How Private and Protected Is Virtual Reproductive Care?

While online telehealth visits surged during the pandemic, consumers now seeking remote reproductive health services face a number of privacy and legal challenges

Illustration of a woman visiting their doctor on a laptop Illustration: Kiersten Essenpreis

As COVID-19 spread around the world, patients and providers turned to telehealth en masse, with many accessing online healthcare for the first time. Abortion care began to follow a similar pattern in December 2021, when the Food and Drug Administration said it would allow people access to what’s known as medication abortion—where pills are used to induce an abortion—via a virtual consultation with a doctor. This move permanently waived an earlier rule that required an in-person visit. 

Since then, abortion providers say demand for telehealth abortions—abortions facilitated remotely by a medical provider—has been on the rise, with many pregnant people attempting to turn to internet-based platforms dedicated to reproductive care. Now that the Supreme Court has overturned Roe v. Wade—many states have banned abortion outright, and hundreds of abortion clinics across the country are expected to shut down—that trend is likely to continue, experts say. 

More on Reproductive Health and Privacy

But the Supreme Court decision on Roe has also thrown online reproductive care into a state of confusion, with different types of online abortion providers subject to different rules and jurisdictions, leaving some virtual abortion care in a legal gray area. 

That means many of the general privacy concerns associated with online healthcare could now also have potential legal consequences for consumers when it comes to reproductive care. In many states, getting miscarriage care or even doing research online about accessing an abortion could ultimately be used against a patient, their provider, or others who assist the patient in accessing care in states where abortion is restricted or outlawed, according to experts such as David Cohen, a professor at the Drexel University Thomas R. Kline School of Law in Philadelphia, and Mary Ziegler, a professor of law at the University of California, Davis, both leading experts on the laws behind reproductive care. And the federal laws governing the treatment of sensitive medical information might not provide much protection if someone knowingly or unknowingly breaks the law.

The gulf between federal and state rules around abortion care also seems to be widening. In a July 8 announcement, President Joe Biden directed the secretary of health and human services to find new ways to protect and expand access to medication abortion. The announcement called for agencies to look into additional strategies for bolstering privacy protections around reproductive care. 

With so many people using telemedicine, here’s what you need to know generally about the privacy of sensitive health information and specifically as it now applies to telehealth abortion.

Jump to:
• How HIPAA Protects—and Doesn’t Protect—Telehealth Visits
• Legal Questions About Different Types of Telehealth Abortion Care
• How Laws Could Change and Further Affect Reproductive Telehealth Services
• Protecting Your Privacy When Seeking Medical Care Online

How HIPAA Protects—and Doesn’t Protect—Telehealth Visits

The primary law that governs the handling of medical data is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. It sets out the rules insurers and providers must follow when handling personal data, but it doesn’t cover all medical conversations. HIPAA applies only to healthcare providers, health insurance companies, and certain other entities that handle medical information, such as medical billing services, so it doesn’t generally apply to internet searches or apps, and it won’t protect someone from a court order or subpoena. HIPAA prohibits these entities from disclosing private healthcare information—such as what medication you’re taking, what surgeries you’re scheduled for, and what diagnoses you’ve received—except in very specific situations.

That also applies when it comes to reproductive care. “If an abortion provider, including a telemedicine abortion provider, takes insurance and bills insurance electronically for at least one patient, then the telemedicine provider is a covered entity and must comply with HIPAA,” says Stacey Tovino, a professor of law at the University of Oklahoma College of Law in Norman and a leading expert on bioethics and health law. Even if they aren’t governed by HIPAA, licensed nurses and doctors who don’t take insurance must comply with local medical practice laws that require certain levels of patient confidentiality.

(Read more about what HIPAA covers and what it does not.)

