges. The above-mentioned conference paper states, “The abortion bans that are increasingly adopted in States in the U.S. have raised concerns about privacy and have had chilling effects on technology use for people who are, or may become pregnant.”

Many apps collect extensive personally identifiable information (PII) and sensitive health data without clear, informed user consent. Privacy policies are often lengthy, vague, or contradictory, bundling consent for data sharing with general terms of use, which undermines meaningful user control. 

According to the study ‘Privacy and Security of Women’s Reproductive Health Apps in a Changing Legal Landscape’ by Texas A&M University’s Shalini Saini and Nitesh Saxena, “Our research reveals that many of these apps gather personally identifiable information (PII) and sensitive healthcare data. Moreover, around 85% of the app privacy policies examined lack explicit mention of security measures, despite the sensitivity of health data. Furthermore, our analysis identifies that 61% of the code vulnerabilities found in the apps are classified under the top-ten Open Web Application Security Project (OWASP) vulnerabilities.”

Many apps share data with third parties such as advertisers and data brokers without explicit user permission, violating principles of transparency and consent. Additionally, poor data management practices, including inadequate encryption and failure to allow users to delete or control their data, exacerbate risks. Vulnerabilities in app code further expose users to unauthorized access and data breaches. 

These issues are compounded by the lack of regulatory oversight specific to FemTech, leaving users exposed to exploitation and privacy violations, especially in jurisdictions with restrictive reproductive rights.


Limitations of HIPAA in covering reproductive health apps 

HIPAA primarily protects health information handled by covered entities such as healthcare providers and insurers but does not extend to most consumer health apps, including many FemTech products. This gap leaves sensitive reproductive health data collected by apps vulnerable to misuse and unregulated sharing.

A 2024 faculty article by Stacey A. Tovino, published by the University of Oklahoma College of Law, describes the origin and function of the rule: “As the number of abortion-restricting laws continues to grow in the wake of the Supreme Court's ruling in Dobbs v. Jackson Women's Health Organization, law enforcement officers are increasingly interested in obtaining and using reproductive health information for law enforcement purposes. Although physicians and other covered entities generally are required to keep protected health information (PHI) confidential under the Health Insurance Portability and Accountability Act Privacy Rule, a number of regulatory exceptions historically have permitted covered entities to disclose PHI for civil, criminal, and administrative investigations and proceedings.

On April 26, 2024, the Department of Health and Human Services promulgated a final rule amending certain of these exceptions. In particular, the final rule prohibits covered entities from using and disclosing PHI to conduct criminal, civil, and administrative investigations into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided. The final rule also prohibits covered entities from using and disclosing PHI to impose criminal, civil, and administrative liability on any person, or to identify any person, for the same purposes.”

The 2025 updates to HIPAA aim to address some of these limitations by expanding protections to include certain digital health technologies and clarifying rules around data sharing and patient rights. These changes seek to enhance transparency, require stronger security safeguards, and improve patient control over their health data. Challenges remain in enforcement and in covering the full spectrum of reproductive health data generated outside traditional healthcare settings.


Role of FTC in regulating sensitive health data

The FTC enforces laws against unfair or deceptive practices, including unauthorized data sharing and inadequate privacy protections. It has taken action against reproductive health apps that sell or share user data without consent, imposing penalties and requiring changes to privacy practices. The FTC’s oversight helps fill regulatory gaps by holding companies accountable for protecting consumer health information and ensuring truthful disclosures. 

However, the FTC’s authority is reactive and exercised case by case. One such case is the FTC action against the popular period tracker Flo. The FTC brief on the matter notes, “Despite promising to keep users’ health data private, Flo shared sensitive health data from millions of users of its Flo Period & Ovulation Tracker app with marketing and analytics firms, including Facebook and Google.” The corrective action the FTC requires depends on the nature of the violation, and the decision closes with the following view: “The Commission noted that it is currently undertaking a review of the Health Breach Notification Rule, and is actively considering public comments regarding the application of the Rule to mobile applications and other direct-to-consumer technologies that handle consumers’ sensitive health information.”


Loopholes in shield laws and the risk of law enforcement accessing reproductive health data

According to the journal article ‘Understanding Shield Laws’ published in the Journal of Law, Medicine & Ethics, “In anticipation of extraterritorial application of antiabortion laws, many states have enacted laws that attempt to shield abortion providers, helpers, and patients from civil, professional, or criminal liability associated with legal abortion care.” Shield laws are designed to protect reproductive health information from law enforcement subpoenas. Many do not cover data held by third-party app providers or data brokers, leaving users vulnerable to surveillance. 

Law enforcement agencies can often obtain data through warrants or subpoenas from companies outside healthcare’s traditional regulatory scope. A thesis by Sophia Fetrow submitted to W.A. Franke Honors College examined practical cases in the wake of the Dobbs decision, which overturned Roe v. Wade: “Although police used a warrant to access the Burgess' private communications, law enforcement can access potentially incriminating information without ever seeking a warrant—or placing someone under formal investigation…Police departments have begun purchasing commercial data from data brokers and private companies to indiscriminately surveil every single person in their jurisdiction at all times. Police departments can access private, intimate information that most individuals never expect anyone, much less law enforcement, to see.”

Additionally, inconsistent definitions of protected data and limited geographic reach weaken these laws’ effectiveness. This creates a risk that sensitive reproductive health information can be accessed and used in criminal investigations, particularly in states with restrictive abortion laws. 


How secure communication benefits reproductive health data

HIPAA compliant email ensures that PHI is encrypted both in transit and at rest, making it unreadable to unauthorized parties such as hackers, internet service providers, or even email service administrators. 

This level of security is critical for reproductive health data, which is highly sensitive and can have serious legal and social consequences if exposed, especially in the current US context where reproductive rights are under heightened scrutiny. Secure email also supports confidentiality by restricting access to authorized healthcare providers and patients only, thereby reducing the risk of inadvertent disclosure.


FAQs

What are the risks associated with geofencing in relation to reproductive health data?

Geofencing technology can track individuals' locations and may expose them to targeted advertisements or legal scrutiny based on their reproductive health choices. In states with restrictive abortion laws, this data can lead to harassment or criminal prosecution for individuals seeking care.


What changes were made to the HIPAA Notice of Privacy Practices (NPP) regarding reproductive health?

The Final Rule requires covered entities to update their NPPs to include descriptions and examples of prohibited uses and disclosures of reproductive health PHI, and to inform patients about their rights and protections under the new rule. These updates must be implemented by February 2026 for group health plans.


What should patients do to protect their reproductive health information?

Patients should ask whether their healthcare provider or app is covered by HIPAA, review privacy policies carefully, limit sharing sensitive information on non-covered platforms, and use secure communication channels. Awareness of state laws and potential risks is also important.


What are the compliance deadlines for the new HIPAA reproductive health privacy protections?

The Final Rule became effective June 25, 2024, with most compliance obligations required by December 23, 2024. Updates to notices of privacy practices must be completed by February 16, 2026.