Privacy Tips

LEarn More

Strategies for Safeguarding Reproductive Healthcare Privacy Rights

Home

Guidance for Individuals

Recommendations for Technology Companies

Following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization overturning Roe v. Wade in 2022, many states have banned or severely limited abortion access. In most cases, these bans prohibit people from providing abortions, but there is increasing concern about how individuals could be criminally targeted for accessing reproductive healthcare. A September 2024 report from Pregnancy Justice estimates that at least five pregnant people have faced criminal charges related to abortion in the first year after the Dobbs decision. As a result, pregnant people who live in states that restrict access to reproductive health services such as abortion may want to consider how their online and offline actions make it more difficult to protect their right to privacy in their own healthcare and put them at risk of prosecution or in other legal jeopardy. While it is impossible to be completely anonymous when searching for and obtaining reproductive health services, individuals can take a number of steps to protect their privacy and reduce their digital and physical footprint.

GUIDANCE FOR INDIVIDUALS

5 of 10

Name, Company

Block Targeted Advertisements

3 of 10

Use a VPN

1 of 10

Name, Company

Use a Privacy Protective Browser App or Window

Searching for Reproductive Health Resources Online Many organizations, from your internet service provider (ISP) to advertising companies and search engines, collect information relating to your activity on the internet. While none of the steps below will ensure you have complete privacy, there are steps you can take to limit what information is collected about you when you browse the internet. Before seeking reproductive health resources online, consider the following steps to protect your privacy online:

4 of 10

Opt Out of Third-Party Tracking

Communicating with Reproductive Health-Related Services If a valid warrant or subpoena is served on an organization where you received reproductive health services, including abortion clinics, OB-GYN offices, hospitals, and birthing centers, the organization may be legally required to turn over sensitive information to law enforcement. Where possible, limit the personal information that is shared with reproductive health services to only that which is necessary to obtain care. When communicating about reproductive health services, consider the following steps to enhance the privacy of your communications:

3. Create a New, Encrypted Email Address

2. Use End-to-End Encrypted Communication Apps

Call clinics, healthcare providers, and transportation services using a secondary phone number or buy a burner phone using cash rather than using personal devices. Using a secondary phone number provides an additional layer of privacy (not anonymity) to your telephone records by making it more difficult for law enforcement or third parties to connect your phone number to a certain clinic’s records. Distancing your phone number from the clinic’s records makes it harder for police or third parties to use your phone call logs to clinics as potential evidence against you:

Obtaining Reproductive Health-Related Services in Person When traveling to receive, and while receiving, reproductive health services, consider the following steps to increase the likelihood that your plans and movements remain private:

1. Use Secondary Phone Numbers

Google Voice (free):

Use end-to-end encrypted communication apps for messages, phone calls, or video calls when communicating with clinics or healthcare providers. Consider turning on automatic message deletion where possible and turning off automatic back-ups.

Signal

Create an encrypted secondary email address for communicating with clinics or healthcare providers rather than using a personal email address. This may prevent the services from reading emails shared on the platform.

When writing emails > leave out personal information and reproductive health-specific information from the subject line of emails to clinics or healthcare providers. Subject lines are not considered “content” of the communication and require a search warrant under the Stored Communications Act.

Think Before You Talk About It

Tell as few people as possible (and do not talk to your smart speaker or voice assistant) about your plans. If you do tell someone, tell someone you trust in person or over an encrypted call. Do not tell people on social media.

Don’t Post About it

Do not post online about your plans.

Proceed with Caution When Seeking Care from a Healthcare Provider in States That Are Hostile to Abortion

Healthcare professionals may be required to report people they suspect of having had an abortion. So, if you are seeking care from a healthcare provider and you do not know whether that provider supports abortion access or whether your state law requires reporting, avoid talking about your abortion.

Avoid Ride-, Bike-, and Scooter-Sharing Apps

Do not use ride-, bike-, or scooter-sharing apps to go to clinics. Instead, take a taxi and pay with cash or take public transportation. If you must use a ride-sharing app, do not select the clinic as your destination. Use a nearby business instead. If you must use a bike- or scooter-sharing app, drop off the bike or scooter around the corner from the clinic or at a return station that is not in close proximity to the clinic.

Avoid Toll Roads.

Many roads with toll systems utilize license scanning technology, which law enforcement could potentially access and use as evidence to show you went to clinic. If you must take a road with a toll, avoid using electronic toll collection systems such as E-ZPass and instead pay in cash.

Turn off Location Tracking or Leave Your Devices Behind

Only take devices you need. Before you go to a provider, put your phone on airplane mode or turn it off. When you finish your appointment, ask the clinic to call a taxi for you if you don’t have your phone with you or if your phone is turned off. Also be sure to remove non-mobile tracking devices, such as AirTags, from your car and bags. If your phone must be with you and turned on, turn off cell service, Wi-Fi, Bluetooth connectivity, and location services.

If Possible, Avoid Using a Credit or Debit Card or Payment App

Pay for lodging, transportation, services, or medicine in cash, postal money orders, or a prepaid gift card.

Dress to Conceal

Conceal yourself when you go to the clinic to prevent others from recognizing you or taking your photograph as well as security cameras from capturing footage of your movements.

