Despite changes, crisis pregnancy centers still attract scrutiny over HIPAA promises

In November 2024, the Department of Health and Human Services officially asserted that crisis pregnancy centers — facilities whose mission is to persuade women not to have abortions — are not covered by the federal data privacy law known as HIPAA.

The statement was a victory for data privacy, reproductive rights and consumer protection advocates, who have long held that many crisis pregnancy centers (CPCs) mislead women into believing their sensitive — and legally vulnerable — reproductive data is protected by the well-known federal statute.

Shortly after HHS weighed in, the largest CPC umbrella organization — Heartbeat International — noted the department’s letter, and by early January began advising its affiliated centers not to invoke HIPAA. A smaller CPC umbrella organization, the National Institute of Family and Life Advocates (NIFLA), issued similar guidance to its affiliates in November, according to the Heartbeat web page cautioning centers against citing HIPAA.

But Heartbeat and NIFLA’s actions weren’t the end of the story. 

Some CPCs are still misleading women about whether their confidential information is protected under the federal health privacy law, say data privacy, consumer protection and reproductive rights advocates. 

It’s a claim backed up by spot checks of several CPC websites previously cited by those groups and revisited by Recorded Future News.

The advocacy groups worry about CPC visitors who share their abortion histories and plans for current pregnancies — particularly given the increasing criminalization of abortion by state governments and the fact that Heartbeat in particular promotes a database that its own board chair has called a “data mine.” 

In recent months, the advocacy groups have been ratcheting up pressure on state attorneys general to rein in the CPCs that continue to claim HIPAA adherence, sometimes prominently, even after the HHS, Heartbeat and NIFLA guidance was issued. 

Data privacy, reproductive rights and consumer protection advocates jointly appealed to 15 state attorneys general to crack down on misleading HIPAA claims they found on dozens of CPC websites in late winter of 2024 and early spring of this year. 

While most state attorneys general have not answered the letters beyond acknowledging receipt, advocates say, Idaho Attorney General Raúl Labrador’s office did ask one CPC in June to respond to questions following a letter a consumer protection watchdog sent to his office last year.

The CPC — the Sage Women’s Center — responded to the AG’s office in July, detailing its practices and asserting that it is “most likely” not covered by HIPAA, according to a copy of an email exchange with Labrador’s office provided by consumer watchdog the Campaign for Accountability (CfA), which received it from Labrador’s staff. Sage Women’s Center did not respond to a request for comment.

Attorneys general do not make ongoing investigations public, so it is unclear if any formal probes are underway other than in New Jersey, where the state issued a subpoena to a chain of CPCs in November 2023, before the advocates’ letters were sent.

Most of the letters include screenshots showing CPC websites suggesting that the centers are covered by HIPAA. The language varies. Some CPCs say they adhere to the privacy law, a claim that is tough to verify. Others tell prospective clients they can appeal to HHS’s Office for Civil Rights if they believe their privacy rights have been violated. That’s not true. 

A spokesperson for the Department of Health and Human Services declined to comment. The Office for Civil Rights is the primary enforcer of rules under HIPAA, the 1996 federal law known as the Health Insurance Portability and Accountability Act.

A spokesperson for Heartbeat International said it has long advised affiliates that they are not covered by HIPAA, but added that headquarters sent them “additional guidance” after learning of the November HHS letter.

Other CPC umbrella organizations like NIFLA and Care Net interact with many additional women. Neither responded to a request for comment. (It is unclear if any NIFLA affiliates are among those continuing to use misleading HIPAA language.)

As of 2024 there were more than 2,600 CPCs operating in the U.S., according to data published in the June 2025 issue of the American Journal of Public Health.

The lack of clarity about what CPCs are doing with the data they collect, whom they may be sharing it with and why they collect so much is what drove the Electronic Frontier Foundation’s legal director, Corynne McSherry, to appeal to several of the state AGs for help, she said.

“It's a scandal, frankly,” said McSherry, whose organization focuses on data privacy and digital freedoms. “It's so important for the AGs to do some investigation here because the fact is that ordinary humans don't have the same ability to … go behind the curtain and figure out what's going on, who's communicating with whom [about women’s data] and how.”

“EFF is not backing away from this fight and is exploring additional ways to ensure that CPCs protect client privacy.”

Data vulnerability post-Dobbs

Heartbeat International affiliates manage nearly 2 million appointments each year, according to the organization’s website. An average of 1,100 people a day also contact its “Option Line” by phone to get help, its website says.

