In December 2024, Texas Attorney General Ken Paxton sued a doctor in New York for mailing abortion medication to a pregnant woman in Texas. While the doctor is protected under New York’s shield law, which shields healthcare providers who prescribe and mail abortion medications to patients located in states with severe abortion restrictions, the case underscores the risks women and their providers face in the wake of an overturned Roe v. Wade. These risks are amplified by the widespread availability of reproductive health data from entities not covered by the Health Insurance Portability and Accountability Act (HIPAA), such as data from wearable devices and geolocation data, and the absence of a federal comprehensive privacy law to protect it. Regardless of where you land on the abortion issue, the resulting confusion around privacy rights across state borders that arises as states take different approaches to abortion restrictions intensifies the need for a national privacy framework that applies across states. The enactment of a federal, comprehensive, preemptive privacy law would strengthen and clarify protections that apply to health data and access to care, enable the flow of health information across state borders, and simplify compliance requirements for small businesses.
While 19 states have passed comprehensive privacy laws and others have passed laws protecting health data, the fragmented privacy landscape leaves women in many states without adequate protections for their health data. Every time women in these states use a menstrual tracking app or carry a phone that records their location, they create digital evidence that could potentially be used to investigate them, their healthcare providers, or any of the digital services they use if they are suspected of receiving an abortion. A federal comprehensive privacy law would address the gaps created by differing state laws, establish uniform protections for women’s health data nationwide, and ensure that all women, regardless of where they live, can safely access digital health tools.
Further, a comprehensive privacy law could address challenges related to the interstate flow of health information and medical records. In the absence of a law protecting health data outside the scope of HIPAA, uncertainty and costly potential liability will continue to cast a shadow over consumer health services. Even healthcare providers—though HIPAA largely covers their collection and processing of protected health information—hesitate to facilitate the transfer of health information across state lines for fear that they must later comply with interstate abortion investigations or even face liability from lawsuits from other jurisdictions. This chilling effect extends to companies managing health data, forcing them to grapple with increasingly complex decisions about data storage and compliance. To mitigate legal risks, companies may relocate data centers to states without abortion bans. These measures may also include declining to transfer reproductive health data that may or may not be subject to future investigations, creating a fragmented health data system that undermines care quality. Such a practice would require assiduously maintaining reproductive health data separately from other health information, or at least flagging it as potentially subject to future abortion investigations, hampering providers’ ability to provide comprehensive services for their patients and degrading those services for women by further fragmenting their health records.
Finally, enacting a federal comprehensive privacy law that preempts related state laws will significantly benefit small businesses in the digital health sector by replacing the current patchwork of differing state privacy laws with a unified framework. Many small businesses do not have the same resources as their larger counterparts to contend with multiple states’ privacy laws and often divert funds necessary for hiring more employees or conducting business to compliance efforts. Policymakers must not inadvertently eliminate consumers’ access to digital health services like period trackers. But the risk of doing so increases as regulatory confusion persists, preventing the introduction and maintenance of digital health tools for women. A federal standard would alleviate this burden, allowing small businesses to shift their focus from these costly efforts to driving innovation and growth.
The reversal of Roe v. Wade devolved the regulation of abortion services to states, touching off a growing patchwork of state abortion restrictions. The wide-ranging effects of these differing approaches to abortion on women’s privacy are emerging as their own, separate challenge. Both sides of the aisle generally agree that digital health services are an important part of modern healthcare. We hope the 119th Congress can find agreement that the abortion restriction patchwork presents just as big a set of problems for privacy as the patchwork of state comprehensive privacy laws. To address these interwoven issues, Congress must pass a federal privacy law that comprehensively protects Americans’ sensitive digital health data while ensuring providers can deliver care effectively and innovate without unnecessary barriers.