Be Mindful of Your Mail

Law enforcement can examine (but not open) your mail without a search warrant. Stay aware of what kinds of mail you may receive at your address, such as billing receipts, health insurance notices, or other letters that might suggest you’ve sought out reproductive health-related services. Opt in to paperless communications where possible.

Be Cautious If Driving and Do Not Park Onsite

If you plan to drive yourself, be aware that newer cars are increasingly connected to the internet and include tracking technologies. Avoid using your car’s built-in GPS application to navigate to the clinic. Also be aware that automated license plate readers—camera mounted on street poles, overpasses, and other public areas—may be used by law enforcement to identify and capture license plate numbers on passing cars and stored for potential future criminal investigations. If you drive, do not park at the clinic. Park at a nearby business location and walk to and from the clinic. Anti-abortion protestors are reported to be taking photos of cars and recording license plates upon their arrival at reproductive healthcare clinics.

Shred Sensitive Documents

Law enforcement can search your trash without a search warrant. Be careful of what you throw away (e.g., pregnancy tests), and shred any sensitive documents (e.g., insurance or reproductive health services receipts).

Deleting Data After Searching for or Receiving Reproductive Health Services If you were unable to use encrypted browsing and email services or messaging apps when searching for or contacting reproductive health-related services, consider deleting any data potentially connected to the services you received:

Delete Browsing and Internet Histories Delete browsing and internet histories to decrease the likelihood that law enforcement could see your searches on your devices if they were seized or could subpoena ISPs for your search information:

Tips on choosing a VPN Click on your device to learn how to install a VPN:

Android | iOS

7 of 10

Take Precautions When Using Health-Tracking Apps

Use a paper calendar or a password protected spreadsheet or an app that saves the information locally in your phone (versus the server of the app provider).

8 of 10

Name, Company

Only Use Trusted Resources and Websites

• If you must use an app, deny permissions in the apps to use the device’s location and to share data with third parties. • If you have used an app, delete your account and request that your data be deleted.

10 of 10

Name, Company

Practice Good Digital Hygiene

Keep Devices Updated. Configure your devices and applications for automatic software updates to protect your devices and systems against cyber threats. Create Unique Passwords. Strengthen passwords and avoid using the same password for multiple accounts. Enable Multifactor Authentication. Prevent bad actors from accessing your accounts remotely by adding an extra step to access accounts.

Hushed (paid):

Burner (paid):

Delete Device Data and Accounts If you download information regarding reproductive health services on your computer or phone, consider deleting your device data. Note: this action would wipe everything from your device and/or your account (including personal items like your contacts, text message history, and family photos). If you automatically back up to iCloud, delete this back-up copy as well because law enforcement can obtain a search warrant for cloud storage accounts:

Key Takeaways Although there is no perfect solution to shield you from digital surveillance, implementing the recommendations above will greatly improve your digital privacy. Increasing your digital privacy may involve complicated steps and create some inconveniences to everyday use of your devices by impairing device performance or removing some device features. Nevertheless, these difficulties are certainly worthwhile when considering the alternative—potential prosecution. If you are only able to implement a few measures, consider the following key steps:

4. Browse Privately and Delete Your Data Browsing or searching the internet securely only takes a couple of clicks and can greatly improve your digital privacy. Routinely deleting your search histories and location histories provides an additional layer of security.

3. If You Write About It or Talk About It, Do It Securely FaceTime and Duo, the default video-calling apps on iOS and Android, are both end-to-end encrypted and offer convenient ways to communicate securely (without writing things down).

1. Think Before You Talk About It The fewer people who know, the fewer people there will be to report it.

5. Call a Lawyer If a law enforcement officer approaches you, exercise your constitutional right to call a lawyer and seek legal advice.

2. Don’t Write About It Text messages, posts, and online searches can be critical evidence.

Go to Settings  Google  Ads  Toggle “Opt out of ads personalization” to On. You can also reset your Advertising Identifier in both Android and iOS to unlink any previous data associated with your ID.

Go to Settings  Privacy  Advertising  Toggle “Limit Ad Tracking” to On. You can also reset your Advertising Identifier in both Android and iOS to unlink any previous data associated with your ID.

Microsoft Edge: 1. Delete browsing history 2. Delete cookies

FaceTime

Zoom

Duo

Searching for Reproductive Health Resources

When Communicating with Reproductive Health-Related Services

When Obtaining Reproductive Health-Related Services

Deleting Data After Reproductive Health-Related Services

If a Police Officer Approaches or Contacts You

Key Takeaways

Apple Data: Understand and control the personal information that you store with Apple

Google Data: Delete your activity

Safari: 1. Delete your browsing history 2. Remove stored cookies and website data iPhone, iPad, or iPod touch: Clear history and cookies

Firefox: 1. Delete browsing, search and download history 2. Clear cookies and site data

Chrome: 1. Delete browsing data 2. Clear cache & cookies

Windows Computer: How to: Delete Your Data Securely on Windows

Apple Computer: How to: Delete Your Data Securely on macOS

iPhone: Delete all content and settings. Android: Factory-reset your phone. Apple Computer: Delete data on macOS. Windows Computer: Delete data on Windows. Google Account: Delete your account Apple Data: Delete your Apple ID account and data.

