Speaking Engagements
Georgetown Law 2025 Advanced eDiscovery Institute
November 21, 2025 | 8:30 AM – 9:30 AM ET
Leading the energy evolution.
Learn more
From compliance to the courtroom, we have you covered.
Learn more
Helping you focus on what matters – improving human health.
Learn more
Trusted advisors to leading insurers for 100+ years.
Learn more
Unlocking value in the middle market and beyond.
Learn more
Full-service legal advice from coast to coast.
Learn more
Applying radical applications of common sense
Explore More
Our standard-setting client experience program.
Explore more
Delivering life-changing help to those most in need.
Explore More
Our firm’s greatest asset is our people.
Explore More
Market-leading eDiscovery and data management services.
Explore more
The Pepper Center for Public Services
Explore more
Strategies helps businesses and individuals solve the complexities of dealing with the government at every level. Our team of specialists concentrate exclusively on government affairs, representing clients nationwide who need assistance with public policy, advocacy, and government relations strategies.
This unique program provides innovative and affordable opportunities to startups and early-stage emerging companies with a solid technology or scientific foundation. We help companies that have a quality management team in place and do not have other significant legal representation.
eMerge’s lawyers and technologists work together to deliver strategic end-to-end eDiscovery and data management solutions for litigation, investigations, due diligence, and compliance matters. We help clients discover the information necessary to resolve disputes, respond to investigations, conduct due diligence, and comply with legal requirements.
Stay ahead of the curve and in touch with our latest thinking on the issues that are top of mind across our practices and industry sectors.
Change happens fast in today’s turbulent world. Stay on top of the latest with our industry-specific channels.
Take a closer look at how we partner with clients to help them realize their goals.
Articles + Publications October 6, 2025
Influenced by advancements in AI and wearable technology, and fueled by privacy concerns, reproductive health data is at a pivotal intersection of federal and state regulations. Traditionally, the Health Insurance Portability and Accountability Act (HIPAA) has served as the primary framework for protecting patient information and regulating health care providers and insurers.
Recently, however, a federal judge in Texas overturned the Reproductive Health Care Privacy rule, which amended HIPAA to impose stricter limitations on the use and disclosure of reproductive health-related protected health information (PHI). This ruling leaves covered entities uncertain about compliance, as states like California, Washington, and Virginia are enacting laws to fill these gaps and protect reproductive health data across various platforms and technologies. These laws often apply beyond traditional health care entities regulated by HIPAA, yet may still apply to HIPAA-covered entities if they collect data outside their medical provider role. This post summarizes some of the key developments and requirements in this area.
Federal Protections – A Federal Court Vacates the Final Rule
In April 2024, the U.S. Department of Health and Human Services (HHS) amended the HIPAA Privacy Rule to support reproductive health care privacy in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization. A majority of the final rule prohibits covered entities from disclosing or using PHI potentially related to reproductive health care for certain purposes, including criminal or administrative investigations or penalties. It also requires covered entities to attest that they would not use or disclose reproductive health care PHI for a prohibited purpose. The final rule also updated 42 CFR Part 2, requiring covered entities to revise their Notice of Privacy Policies to inform individuals of these changes.
In Purl v. U.S. Department of Health and Human Services, a Texas physician challenged the final rule on the grounds that it prevented her from complying with state reporting requirements related to child abuse and participating in public health investigations. On June 18, 2025, the court agreed and struck down those portions of the final rule related to reproductive health care privacy protections finding that they impermissibly limit state law on child abuse reporting, unlawfully redefine terms, and exceed HHS’s authority to implement such a rule.
Accordingly, the court vacated the reproductive health care privacy protections set forth in the final rule, leaving intact only those requirements relating to modifications in notices of privacy practices related to substance abuse disorder to reflect changes in Section 3221(i) of the Coronavirus Aid, Relief, and Economic Security Act. HHS let the August 18, 2025, appeal deadline pass without challenging the Purl decision, thus telegraphing its agreement with the court’s decision. HIPAA-regulated entities must continue protecting reproductive health care information under existing HIPAA rules and regulations, but the enhanced reproductive protections under the final rule are no longer in effect.
State Law Fills in the Gaps
Even with the court-imposed limitations on the HIPAA final rule, several important states have regulated in this space. California, Virginia, and Washington have enacted data privacy laws that expand upon the federal requirements, with New York closely following suit with their pending New York Health Information Privacy Act (NYHIPA). These laws are broadly written and may apply to traditional HIPAA-regulated covered entities, health care-adjacent companies (e.g., fitness trackers), and organizations that likely do not consider themselves to be health care-oriented at all (e.g., retailers, advertisers, and tech companies that process geolocation data). Below are some considerations for businesses collecting reproductive health data.
California:
California’s Assembly Bill No. 352 (AB 352), effective January 1, 2024, amended California’s Confidentiality of Medical Information Act (CMIA) and introduced significant changes to the handling and sharing of sensitive health information, particularly regarding reproductive health services. The law applies broadly to both traditional and nontraditional health care entities. These nontraditional entities include electronic health record (EHR) developers, digital health companies, and other entities that store or maintain medical information on behalf of health care providers, health plans, pharmaceutical companies, contractors, or employers.