Accountability for how data is treated — by Heartbeat and similar organizations — is often murky due to CPCs’ organizational structure, say privacy groups and other advocates.

Affiliates are responsible for managing their own affairs while headquarters at Heartbeat International and other CPC umbrella organizations typically issue guidance. Individual centers can choose to ignore that guidance because they are independently run.

Local CPC offices generally do not use uniform branding or market themselves as being affiliated with their umbrella organizations. It is not uncommon for local CPC affiliates to partner with multiple umbrella organizations, including Heartbeat, Care Net and NIFLA.

Some people visit CPCs believing that they have reached medical clinics, according to reports from individual women and reproductive freedom advocates.

Data collection and sharing by CPCs is especially charged in the aftermath of the Supreme Court's 2022 Dobbs decision, which held that abortion is not a constitutional right.

Since Dobbs, some anti-abortion law enforcement officials have suggested that they would like to reach across state lines to access private health records. Such moves would threaten women's safety, deter care and weaponize data to criminalize those seeking legal abortions beyond their state’s borders, according to Debra Rosen, executive director of Reproductive Health and Freedom Watch.

CPCs are “sitting on a ton of data,” said Rosen. “That is not legally protected, and if any attorney general wanted that information in order to prosecute women or their partners or whoever's helping them get an abortion, it would appear that it is totally available to them.”

Columbus, Ohio-based Heartbeat International offers guidance to affiliates on how long to retain data — including voicemail messages and electronic communications — recommending in its Legal Essentials manual that as a matter of policy, the data be stored for at least seven years. 

The manual also tells centers not to dispose of visitors’ records in case of subpoena, investigations or administrative proceedings by government agencies, according to documents from the manual, copies of which were provided to Recorded Future News by Carly Thomsen, a Rice University professor who specializes in reproductive justice.

The language in the manual has a 2013 copyright, but was included in a copy of the publication that Thomsen said she purchased in spring 2024. 

“We can't trust CPCs to tell us the truth about what they do with data they collect,” Thomsen said, calling CPCs the “backbone” of the anti-abortion movement. 

“Any information given to CPCs can end up in the hands of the police, the broader anti-abortion movement, or in videos that circulate online and that is because CPCs are not regulated medical facilities where personal data is protected by patient privacy laws like HIPAA.”

In a statement, a spokesperson for Heartbeat International’s central office said it “does not access or share individual client information.” Headquarters also does not disclose data to law enforcement, the spokesperson said, because the central office does not have “access to individual client files.” 

“Heartbeat International does not run any pregnancy centers,” the office said in a statement. “Instead, we provide guidance through training and resources such as the Legal Essentials manual, which centers can use with their board to develop policies and procedures suited to their own organization.”

In addition to providing legal guidance, Heartbeat’s headquarters runs a training center, Heartbeat International Academy, holds large annual conferences for affiliates and serves as the public face for the mission. It also created software that facilitates data analytics about pregnant women on a mass scale.

'A data mine'

Many CPCs, which largely operate unregulated at the state or federal level, routinely collect deeply personal information — often including reproductive health information, details about past abortions, abortion intentions for current pregnancies and even the names of loved ones likely to support their pregnancy decisions, Rosen said.

CPCs also perform ultrasounds and often provide testing for sexually transmitted diseases, generating additional data about women and their pregnancies.

Abortion-rights advocates say that CPCs often intentionally leave women with the impression that they are full-scale medical clinics, even though those advocates say the facilities typically lack on-site medical directors. Rosen recently published an opinion article arguing that as a “sprawling system of pseudo-health care” providers, the centers operate without proper medical oversight yet feature staffers wearing white coats and performing ultrasounds on their websites.

Data collected by the clinics appears to be entered into national databases like Heartbeat International’s proprietary Next Level, according to Rosen. 

A Heartbeat International spokesperson says the network remains “committed to maintaining confidentiality and protecting the trust placed in us by the women and families we serve — supporting each one with compassion, professionalism, and integrity.” 


A spokesperson for Heartbeat International said the information it stores in Next Level is de-identified and is not “pooled in a way that allows open access across centers.” 

A screenshot made public by an independent journalist in May 2024 showed a snippet of a Next Level training session video that allegedly exposed names and pregnancy-related data for 13 Heartbeat clients to trainees seeking to learn how to use the software. (The screenshot blurs out the women's names.)