Guidance for Clinics and Healthcare Providers

When Collecting and Processing Patient Data

When Responding to Legal Process

Facebook Go to Settings & Privacy > Settings > Accounts Center > Ad Preferences > Manage Info Categories used to reach you > Toggle all categories to Off. Activity information from ad partners > Review setting > Toggle to No, don’t make my ads more relevant by using this information. Ads shown outside of Meta > Toggle to Not allowed.

Instagram Go to Settings > Accounts Center > Ad Preferences > Manage Info Activity information from ad partners > Review setting > Toggle to No, don’t make my ads more relevant by using this information. Ads shown outside of Meta > Toggle to Not allowed.

X Go to Settings & Privacy > Privacy & Safety > Data Sharing and Personalization Ads preferences > Unclick the box for Personalized ads. Inferred identity > Unclick the box for Personalize based on your inferred identity. Data sharing with business partners > Unclick the box for Allow additional information sharing with business partners. Location information > Unclick the box for Personalize based on places you’ve been. Grok & Third-Party Collaborators > Unclick the box for Allow your public data as well as your interactions, inputs, and results with Grok and xAI to be used for training and fine-tuning.

Android: Go to Settings > Google > All Services > Privacy & Security > Ads > Click Reset advertising ID or Delete advertising ID.

iOS: Go to Settings > Privacy & Security > Tracking > Toggle “Allow Apps to Request to Track” to Off.

Proton

PreVeil

DISCLAIMER: Morrison & Foerster LLP makes the information and materials in this digital handbook available for informational purposes only. While we hope and believe this information will be helpful, we cannot warrant that the handbook is accurate or complete. Moreover, the handbook is general in nature and may not apply to your particular factual or legal circumstances. In any event, the handbook does not constitute legal advice and should not be relied on as such. Morrison & Foerster LLP renders legal advice only after compliance with certain procedures for accepting clients and when it is legally permissible to do so. Readers seeking to act upon any of the information contained in this resource are urged to seek their own legal advice. This handbook was last updated on February 19, 2025.

PostScan Mail iPostal1 Anytime Mailbox

2 of 10

Name, Company

Use Private Browsing

These apps do not save your searches on the Internet, and thus if a law enforcement request were made to these apps to collect your search history, there would be nothing for the app to share:

If you are unable to use a privacy-protective browser, consider using private browsing settings when you are searching, which eliminates saved searches on your device. Private browsing does not stop ISPs like Google or Microsoft from collecting and storing information about your search history because your internet connection will not be encrypted, but it does help to protect your privacy by preventing your browser from storing your search history on your device. In addition to using private browsing, it is important to routinely delete your history (see recommendation under Deleting Data After Reproductive Health Services below for more information):

Mac | iPhone / iPod Touch

Use a virtual private network (VPN) to protect internet activity. VPNs protect your privacy and mask your online activity by routing your internet connection through an encrypted server, preventing ISPs from seeing what you are doing online. That way, if your ISP receives a law enforcement request, they will not have information to hand over to law enforcement:

When third-party tracking is enabled, third parties like advertisers and data brokers can track you across your apps and websites on your mobile devices through an ad identifier, a string of numbers and letters that identifies your smart device (“IDFA” on iOS or “AAID” on Android) and that every app can see. Third parties use the ad identifier to collect your activity and create a profile about you, which they use to send you targeted ads or sell to other companies. Opting out of tracking across third-party apps and websites on your phone will prevent third parties from seeing your ad identifier and creating that profile, making it less likely that law enforcement or third parties can obtain data from them through legal process:

While opting out of third-party tracking will decrease the majority of the data third parties collect about you, first parties (i.e., the actual apps installed on your phone themselves) may still collect data about you, use that data to themselves to serve you targeted ads, and capture your interaction with the ads. Opting out of targeted advertising on your browsers and social media platforms will not prevent first parties from collecting information about you completely, but it will prevent them from collecting information related to your interaction with targeted ads. Opting out may also prevent you from seeing potentially unwanted ads by anti-abortion groups:

If you decide to use a menstruation or pregnancy tracking app, opt for one with strong privacy and security protections. While “privacy protective” menstruation or pregnancy tracking apps provide some additional protections beyond standard apps, such apps are not totally “safe” and still bring law enforcement access risks. Here are some “privacy protective” apps which are better, but it is still advisable to use a paper calendar instead:

Anti-abortion clinics may pose as crises pregnancy centers and may spread harmful misinformation or collect personal information or location information. Crises pregnancy centers (CPCs) are organizations with a primary aim of keeping people from having abortions. CPCs are often affiliated with religious organizations that oppose abortion. CPCs can be found in states that have abortion bans as well as those do not. For a map that can help you identify (and avoid) CPCs, see https://crisispregnancycentermap.com/. For advice on recognizing CPCs, see cpc-flowchart_secure.pdf.

