Traveling for abortions and the reality of data privacy across state lines

In the United States, the necessity for patients to travel across state lines to obtain abortion services has dramatically increased following the Supreme Court’s Dobbs v. Jackson Women’s Health Organization decision in 2022. The ruling returned the authority to regulate abortion to individual states, leading to a patchwork of laws where many states, particularly in the South and Midwest, have enacted near-total or highly restrictive abortion bans.

A BMC Health Services Research study on the topic of abortion care and the real trade offs that come with traveling for out of state abortions notes, “Prior to the Court’s ruling, approximately 10% of all people who obtained an abortion—and 15% of those living in states with restrictive abortion laws – traveled across state lines for care [1]. Following the Supreme Court’s decision, the overall number of people who obtained out-of-state abortion care doubled from one in ten to one in five [2].”

Patients residing in these states are compelled to travel to states where abortion remains legal, such as California, New York, or Illinois, to access care. Beyond practical challenges, traveling across state lines for abortion care raises profound concerns regarding patient data privacy and the potential for litigation. When patients seek care out-of-state, their sensitive health information is generated and stored in multiple jurisdictions with varying legal protections. 

States with restrictive abortion laws have increasingly sought to use data to identify individuals who obtain abortions, even if legally performed elsewhere, by subpoenaing medical records, travel data, or digital footprints. 

Patchwork legality and state-level abortion bans 

The United States operates under a federalist legal system where sovereignty is constitutionally divided between the federal government and individual states. The federal government enacts laws and interprets the Constitution through the Supreme Court, while states retain broad powers to regulate health, safety, and welfare within their borders, including medical procedures like abortion. 

According to a study titled ‘Forecasts for a post-Roe America: The effects of increased travel distance on abortions and births’ published in the Journal of Policy and Management, “Within hours “trigger bans” designed to take effect with Roe’s demise began to shutter abortion\ facilities in some states, while in others, facilities closed due to uncertainty about the enforcement of pre-Roe bans that remained on the books or the threat of impending new bans (Bui et al., 2022). 

At present, bans enforced in 14 states have increased driving distances to the nearest abortion facility for nearly one-quarter of U.S. women of reproductive age (Figure 1). The landscape remains unstable, but when the dust settles from ongoing legislative activity and legal challenges, abortion is likely to be banned in about half of American states (Center for Reproductive Rights, 2022; Nash & Cross, 2022), causing more than two-fifths of American women of reproductive age to experience increased distance to abortion facilities.”

The 2022 Dobbs decision fundamentally altered this landscape by explicitly overturning Roe and Casey, holding that the Constitution does not confer a right to abortion. This ruling returned regulatory authority over abortion to the states, triggering a wave of legislative activity. 

Many states immediately enacted or enforced pre-existing “trigger laws” banning abortion outright or severely restricting it, while others strengthened protections for abortion access. The result is a highly fragmented legal environment where abortion rights and restrictions vary dramatically by state.

The boundaries that HIPAA sets for healthcare records

In response to Dobb’s, the Biden administration introduced a new Reproductive Privacy Rule in 2024, enhancing HIPAA's provisions to prevent the disclosure of protected health information related to reproductive health care, including abortions. According to Jennifer Klein, the director of the White House Gender Policy Council the reason for this was improved care, “No one should have their medical records used against them, their doctor or their loved one just because they sought or received lawful reproductive health care,” This rule prohibits health care providers and insurers from sharing such information with law enforcement or state officials for investigations or prosecutions, particularly when the care was legally obtained in another state.

Despite these strengthened protections, challenges remain. Law enforcement agencies can still access medical records through subpoenas, court orders, or administrative requests, which may not require a warrant. The rule's protections do not extend to abortions performed in states where the procedure is banned, leaving patients and providers in those areas vulnerable. The widespread use of electronic health records and digital health applications raises concerns about indirect disclosures of reproductive health information. 

Digital footprints that go beyond the clinic

According to a University of Chicago Law School working paper published by Aziz Z. Huq and Rebecca Wexler in 2022, “We show that search firms, social media, data brokers, and platforms—indeed any firm with a digital footprint falls into the scope of what we call a “digital” or a “technology” firm—will have to make fraught choices post-Dobbs. The modal response of tech firms to date has been to suggest they will firmly defend their employees’ access to reproductive services, but not their users’.44 This line is untenable. Worse for tech companies hoping to avoid taking a position, we demonstrate that private firms will not be able to use geographic boundaries to demarcate zones of compliance.”

Digital footprints related to abortion care extend far beyond the physical clinic and encompass a broad range of online and mobile activities that generate data about individuals’ reproductive health decisions. These include internet search histories where patients research abortion options, clinic locations, or medication abortion protocols; online appointment scheduling systems; telemedicine consultations conducted via video or chat platforms; and digital communication with abortion funds or support groups. 

Smartphones and wearable devices continuously collect geolocation data that can reveal travel patterns to abortion clinics or pharmacies. Social media interactions, including posts, messages, or engagement with reproductive health content, also create digital traces. Payment methods such as credit card transactions or mobile payment apps leave financial footprints linked to abortion services or travel expenses. 

Many of these digital footprints are collected and stored by private companies that are not covered by healthcare privacy laws like HIPAA, making them vulnerable to data mining, sale, or legal requests. 

The legislative impact of jurisdiction 

A notable case involves Dr. Joan Carpenter, a New York-based physician under investigation in Louisiana for allegedly prescribing abortion pills to a woman who was 20 weeks pregnant. This marks the second time Louisiana authorities have investigated Carpenter for violating the state's strict abortion laws, which prohibit nearly all abortions without exceptions for rape or incest. Carpenter is already facing criminal charges in Louisiana and a civil suit in Texas for similar actions. Both states are attempting to extradite Carpenter, but New York officials have denied their requests, citing the state's telehealth shield laws that protect providers who prescribe abortion medications to out-of-state patients. 

As states criminalize women for self-managing abortions, prosecutors can access an array of surveillance technologies to investigate them. Authorities prosecuting abortion-related criminal cases have been relying on personal digital data, including geolocation, web searches, and text messages. 

Related: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQs

Does HIPAA protect abortion-related information if the abortion is obtained out-of-state?

Yes. The 2024 HIPAA Privacy Rule explicitly prohibits covered entities from disclosing PHI for criminal, civil, or administrative investigations aimed at penalizing individuals for obtaining or providing lawful reproductive health care, even if the patient’s home state bans abortion.

Are there any exceptions to these HIPAA protections for reproductive health information?

The rule focuses on prohibiting disclosures related to investigations or liability for the mere act of seeking or providing lawful reproductive health care. It does not limit disclosures required by other laws, such as mandatory reporting of child abuse, public health surveillance, or investigations unrelated to reproductive care.

Does HIPAA cover all digital information related to reproductive health?

No. HIPAA protections apply only to covered entities such as healthcare providers, health plans, and healthcare clearinghouses. Personal health information shared outside of these settings-such as data from period tracking apps, social media posts, internet searches, or text messages-is not protected by HIPAA.

When will the new HIPAA Privacy Rule changes take effect?

The final rule was issued in April 2024, took effect on June 25, 2024, and enforcement began December 23, 2024. Covered entities are required to update their Notice of Privacy Practices by February 16, 2025, to reflect the new protections for reproductive health information.