A link to the women’s data was reportedly left on the open web before being removed after the journalist made the breach public. The incident prompted CfA to send HHS a complaint, leading to the agency’s assertion that CPCs are not HIPAA-covered. 

The breach was subject to a “thorough internal review” which led to “strengthened safeguards to prevent future occurrences,” a Heartbeat spokesperson said in a statement.

A promotional video on Heartbeat’s website calls Next Level a “data mine” that allows Heartbeat staff to collect and exchange client information digitally and share it widely among center staff to make “seamless collection of data possible for pregnancy centers.”

“The data that will be collected actually will benefit everyone,” Heartbeat International Board Chair Peggy Hartshorn says in the video. “It will be open to everyone.”

Next Level lets CPCs “view and manage their own client records” while the organization’s home office “only accesses aggregated, de-identified data such as total services offered, appointment types, and general demographics,” a Heartbeat statement said. 

The CPC network as a whole remains “committed to maintaining confidentiality and protecting the trust placed in us by the women and families we serve — supporting each one with compassion, professionalism, and integrity,” according to a Heartbeat spokesperson.

HIPAA's privacy 'brand name'

Beyond the efforts to remove HIPAA language from CPC websites, privacy advocates and abortion-rights groups acknowledge that the federal law is not fail-safe for people seeking to protect their medical data. HIPAA-protected data can be obtained by law enforcement with a court order, subpoena or by administrative request.

Most people don’t realize that, according to Carmel Shachar, who is the faculty director for the Health Law and Policy Clinic at the Center for Health Law and Policy Innovation at Harvard Law School.

“For patients and consumers HIPAA almost has a brand name reputation to it,” she said, “like, ‘Oh, my data is private. My data is safe because of HIPAA.’” 

HIPAA protections apply to medical records kept by so-called covered entities and their vendors. 

Patients at Planned Parenthood clinics and doctors’ offices are typically protected by HIPAA because they are visiting traditional health care providers who create medical records that are then used in certain transactions, making them “covered entities” under HIPAA, Shachar said.

CPCs generally do not bill for their services. Heartbeat International acknowledges that fact, but said in a statement that its affiliates “voluntarily implement privacy and security practices that align with HIPAA standards to help safeguard sensitive information.”

Shachar says that’s not enough.

The pregnancy centers are “benefiting from the reputation of HIPAA without having the accountability of HIPAA,” she said.

Is it fraud?

Even for the CPCs that are clear about not being covered by HIPAA, at least one state government is looking at their privacy practices as part of a broader case involving potential consumer fraud.

New Jersey Attorney General Matthew Platkin issued a subpoena seeking investigative materials from the state’s First Choice Women’s Resource Centers organization, which has five locations, in November 2023.

In a court filing, Platkin’s office said that its investigation “revealed concerns about [the CPCs’] patient-privacy practices.” 

“For example, First Choice represents that its services are ‘confidential’ and ‘private’ … But elsewhere, it claims that it is exempt from HIPAA because it does not accept insurance.”

The court filing asserts that the lack of HIPAA protections “raised concerns about how and whether plaintiff keeps health or other sensitive information private and secure.”

Platkin’s office declined to comment, citing its ongoing subpoena request, which First Choice is seeking to block through litigation.

Lincoln Wilson, senior counsel with Alliance Defending Freedom, a legal advocacy group representing First Choice, said in a statement that Platkin “claims to be concerned about First Choice’s privacy practices, but he has never cited any complaint by a client or any other evidence that First Choice’s practices have violated any state or federal law.” 

“First Choice believes that privacy is crucial to pregnant women making important decisions for themselves and their children,” the statement said, noting that the CPC voluntarily adheres to HIPAA standards.

First Choice’s privacy policy says it “may disclose the information we collect from or about you to our affiliates; to service providers who work on our behalf; as required by law; when required to protect our rights or your safety or the safety of others, or to detect, prevent, or respond to misuse of our sites.”

There are open questions as to whether the “safety of others” caveat could apply to unborn children, a point which Michelle Kuppersmith, executive director of CfA, underscored. 

"Any woman walking into a CPC should know that there are usually no federal protections like HIPAA preventing that center from sharing their most personal information if it advances the center's ideological goals,” said Kuppersmith, whose organization was first to highlight CPCs’ HIPAA practices to AGs.

“They are often bound only by their personal ethics and values — which may include the belief that women are not entitled to make their own decision about their pregnancy.”

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.