By practicing good digital hygiene, you can help protect your privacy by preventing unwanted cyber or physical searches of your device. These actions make it harder for law enforcement to open your device if seized as part of an investigation or for hackers to break into your device and obtain your data:

If a Police Officer Approaches or Contacts You State law enforcement of abortion laws will likely depend less on whether a person turns off their Bluetooth or disables third-party cookies and more on how many people they tell, how they communicate with those people, whether they are mindful about reducing their digital footprint, and whether they have counsel. This is because state law enforcement investigations often rely on public tips, witnesses, and information provided voluntarily by the subject of the investigation, including voluntarily providing access to their cell phone. When speaking with a police officer, do not hand over your private, and potentially incriminating, information freely:

If asked to interview with the police, do not do it without a lawyer. You have the right not to talk to the police about anything without a lawyer, but it is up to you to assert that right. If you have been questioned or arrested—or you think you will be questioned or arrested—by the police because of your abortion, contact the Repro Legal Helpline. This helpline is a free and confidential legal service. Lawyers on the helpline will work to help you find a lawyer. If you already have a lawyer, Repro Legal Helpline may be able to work with your lawyer to help defend you.

If a police officer approaches you asking to search and/or seize your device, ask them if they have a warrant.

If the officer does have a warrant, comply with their requests but make it known that you object and are not complying with the request voluntarily.

If the officer does not have a warrant, inform the police that you do not consent to their requests.

Do not provide your password voluntarily, even if asked; law enforcement cannot compel you to do that. If you are asked to use your biometric identifiers (e.g., fingerprint or facial recognition) to open your phone, make sure that the warrant specifically authorizes that.

Do not give the police your device voluntarily, even if asked.

If the warrant does not authorize the use of biometric identifiers, you do not need to unlock your phone. However, if the officer insists, comply rather than resist physically.

After complying, consider challenging the search or seizure through a suppression motion with legal counsel.

After law enforcement contacts you, do not delete any data without first consulting with legal counsel.

Do not provide your password voluntarily.

You cannot be coerced to use your biometric identification (e.g., holding the phone up to you face) to open your phone.

Credit card companies and financial institutions keep records of all transactions. Payment apps, such as PayPal and Venmo, may seem more secure, but they must also comply with law enforcement requests for data. Be sure to turn off public sharing if you choose to use a payment app. Consider paying for related everyday reproductive healthcare purchases (e.g., pregnancy tests, prenatal vitamins, and menstrual products) with cash, too. Avoid using in-store loyalty or membership cards or online accounts when you do so.

iPhone: Go to Settings > General > VPN & Device Management. If you have installed one of the recommended VPNs or another VPN of your choice, it should appear here for you to select. You can also manually add a VPN configuration by entering your administrator’s information.

Android: Go to Settings > Network & Internet > Advanced > VPN. Again, if you have already downloaded one of these apps, select it and login to your account. You can also manually add a VPN configuration by clicking the plus sign and then entering your administrator’s information.

Windows/Mac: Installing a VPN on a desktop or laptop computer will operate like installing any app on your device. Go to the service provider’s website and download the official app from the service. Once the download is finished, go through the installation process on screen. On a Mac, you can also manually add a VPN configuration by going to Settings > Network > Add VPN Configuration.

If you must use an app, deny permissions in the app to use your device’s location and to share data with third parties.

If you have used an app, delete your account and request that your data be deleted.

To turn off location services:

Use a Privacy Protective Browser App or Window

Use Private Browsing

Use a VPN

Opt Out of Third-Party Tracking

Block Targeted Advertisements

Take Precautions When Using Health-Tracking Apps

Take Caution When Using AI Tools

Practice Good Digital Hygiene

CLICK ON A STEP TO LEARN MORE

Written by Miriam Wugmeister, Melissa Crespo, Carson Martinez, Damian Mencini, and Katherine Wang. Morrison Foerster is a global technology law firm with an industry-leading privacy practice that is committed to protecting reproductive rights.

If you must use location services on your device, consider resetting your device’s advertising ID before and after visiting sensitive locations. This will make it harder to connect such data to you. Android: Go to Settings > Google > All Services > Privacy & Security > Ads > Reset Advertising ID > Confirm by clicking OK. iOS: Go to Settings > Privacy & Security > Apple Advertising > Toggle Personalized Ads to Off. If financially practicable, consider buying a burner phone to bring with you instead.

If the warrant does authorize the use of biometric identifiers, comply with the warrant while making it clear to the officers that you object to being compelled to unlock your phone.

FEATURED DEALS

Apple Computer: Delete data on macOS Windows Computer: Delete data on Windows

iPhone: Delete all content and settings Android: Factory reset your phone

Google Account: Delete your account Apple Data: Delete your Apple ID account and data

Obtaining Reproductive Health-Related Medication by Mail If you choose to obtain reproductive health-related medication by mail rather than in person, you should consider the following steps to enhance the privacy of the letters and packages delivered to you.

Take Caution When Searching for Medication Resources Online

Create a Mail-Forwarding Address

Familiarize Yourself with Laws on Receiving Medication by Mail

Consider Asking a Friend to Order Medication on Your Behalf

Carefully Dispose of Leftover Cartridges

View our tips above on how to protect your digital privacy when researching how to obtain reproductive health-related medications online, such as contraceptives or abortion medication.

When buying abortion medication (i.e., mifepristone and misoprostol) online, your name, email address, physical address, and/or other personally identifying information may be linked to the medication when it is shipped. To avoid this, consider creating a mail-forwarding address in a state without restrictions on using telehealth to access abortion medication and ship your medication to that address. Seek legal advice before engaging in this activity. • PostScan Mail • iPostal1 • Anytime Mailbox

Depending on where you live, you may not be permitted to obtain abortion medication by mail, even if reproductive health-related services are otherwise available. For example, Arizona prohibits providing abortion pills to residents through a courier, delivery, or mail service. Make sure to understand your state’s laws on obtaining reproductive health-related medication by telehealth and mail prior to placing an order.

