Navigating the Evolving Terrain of Reproductive Health Data Privacy and State-Level Safeguards

We are witnessing a surge in legislative activity aimed at protecting reproductive health information following the 2022 Dobbs v. Jackson Women’s Health Organization decision. This ruling shifted abortion regulation to the states, exposing individuals to heightened risks of data misuse, particularly through digital tracking and out-of-state investigations. While the federal government’s attempt to bolster HIPAA protections faltered in 2025, several states have stepped in with targeted laws that extend beyond traditional health care entities to encompass apps, wearables, and data brokers. These measures emphasize explicit consent, data minimization, and restrictions on sharing, and they often apply to sensitive categories such as abortion services, contraception, and gender-affirming care. In this analysis, I examine the federal landscape and key state enactments in California, Colorado, Nevada, New York, Virginia, and Washington, providing deeper insights into their operational impacts and compliance strategies.

Federal Developments: The Vacated HIPAA Amendments

In April 2024, the U.S. Department of Health and Human Services (HHS) issued amendments to the HIPAA Privacy Rule to shield protected health information (PHI) related to reproductive health care from disclosures tied to criminal investigations or civil penalties. These changes prohibited covered entities from using or disclosing such PHI for those purposes, required a signed attestation from anyone requesting the PHI that the request was not for a prohibited purpose, and mandated updates to Notices of Privacy Practices. However, on June 18, 2025, the U.S. District Court for the Northern District of Texas in Purl v. U.S. Department of Health and Human Services vacated these provisions nationwide, ruling that they unlawfully restricted state child abuse reporting obligations, improperly redefined key terms, and exceeded HHS’s statutory authority. HHS let the August 18, 2025 appeal deadline pass without filing, leaving intact only the rule’s separate changes to Notice of Privacy Practices requirements for 42 CFR Part 2 substance use disorder records. The reversal restores the pre-2024 HIPAA baseline, underscoring the urgency of state-level interventions and prompting businesses to revisit data-sharing agreements with heightened scrutiny.

State-Specific Healthcare Privacy Protections

Several states have enacted or amended laws to fill the federal void, broadening protections to non-HIPAA entities and incorporating reproductive health data into general privacy frameworks or standalone statutes. Below, I detail these developments, highlighting their scope, requirements, and nuances based on my experience counseling clients in multistate operations.

California: Amendments to the Confidentiality of Medical Information Act (CMIA) via AB 352

California’s enhancements, effective January 1, 2024 (with security measures from July 1, 2024), fortify the CMIA to cover reproductive services including abortion, contraception, and gender-affirming care. Unlike HIPAA, the CMIA reaches well beyond covered entities: it applies to businesses that offer software or hardware for maintaining medical information, such as electronic health record vendors and consumer health apps, and to employers that receive medical information, including wellness-program data.

Key obligations include:

  1. Implementing access controls to prevent unauthorized sharing of reproductive data outside the state.
  2. Prohibiting cooperation with out-of-state subpoenas or inquiries that seek to identify individuals accessing lawful services in California.
  3. Excluding abortion-related information from automatic data exchanges under the state’s Health and Human Services framework.
  4. Requiring explicit patient authorization for any disclosures of reproductive health records.

Enforcement relies on administrative actions with civil penalties ranging from $2,500 to $250,000 per violation, plus potential criminal charges for willful breaches causing harm. In practice, this has led to increased vendor audits, as I have advised digital health firms to segment data flows geographically.

Colorado: Colorado Privacy Act (CPA) Sensitive Data Provisions

Effective July 1, 2023, the CPA designates reproductive health information as “sensitive data,” alongside sexual orientation and sex life details, triggering heightened safeguards for controllers that process the personal data of 100,000 or more Colorado consumers in a calendar year (or 25,000 or more, if the controller also derives revenue from selling personal data). This broad applicability captures period-tracking apps and fertility platforms, even those not affiliated with health care providers.

Core requirements encompass:

  • Conducting data protection impact assessments for high-risk processing, such as profiling based on reproductive data.
  • Obtaining opt-in consent before processing sensitive data, in addition to the general opt-out rights for targeted advertising, sale of personal data, and profiling.
  • Limiting data retention to necessary periods and mandating deletion upon request.
  • Ensuring processors adhere to controller instructions via contractual safeguards.

The Colorado Attorney General enforces violations with fines up to $20,000 per willful infraction, and while no private right of action exists, the law’s assessment mandates have spurred proactive compliance programs in my client engagements.

Nevada: Health Data Privacy Act

Nevada’s standalone statute (SB 370), effective March 31, 2024, targets consumer health data, explicitly including reproductive conditions, treatments, and biometric indicators like menstrual cycle tracking. It applies to any entity collecting such data from Nevada residents, regardless of size or HIPAA status.

Salient features include:

  1. Requiring affirmative, informed consent prior to collection, with clear disclosures of purposes and recipients.
  2. Imposing data minimization to collect only what is essential for stated objectives.
  3. Prohibiting secondary uses, such as marketing or research, without renewed consent.
  4. Mandating prompt breach notifications tailored to health data sensitivities.

Exclusively enforced by the Nevada Attorney General, penalties reach $5,000 per violation, emphasizing education over litigation in enforcement trends observed through 2025.

New York: New York Health Information Privacy Act (NYHIPA)

Passed in early 2025 and awaiting gubernatorial signature, NYHIPA would take effect 180 days post-enactment, imposing stringent controls on health data including reproductive treatments, prescriptions, and genetic markers. It targets both traditional providers and digital intermediaries like telemedicine apps.

Provisions demand:

  • Specific, prior consent for collection, use, or disclosure, revocable at any time.
  • Encryption for electronic storage and transmission of sensitive records.
  • Restrictions on marketing uses without separate opt-in mechanisms.
  • Annual privacy impact assessments for entities processing over 50,000 records.

With no private right of action, the Attorney General could impose fines up to $15,000 per violation or 20% of derived revenue, potentially reshaping New York’s tech ecosystem upon implementation.

Virginia: Amendments to the Virginia Consumer Protection Act (VCPA) via SB 754

Effective July 1, 2025, these amendments introduce the Protection of Reproductive Health Information Law, defining reproductive or sexual health information (RSHI) expansively to include derived data from geolocation or search queries. It applies to all “suppliers” in consumer transactions, bypassing thresholds in the Virginia Consumer Data Protection Act.

Essential mandates are:

  1. Obtaining explicit, opt-in consent for any RSHI processing, invalidating implied agreements.
  2. Barring sales or disclosures that could enable tracking of reproductive care seekers.
  3. Requiring data deletion upon consent withdrawal, extending to third-party recipients.
  4. Prohibiting geofencing within 2,200 feet of reproductive health facilities for advertising.

Enforcement includes private actions with statutory damages of $500 or actual losses, plus treble damages for willful violations, alongside Attorney General penalties up to $5,000 per breach—a dual-track approach that heightens litigation risks.

Washington: My Health My Data Act (MHMDA)

Effective March 31, 2024 for most regulated entities (June 30, 2024 for small businesses, with the geofencing prohibition in force since July 23, 2023), the MHMDA regulates “consumer health data,” encompassing reproductive services, fertility tracking, and location data that can reveal a visit to a clinic. It covers entities that conduct business in Washington or target Washington consumers, including nonprofits and small apps.

Key elements comprise:

  • Granular, written consent specifying data types, uses, and sharing parties.
  • One-year authorizations for data sales, revocable anytime.
  • Expanded rights to access, delete, and port data, applicable to affiliates.
  • Bans on geofencing for health-related marketing within facility vicinities.

The Attorney General enforces with $7,500 fines per violation, supplemented by private suits for up to $7,500 in statutory damages, driving a compliance surge in telehealth sectors.

Comparative Analysis: State Reproductive Health Data Privacy Landscape

To illustrate the variances, the following table compares these states across critical dimensions: scope beyond HIPAA, the governing consent standard, whether individuals have a private right of action, and the maximum penalty per violation. It is intended as a benchmarking aid for multistate compliance efforts.

State | Law Name | Effective Date | Scope (Beyond HIPAA?) | Key Consent Requirement | Enforcement (Private Right?) | Max Penalty per Violation
California | CMIA (AB 352) | Jan 1, 2024 | Yes, all entities maintaining medical information | Explicit authorization for disclosures | No | $250,000
Colorado | CPA | Jul 1, 2023 | Yes, controllers meeting the 100k/25k consumer thresholds | Opt-in consent for sensitive data | No | $20,000
Nevada | Consumer Health Data Privacy Law (SB 370) | Mar 31, 2024 | Yes, all collectors | Informed consent pre-collection | No | $5,000
New York | NYHIPA | Pending (180 days post-enactment) | Yes, all processors | Specific, revocable consent | No | $15,000
Virginia | VCPA (SB 754) | Jul 1, 2025 | Yes, all suppliers | Opt-in for RSHI processing | Yes | $5,000 (AG); $1,500 (private, trebled)
Washington | MHMDA | Mar 31, 2024 | Yes, all regulated entities | Granular written consent | Yes | $7,500

Strategic Implications and Best Practices

These laws create a patchwork of obligations, with Virginia and Washington standing out for private enforcement rights that amplify litigation exposure. Businesses must integrate these into enterprise-wide programs, particularly for derived data from wearables or ads. From my advisory perspective, the following steps are imperative:

  1. Map data inventories to identify reproductive health elements, including inferred categories from location or search patterns.
  2. Revise consent mechanisms to meet the strictest standards, such as Washington’s granularity, across jurisdictions.
  3. Conduct impact assessments and vendor due diligence, focusing on out-of-state transfer risks.
  4. Train personnel on geofencing prohibitions and data minimization to avert inadvertent violations.
  5. Monitor pending legislation, like expansions in Massachusetts or Connecticut, for proactive alignment.
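The geofencing prohibitions in the Virginia and Washington sections are easiest to enforce in an ad-delivery or analytics pipeline as a pre-flight check rather than as a training item alone. The example below is an added illustration, not code from this article or from Captain Compliance: it computes the great-circle distance from a proposed targeting location to each facility on a registry and refuses location-based delivery inside a configurable radius. The facility coordinates are constructed placeholders, and the default radius of 2,200 feet is the figure this page gives for Virginia; a real deployment would load a maintained facility registry and apply each state's radius.

```python
"""Geofence-prohibition pre-flight check for location-targeted content.

Added example: refuses location-based delivery within a configurable
radius of any listed reproductive health facility. The facility list and
coordinates below are constructed placeholders, not real registry data.
"""
import math

EARTH_RADIUS_M = 6_371_000.0   # mean Earth radius used by the haversine formula
FEET_PER_METER = 3.28084

# Constructed sample registry: facility id -> (latitude, longitude) in decimal degrees.
# In production this would be loaded from a maintained, access-controlled registry.
FACILITIES = {
    "clinic-a": (38.8816, -77.0910),   # hypothetical, northern Virginia area
    "clinic-b": (47.6062, -122.3321),  # hypothetical, Seattle area
}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = (math.sin(d_phi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def nearest_facility_ft(lat, lon, facilities=FACILITIES):
    """Return (facility_id, distance_ft) for the closest listed facility."""
    fid, (flat, flon) = min(
        facilities.items(),
        key=lambda kv: haversine_m(lat, lon, kv[1][0], kv[1][1]),
    )
    return fid, haversine_m(lat, lon, flat, flon) * FEET_PER_METER


def geofence_check(lat, lon, radius_ft=2200.0, facilities=FACILITIES):
    """Decide whether location-targeted delivery at (lat, lon) is permitted.

    allowed is False whenever the point lies within radius_ft of any
    facility. The radius is a parameter because states set different
    distances; 2,200 ft is the Virginia figure cited on this page.
    """
    fid, dist_ft = nearest_facility_ft(lat, lon, facilities)
    return {
        "allowed": dist_ft > radius_ft,
        "nearest": fid,
        "distance_ft": round(dist_ft, 1),
        "radius_ft": radius_ft,
    }


if __name__ == "__main__":
    # Constructed targeting request roughly 0.006 degrees of latitude north of clinic-a.
    for radius in (2200.0, 2000.0):
        decision = geofence_check(38.8876, -77.0910, radius_ft=radius)
        print(radius, decision)
```

The check is deliberately conservative: it uses the nearest facility regardless of which state the request originates in, so a single radius of the strictest applicable value can be applied fleet-wide, and the decision dictionary carries the distance and radius used so that refusals are auditable. For a large registry, pre-bucket facilities by a geohash or spatial index before running the haversine loop.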

The broader trend is a state-level push to shield people from surveillance of their reproductive health decisions, though harmonizing these overlapping regimes with the now-reduced federal baseline remains a persistent challenge.

How To Get Healthcare Data Privacy Compliant?

The flux in reproductive health data privacy underscores the need for vigilant, adaptive compliance. As states innovate to counter federal setbacks, organizations that prioritize these safeguards not only mitigate risks but also build consumer trust. I urge stakeholders to consult with us and to book a demo to see how Captain Compliance’s privacy software can help with privacy compliance in the healthcare space, not only in California, Colorado, Nevada, New York, Virginia, and Washington but also in other states with pending legislation, such as Massachusetts and Connecticut.