But there are many ways that information about an abortion or other reproductive care can be disclosed that are not covered by HIPAA. Text messages and emails to friends or family, Google searches, location data, and other types of online data are generally not protected by any privacy laws, even if you’re discussing your health or other sensitive matters. Information from these types of searches and communications can be sold by tech companies or subpoenaed by law enforcement. However, in early July, Google announced that it won’t collect location data around abortion clinics, fertility centers, domestic violence shelters, and other sensitive healthcare facilities.

Now that Roe has been overturned, things will only get murkier. For someone who lives in a state where abortion is restricted or illegal, an online conversation with a doctor—even through a HIPAA-compliant program, such as Zoom for Healthcare—may be subject to law enforcement access. That’s the case regardless of what state the doctor is licensed to practice in. 

“In general, if there’s a law in the state that requires people to notify officials if they suspect a crime occurred—you can see this with child abuse or other mandatory reporting laws—that’s an exception to HIPAA,” says Greer Donley, an associate professor at the University of Pittsburgh School of Law who studies reproductive care and abortion laws.

The Department of Health and Human Services recently published updated guidance on reproductive healthcare clarifying that HIPAA-regulated entities, such as doctors and nurses, are permitted to disclose protected health information only when presented with a court order or a warrant that’s enforceable in a court of law. 

How Laws Could Change and Further Affect Reproductive Telehealth Services

Now that Roe v. Wade has been overturned, approximately 26 states are expected to ban all abortion care, according to the Guttmacher Institute, a reproductive rights research and policy group. That means restrictive state laws may also soon go beyond policing providers, according to Donley at the University of Pittsburgh School of Law. 

Anti-abortion organizations are already advising states on further restrictions that would enforce laws on people or groups offering advice to those seeking abortions, whether online or in person. The National Right to Life Committee, the largest anti-abortion group in the country, has drafted model legislation that would make it a crime to tell a person how to seek an abortion or to host a website providing information about where people can seek abortion medication in any state that chose to adopt the legislation.

Future laws, say Donley and Cohen at Drexel University, may also target the pregnant person—someone who obtains abortion pills online directly or via a service like Aid Access, for example. This is in part because of how difficult it is for states to enforce existing anti-abortion laws when online pharmacies and providers such as Aid Access are based overseas, according to Donley. While such providers might not be vulnerable to such state laws, people in states where abortion is illegal certainly are, and may find abortion-related searches or communications they thought were private used against them in a prosecution. 

People with desired, but nonviable or medically dangerous pregnancies or miscarriage complications may find themselves targets of these laws as well. “It will become harder for patients to get care after an abortion or miscarriage, and they may be more fearful of doing so, depending on what activities a state law criminalizes,” says Allison Hoffman, a professor of law at the University of Pennsylvania Carey Law School who specializes in healthcare law and policy. 

In certain states with extremely limited access to abortion, this already occurs, according to Drexel University’s Cohen. Patients “have had to fly while they’re in the middle of miscarriage to another state to get the care they need because no Texas provider will care for them,” he says. This is in part because some of the procedures done to help a patient experiencing a miscarriage “could be seen as an abortion,” he says.

Currently, there are no states that limit physically traveling across state lines for an abortion, including a telehealth abortion, though some states, such as Missouri and Arkansas, have signaled a desire to criminalize such activities. Both Biden and U.S. Attorney General Merrick Garland have asserted that based on “bedrock constitutional principles” people must remain free to travel for their reproductive healthcare. And according to Biden’s July 8 announcement, the attorney general will also provide “technical assistance to states affording legal protection to out-of-state patients.”

Protecting Your Privacy When Seeking Medical Care Online

Consumer Reports experts have consistently argued that patients deserve to have their medical information protected. “The laws protecting patient data are outdated and out of touch with consumers’ expectations of privacy,” says Justin Brookman, director of privacy and technology policy at Consumer Reports. “We need stronger protections for sensitive health data.” In the meantime, as the landscape continues to shift for reproductive health, here are important considerations for protecting your privacy when seeking any medical care online.