If you feel comfortable, consider asking a non-birthing friend to use their account or personal information to place an order for you, especially if they reside in a state with no restrictions on reproductive health-related services.

If you take medication received by mail, make sure to take precautions when throwing away cartridges and other supplies that might contain labels containing your name and other personally identifying information. As mentioned above, law enforcement can search your trash without a search warrant.

Turn Off Your Location History on Your Devices

Only Use Trusted Resources and Websites

Browsers Opt out of personalized advertising on browsers or block ads/trackers using a browser extension:

Browsers

Social Media

Apple (iOS)

TikTok Go to Settings and Privacy > Ads > Toggle Targeted ads to Off.

Snapchat Go to Settings > Additional Services > Ad Preferences > Toggle all categories to Off.

Apple (iOS) Go to Settings > Privacy & Security > Apple Advertising > Toggle Personalized Ads to Off.

6 of 10

Turn Off Your Location History on Your Devices

Your location history can be obtained by law enforcement through legal process. Before you search through your device’s Maps feature for directions to any reproductive health-related clinic or service, turn off your location history. And make sure to delete your location on your device.

Android | iOS

Go to “Location History” of your Google Account > Select “your account and all devices” > at the top, turn “Location History” > On or Offf.

Google - Turn Off Location Sharing

Delete Location History on Google Maps

Apple - Turn Off Location Sharing

Apple - Clear Location History

Open the Google Maps app > Tap on your profile picture > Your Timeline > Location and privacy settings > Delete range of timeline data, Delete all timeline data, or Set Google Maps to auto delete timeline data.

Settings > Privacy & Security > Location Services > Toggle off location sharing.

Settings > Privacy & Security > Location Services > System Services > Significant Locations > Tap Clear History.

Health-tracking apps collect a wide range of personal information, such as your sleep quality and heart rate. They also encourage you to share as much data as possible to maximize your health and wellness, such as tracking your vitamin intake (which may include prenatal vitamins). However, these apps may share or sell your sensitive health information with third parties or draw inferences related to you, including your pregnancy status, based on the data you enter.

9 of 10

Name, Company

Take Caution When Using AI Tools

Be careful about using AI chatbots and AI-powered search engines for reproductive health guidance. Reproductive health and abortion are complex issues that involve medical and legal considerations, and a chatbot might not be able to fully address all aspects of your situation. Further, AI technologies may commonly experience “hallucinations,” which can result in misleading, inaccurate, or nonsensical responses. Also be aware that many AI chatbots also collect your IP address, prompts, and outputs when you interact with them, and some companies may also repurpose your prompt and output information to train the underlying AI model. Such information can be obtained by law enforcement through legal process if it is stored by the company. Some private browsers, but not all, allow you to anonymously interact with AI chatbots. These browsers remove users’ IP addresses and replace them with their own. Don’t enter personal information into AI tools. Information entered into these tools can be retained by the AI companies, and the tools may accidentally provide nonpublic information from your interactions to other users (“prompt regurgitation”).

Menstruation- and period-tracking apps

Pregnancy-tracking apps

Drip Euki Spot On Periodical

Preglife Pregnancy+

Health, menstruation, and pregnancy tracking apps can be used as evidence in a prosecution if law enforcement obtains data from these apps through legal process or if law enforcement determines you installed the application on your phone through a search warrant. If you choose to use these apps, take precautions. Ensure that the app of your choice engages in best practices for user security and privacy. Choose apps with features that offer significant privacy protection for users: (1) storing data locally on your device rather than in the cloud, (2) forgoing third-party tracking services that can access the data that users provide, and (3) allowing users to access the application without having to register with the app.

Finally, pregnancy tracking apps present the greatest risk when it comes to app tracking. These apps allow you to calculate your estimated due date, track the development of your pregnancy week-to-week, and log your medical conditions, vaccines, and other health-related data. Although these apps may offer convenience to users, the apps may be able to predict when a pregnancy is likely to experience complications or may track when a pregnancy has ended. The safest way to track your pregnancy is through an analog calendar.

Menstruation and period-tracking apps carry heightened risk. While they can be useful tools to avoid an unwanted pregnancy, they also collect a tremendous amount of data about your menstrual cycle, ovulation, and contraception. In fact, your menstruation tracking app may “know” you are pregnant before you do due to the sophistication of its tracking. The safest way to track your period is through an analog calendar.

Menstruation- and period-tracking apps carry heightened risk. While they can be useful tools to avoid an unwanted pregnancy, they also collect a tremendous amount of data about your menstrual cycle, ovulation, and contraception, and you may lose control of some of your sensitive health information that is shared with the apps. In fact, your menstruation tracking app may “know” you are pregnant before you do due to the sophistication of its tracking. The safest way to track your period is with an analog calendar.

Finally, pregnancy tracking apps present the greatest risk when it comes to app tracking. These apps allow you to calculate your estimated due date, track the development of your pregnancy week-to-week, and log your medical conditions, vaccines, and other health-related data. Although these apps may offer convenience to users, you may lose control of some of your sensitive health information that is shared with the apps and the apps may be able to predict when a pregnancy is likely to experience complications or may track when a pregnancy has ended. The safest way to track your pregnancy is through an analog calendar.

Health-, menstruation-, and pregnancy-tracking apps can be used as evidence in a prosecution if law enforcement obtains data from these apps through legal process or if law enforcement determines you installed the application on your phone through a search warrant. If you choose to use these apps, take precautions. Ensure that the app of your choice engages in best practices for user security and privacy. Choose apps with features that offer significant privacy protection for users: (1) storing data locally on your device rather than in the cloud, (2) forgoing third-party tracking services that can access the data that users provide, and (3) allowing users to access the application without having to register with the app.

If you decide to use a menstruation- or pregnancy-tracking app, opt for one with strong privacy and security protections. While “privacy protective” menstruation- or pregnancy-tracking apps provide some additional protections beyond standard apps, such apps are not totally “safe” and still bring law enforcement access risks. Here are some “privacy protective” apps that are better, but it is still advisable to use an analog calendar instead:

LEARN MORE

Following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization overturning Roe v. Wade, many states have banned or severely limited abortion access. As healthcare providers adapt to this new reality, healthcare providers offering reproductive health services, particularly in states that have banned or severely restricted abortion, must now consider whether and how their data collection and retention practices may put their patients at risk of potential prosecution. While it is impossible to avoid collecting any sensitive data in the process of providing reproductive health-related care to patients, healthcare providers offering reproductive health services can take steps to mitigate the risks associated with the data they collect, maintain, and disclose.

GUIDANCE FOR CLINICS AND HEALTHCARE PROVIDERS

6 of 6

Name, Company

Make Appointments Securely

5 of 6

Name, Company

Recommend That Patients Avoid Using Credit and Debit Cards to Pay for Appointments

When patients book an appointment, consider recommending that they use a form of payment that is not identifiable, such as cash or a gift card. This can help your patients minimize their risk.

4 of 6

Name, Company

Create a Data Deletion Protocol

Have short data retention policies and securely dispose of or de-identify data when it is no longer needed (note that state laws may impose retention requirements). Create secure disposal procedures for any physical papers with patient information. If healthcare providers exercise data minimization, data deletion protocols will be more manageable as there will be less volume of data to be deleted.

3 of 6

Name, Company

Block Ads from Websites

2 of 6

Use a VPN

Tips on choosing a VPN How to install a VPN depends on device type:

1 of 6

Name, Company

Employ Data Minimization Techniques

When Collecting and Processing Patient Data Clinics and healthcare providers may wish to minimize the amount of information they collect. For the information they must collect, clinics and healthcare providers should work to keep patient information as private as possible. Consider these steps:

Take inventory of the information you currently collect about patients. Only collect information that is absolutely necessary to carry out reproductive health services.

Use secure appointment booking software (if available) or book appointments with encrypted email services or messaging apps. This would prevent the app from reading messages shared on the platform, but encrypted messages could still be accessed by law enforcement with a search warrant if the messages are retained on devices. Consider turning on automatic message deletion where possible and turning off automatic back-ups.

When Responding to Legal Process Upon receiving a request for patient information from law enforcement, review the request for compliance with the Health Information Portability and Accountability Act (HIPAA) and other legal requirements and respond appropriately. Consider these steps:

Always Engage with Legal Counsel

Nec tincidunt praesent semper feugiat nibh sed pulvinar proin gravida. Cras pulvinar mattis nunc sed blandit libero. Eu tincidunt tortor aliquam nulla facilisi cras. Nec feugiat in fermentum posuere urna nec tincidunt praesent semper. Fringilla urna porttitor rhoncus dolor purus. Feugiat nibh sed pulvinar proin gravida hendrerit lectus. Velit sed ullamcorper morbi tincidunt. Vitae semper quis lectus nulla at volutpat diam ut venenatis. Et egestas quis ipsum suspendisse ultrices gravida dictum fusce. Vestibulum mattis ullamcorper velit sed. Sed odio morbi quis commodo odio aenean. Aliquam purus sit amet luctus venenatis lectus. Diam sollicitudin tempor id eu nisl nunc mi. Faucibus in ornare quam viverra orci sagittis. Feugiat scelerisque varius morbi enim nunc. Nec tincidunt praesent semper feugiat nibh sed pulvinar. Consequat interdum varius sit amet. In est ante in nibh mauris cursus. Adipiscing enim eu turpis egestas pretium aenean. Sagittis nisl rhoncus mattis rhoncus urna neque viverra justo nec. Tristique magna sit amet purus gravida. Ultricies tristique nulla aliquet enim tortor at auctor urna nunc. Ornare suspendisse.

The Solution

Ask for Valid Legal Process. Only provide data in response to valid legal process (i.e., a subpoena, court order, or search warrant)

Consider Potential Objections. Consider whether a reasonable ground for objection exists (consult with an attorney about this)

Did the correct court issue the request?