Use a HIPAA-Regulated App
Among the first things you generally should do to protect your medical privacy online is ensure that the app on which you’re conversing with a provider is required to comply with HIPAA. All healthcare providers who take insurance are bound by HIPAA, Tovino says. But some platforms sell data for marketing purposes, or have otherwise lax protections, and in those situations, personal data could be sold to data brokers and thus be easily accessible to law enforcement or anybody with the cash to buy the data. 

In other words, your doctor is subject to HIPAA, but the platform on which you’re talking to them might not be. You can check this list to see if the platform your doctor uses is regulated under HIPAA (though keep in mind that the list, while extensive, is not comprehensive). If not, you can always ask your doctor to hop on the phone instead. (See our previous articles on HIPAA-compliant videochat programs and the limits of HIPAA.)

Set Up Online Privacy Tools
There are a variety of tools that can improve the privacy of any online activity. The Electronic Frontier Foundation, a privacy and technology nonprofit, recommends using private browsers, such as Firefox and the mobile-only DuckDuckGo. Using a VPN—or virtual private network—may offer some measure of privacy protection, too, because it obscures your IP address and prevents third parties from seeing what websites you visit or data you share. CR’s Brookman recommends considering the private browser Tor to minimize traces of what you’re looking for. Securing your router is another good step. The Department of Health and Human Services also provides some additional tips for securing personal data on your phone or tablet.

But it’s important to understand the limitations of all of these steps. “A VPN could shield your activity from your ISP [internet service provider], but now your VPN could know who you’re talking to,” Brookman says. For example, if your workplace provides your work computer with a VPN, your employer still has access to your browsing if it takes place on a work computer, he says. That’s one reason it’s important to do any sensitive medical searches or consultations on your own personal device, and if you’re going to use a VPN, choose one with ample privacy protections. Mullvad and IVPN are two good options, according to CR’s tests

Understand The Risks of Searches and Conversations About Reproductive Care
“Users need to think of their laptops, phones, digital assistants, home cameras, etc., as open books on their activities,” says Anton Dahbura, PhD, the executive director of the Johns Hopkins University Information Security Institute in Baltimore. “Virtually anything users do or see on their devices can be tracked later, even if the user thinks that they deleted the information.”

That’s particularly important when it comes to online activity about reproductive care, where the laws can be tricky and confusing. “The average person with a smartphone who’s thinking about getting an abortion may Google ‘abortion near me’ or ‘where’s Planned Parenthood,’ or they may direct-message someone on Facebook or Instagram,” says Ziegler, professor of law at the University of California, Davis. Though common, that sort of activity is generally not private.

Abortion-related prosecutions that rely on internet search data have happened in at least one instance, when Latice Fisher, a Mississippi woman, was indicted for murder in 2018 after losing a pregnancy. “The inclusion of Ms. Fisher’s alleged internet search history related to her reproductive health as evidence of criminal intent will become standard protocol across the country once abortion is again criminalized,” Cynthia Conti-Cook, a tech fellow at the Ford Foundation, wrote in a 2020 paper published in the University of Baltimore Law Review.

If someone is texting, emailing, or calling their medical provider about any medical care, they may want to use separate applications for these communications rather than their regular email account, their phone’s built-in messaging app, and call service. A provider may be willing to converse via an encrypted app, such as Signal, for example. You can also use Signal to chat with friends or family, but “you still need to trust the person on the other end,” Brookman says. He also recommends selecting the option to automatically delete all messages after a certain period.

Some telehealth abortion providers, including Choix and Hey Jane, let patients request communication via encrypted messaging.

Angela Lashbrook

Angela Lashbrook

I believe shopping should be fun, safe, and sustainable, and I shape my coverage at Consumer Reports around how consumers of all ages can have better shopping experiences. I’ve worked in media for seven years, and my diverse time in the industry has taught me that quality service journalism is a critical resource. When I’m not working, I’m usually reading, cooking (or, more likely, eating), and hanging out with my dog, a Libra named Gordo.