Consider Potential Objections. If HIPAA requirements are met, consider whether a reasonable ground for objection exists (consult with an attorney about this):

• Did the correct court issue the request? – insurance company has a business presence. – If the court does not have jurisdiction, you are not obligated to comply. • Is the warrant or subpoena particularized? – Are accounts/individuals specified? – Is there a limiting time frame? – Law enforcement cannot, in most cases, broadly ask for “all patients” who visited within a particular timeframe. Instead, requests for data must be specific and limited to individual patients (or a handful of patients if there was evidence they were acting together).

Respond to the Request. Petition the court if you decline to provide information

Only Disclose Requested Information. If HIPAA and/or state requirements are met and there are no grounds for objection, disclose only the PHI expressly requested by the legal request (i.e., the “minimum necessary” to comply with the request)

Only Disclose at the Specified Time

Information not specifically requested should be redacted or not shared. It may violate HIPAA to share such unrequested records. Ensure a valid attestation accompanies any requests for oversight activities authorized by law, judicial, or administrative proceedings, law enforcement purposes, and coroners and medical examiners.

Notify Patients. Where possible, notify patients whose data has been released in response to a valid legal request

Warrants may come with a gag order preventing notification. Consult with legal counsel if considering contesting a gag order. Subpoenas may impose state law-specific non-disclosure requirements.

Prevents HIPAA-covered entities from disclosing PHI related to reproductive health services without the written consent of the patient; Prohibits out-of-state judicial requests to issue a subpoena in Connecticut seeking to collect reproductive health PHI; and Prevents public agencies from aiding investigations seeking to impose criminal or civil liability for reproductive healthcare.

Consider State Laws. Determine whether state law provides any guidance

If law enforcement requests information or records, ask that they return with valid legal process. Absent a valid legal process, disclosure is not permitted under HIPAA, and fines may be imposed. For additional information, see HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care.

Home

Recommendations for Technology Companies

Guidance for Clinics and Healthcare Providers

Guidance for Individuals

When Collecting and Processing Patient Data

When Responding to Legal Process

Searching for Reproductive Health Resources

When Communicating with Reproductive Health-Related Services

When Obtaining Reproductive Health-Related Services

Deleting Data After Reproductive Health-Related Services

If a Police Officer Approaches or Contacts You

Key Takeaways

Deleting Data After Reproductive Health-Related Services

Review Requests. If you receive a subpoena, court order, or warrant, consider whether the HIPAA rules are met, or, if there is a conflict between state law and HIPAA, consider whether the law that provides the greater protection applies

For court orders, warrants, and subpoenas issued by a judicial officer or grand jury subpoena, HIPAA permits covered entities to disclose the requested information.

Encrypted Email:

Encrypted Messaging:

Encrypted Videoing:

Signal

Proton

PreVeil

iOS | Android Set and manage disappearing messages

Duo

FaceTime

Zoom

Do not capture specific appointment types (e.g., visit, procedure, consultation, check-up) where possible.

List all appointments as “appointments” so if law enforcement requests data, the response would include “appointment” with no information about the type of procedure or consultation performed. If clinics have their own communications system with patients, the contents of the communications can only be released with a warrant or court order. Note: Hospitals, facilities, and physicians providing abortion-related services may submit regular reports regarding the facility at which the abortion was performed, the physician performing the procedure, the patient’s demographic characteristics, gestational age, and the abortion procedure used, among other state-specific requirements.

Use a virtual private network (VPN) for all business activity. VPNs mask your employees’ activity by routing their internet connection through an encrypted server, preventing ISPs from seeing what employees are doing online. That way, if your ISP receives a law enforcement request, they would have limited information to hand over to law enforcement:

A number of healthcare providers have inadvertently included advertising pixels both on their websites and within protected portals that have revealed sensitive personal information. Make sure websites that collect URLs associated with searches or appointments do not have advertising pixels. This will prevent your website from revealing the identity of visitors (i.e., potential patients) to ad brokers. It may also help to reduce your exposure under state and federal wiretap laws.

The information sought is relevant and material to the legitimate law enforcement inquiry; The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and De-identified data could not be reasonably used.

De-identified data could not be reasonably used.

For subpoenas not accompanied by an order of a court or administrative tribunal, HIPAA permits disclosure if:

There is written satisfactory assurance from the requesting agency that it made a good-faith effort to notify the patient of the subpoena, it gave the patient a chance to object, and the objection has either been declined or time has elapsed; There is a protective order requested or in place; or The covered entity has made reasonable efforts to contact the patient about the subpoena.

Subpoenas, orders, and warrants issued across state lines are generally unenforceable; the request must be issued by a court within the state in which the provider, clinic, or insurance company has a business presence. If the court does not have jurisdiction, you are not obligated to comply.

Is the warrant or subpoena particularized?

Are accounts/individuals specified? Is there a limiting timeframe? Law enforcement cannot, in most cases, broadly ask for “all patients” who visited within a particular timeframe. Instead, requests for data must be specific and limited to individual patients (or a handful of patients if there was evidence they were acting together).

Android: Go to Settings > Network & Internet > Advanced > VPN. Again, if you have already downloaded one of these apps, select it and log in to your account. You can also manually add a VPN configuration by clicking the plus sign and then entering your administrator’s information.

Employ Data Minimization Techniques

Use a VPN

Block Ads from Websites

Create a Data Deletion Protocol

Recommend That Patients Avoid Using Credit and Debit Cards to Pay for Appointments

Make Appointments Securely

LEARN MORE

If possible, have legal counsel ready so you are prepared and can act swiftly if law enforcement contacts you.

Failure to respond to a valid order, warrant, or subpoena may result in fines or penalties.

If the subpoena requires disclosure at a specific time, do not disclose information before the deadline without the patient’s consent. Doing so may deprive the patient of the opportunity to seek to quash the subpoena.

For administrative subpoenas, HIPAA permits disclosure if:

When Collecting and Processing Patient Data

When Responding to Legal Process

FEATURED DEALS

Guidance for Clinics and Healthcare Providers

Guidance for Individuals

Recommendations for Technology Companies

Searching for Reproductive Health Resources

When Communicating with Reproductive Health-Related Services

When Obtaining Reproductive Health-Related Services

Deleting Data After Reproductive Health-Related Services

If a Police Officer Approaches or Contacts You

Key Takeaways

Deleting Data After Reproductive Health-Related Services

Always Engage with Legal Counsel

Ask for a Valid Legal Process

Ask for Valid Legal Process

Consider Potential Objections

Review Requests

Respond to the Request

Only Disclose Requested Information

Only Disclose at the Specified Time

Notify Patients

Consider state Laws

Consider State Laws

Comply with the Updated HIPAA Privacy Rule

The U.S Department of Health and Human Services Office for Civil Rights issued a Final Rule to Protect Reproductive Healthcare Privacy, amending the HIPAA Privacy Rule that took effect on June 25, 2024. Regulated entities must comply with the majority of the Final Rule requirements by December 23, 2024. The Final Rule prohibits clinics and healthcare providers from using or disclosing protected health information (PHI) for purposes of investigating or imposing liability on any person for seeking, obtaining, providing, or facilitating lawful reproductive healthcare. Reproductive healthcare is lawful if it is provided in a state in which the care is lawful or if it is protected, required, or authorized by federal law (regardless of the state in which it is provided). Disclosure requests for PHI for oversight activities authorized by law, judicial, or administrative proceedings, law enforcement purposes, and coroners and medical examiners must include a signed and dated attestation that the request is not for a prohibited purpose.

As a reminder, based on the Updated HIPAA Privacy Rule that took effect on June 25, 2024, reproductive healthcare is lawful when provided in a state in which the care is lawful.

See, for example, Connecticut's "Reproductive Freedom Defense Act," which:

1. Minimize Collection of SEARCH AND Location Data Related to Sensitive Medical Facilities

If law enforcement is going to serve legal process on a private entity in a reproductive health case, it is most likely going to be on a major technology company under the Stored Communications Act (SCA) because: (1) these companies have broad data holdings on individuals, and (2) law enforcement is often most familiar with serving SCA legal process on these companies. While major technology companies must comply with SCA requests, they may wish to consider taking the additional steps to enhance privacy for reproductive rights listed below.

RECOMMENDATIONS FOR TECHNOLOGY COMPANIES

3. Provide Additional Protections and Data MinimizatioN Procedures for Sensitive HEalth Data

4. Do Not Identify Pregnant People Through Consumer- Tracking Tools

Technology companies may wish to limit the collection of location data or search data, especially in relation to sensitive medical facilities. Alternatively, companies may wish to develop automatic deletion protocols. For example, on December 12, 2023, Google announced that it will automatically delete location data for individuals every three months by default. Users also have the option to delete activity related to specific locations directly in Google Maps. Search engines may expand this approach to automatically delete search terms for individuals researching counseling centers, abortion clinics, fertility centers, or similar medical facilities.

Technology companies may wish to provide end-to-end encryption for health data collected from devices and third parties, or consider automatically deleting health histories related to reproductive health.

Technology companies that are able to identify pregnant people through purchases, searches, or other online activity may wish to stop specific targeted advertising based on a person’s pregnancy, birth control needs, or reproductive health inquiries.

Home

Recommendations for Technology Companies

Guidance for Clinics and Healthcare Providers

Guidance for Individuals

When Collecting and Processing Patient Data

When Responding to Legal Process

Searching for Reproductive Health Resources

When Communicating with Reproductive Health-Related Services

When Obtaining Reproductive Health-Related Services

Deleting Data After Reproductive Health-Related Services

If a Police Officer Approaches or Contacts You

Key Takeaways

Deleting Data After Reproductive Health-Related Services

FEATURED DEALS

M&A TRENDS

2021 DEALS

When Collecting and Processing Patient Data

When Responding to Legal Process

FEATURED DEALS

Guidance for Clinics and Healthcare Providers

Guidance for Individuals

Recommendations for Technology Companies

2. Take Caution When Implementing Geofencing Technologies

Technology companies operating in certain states should consider whether geofencing around entities providing healthcare services, like an abortion clinic or reproductive healthcare facility, is prohibited. Under state laws in Connecticut, New York, Nevada, and Washington, covered companies are prohibited from placing spatial or location detection technology within a specified number of feet of any person or entity that provides in-person healthcare services or products for certain purposes, including: • Identify or track consumers seeking in-person healthcare services or products; • Collect information about the consumers; or • Send notifications, messages, or advertisements to consumers. Technology covered by these bans generally includes GPS coordinates, cell-tower connectivity, cellular data, radio-frequency identification, Wi-Fi data, and any other form of location-detection technology.