Although AB 352 does not create a new private right of action, it continues to allow individuals to seek remedies under the CMIA for negligent release of their confidential information or records. Administrative fines and civil penalties for negligent disclosure or mishandling of medical information can range from $2,500 to $25,000 per violation. Penalties for willful violations can amount to $250,000 per violation, and criminal penalties may also apply if the violation results in economic loss or personal injury to a patient. Key requirements include:
This law does not include a HIPAA exemption and therefore applies to HIPAA-covered entities.
Virginia:
Virginia’s Senate Bill 754, amending the Virginia Consumer Protection Act (VCPA), took effect on July 1, 2025. It prohibits “suppliers” from processing reproductive and sexual health information (RSHI) without consumer consent.
“Suppliers” include any entity involved in consumer transactions that obtain RSHI, including small businesses and nonprofits. Non-health care organizations, such as retailers, search engines, and companies using geolocation data, may fall under the act’s scope due to its broad definitions. The law includes the carveouts under the Virginia Consumer Data Protection Act (VCDPA), explicitly exempting PHI covered by HIPAA or similar federal or state regulations.
The act defines RSHI broadly, including information related to reproductive health services, conditions, surgeries, contraceptive use, and any data derived from non-health-related sources. It does not differentiate between data controllers and processors, arguably requiring vendors to obtain consent for processing RSHI.
Violations can result in civil penalties enforced by the Virginia attorney general, ranging from $2,500 to $5,000 per violation. The act also provides a private right of action for consumers, allowing recovery of actual damages or statutory damages, with potential for treble damages and attorney fees for willful violations.
Key requirements include:
For more information on the Virginia law, please visit our FAQ series on Virginia’s Protection of Reproductive Health Information Law.
Washington:
The My Health My Data Act (MHMDA), effective on April 27, 2023, imposes a variety of restrictions on the use of “consumer health data” by companies operating in Washington or engaging with its residents. Consumer health data includes any personal information linked to a consumer’s health status, and explicitly includes cookie IDs. The law is broad and applies to both traditional health care entities (like doctors or hospitals) as well as digital health companies (e.g., fitness trackers, telehealth apps). However, HIPAA-regulated PHI is not regulated by the statute. As with California’s and Virginia’s laws, the MHMDA covers a wide range of organizations, including small businesses and nonprofits, and applies to data collected in Washington.
Investigations into and penalties for violations of MHMDA can be brought by the Washington attorney general, with a maximum fine of $7,500 per violation. If the violation is deemed willful or intentional, the attorney general can, in their discretion, seek higher penalties. Further, the statute allows consumers to pursue a private right of action for noncompliance, including seeking declaratory relief, injunctive relief, actual damages, and statutory damages of up to $7,500 per violation.
Key aspects of the MHMDA include:
New York:
The NYHIPA will also seek to fill in the gaps and protect data not typically falling under HIPAA, requiring reasonable safeguards to protect the security, confidentiality, and integrity of regulated health information.
Similar to the other states, the NYHIPA applies broadly to both traditional health care entities like health care providers, and health insurers, but also nontraditional entities, such as apps and digital platforms that collect health data (e.g., wearable devices and digital health tools). The NYHIPA covers any health-related data that can identify an individual, including data related to medical conditions, treatment, prescription information, mental health data, and genetic information.
Although the NYHIPA does not offer a private right of action, the New York attorney general has enforcement power, and can bring both investigations and civil enforcement actions against organizations that fail to comply. Fines for violation can amount to $5,000, and up to $10,000 per violation if the violation was willful or resulted in harm to individuals.
Key aspects of the NYHIPA will include:
There are consistent themes across these state laws: entities not traditionally viewed as health care providers, such as digital health trackers and fitness apps, are now subject to stringent privacy regulations with significant penalties for noncompliance. Organizations should reassess the data they collect, the methods of collection, and its intended use to determine if they are governed by these statutes. Given the complexity and potential impact of these regulations, it is crucial for organizations to consult with experienced privacy counsel who can provide tailored guidance to ensure compliance and help mitigate risks associated with these new laws.
Speaking Engagements
Georgetown Law 2025 Advanced eDiscovery Institute
November 21, 2025 | 8:30 AM – 9:30 AM ET
Firm Events
2025 Mid-Atlantic Health Care IT Forum
November 19, 2025 | 3:30 PM – 7:00 PM ET
Troutman Pepper Locke Philadelphia Office – Philadelphia Conference Center
31st Floor, 3000 Two Logan Square, Philadelphia, PA 19103, Eighteenth and Arch Streets
Sponsored Events
2025 ACG Deal Crawl
November 19 – 20, 2025
JW Marriott Charlotte
600 S College Street, Charlotte, NC 28202
Speaking Engagements
Restructuring in the Age of Artificial Intelligence
November 17, 2025 | 1:30 PM – 2:30 PM ET
Offices of CohnReznick
New York, NY
Leading the energy evolution.
Learn more
From compliance to the courtroom, we have you covered.
Learn more
Helping you focus on what matters – improving human health.
Learn more
Trusted advisors to leading insurers for 100+ years.
Learn more
Unlocking value in the middle market and beyond.
Learn more
Full-service legal advice from coast to coast.
Learn more
Applying radical applications of common sense
Explore More
Our standard-setting client experience program.
Explore more
Delivering life-changing help to those most in need.
Explore More
Our firm’s greatest asset is our people.
Explore More
Market-leading eDiscovery and data management services.
Explore more
The Pepper Center for Public Services
Explore more
Strategies helps businesses and individuals solve the complexities of dealing with the government at every level. Our team of specialists concentrate exclusively on government affairs, representing clients nationwide who need assistance with public policy, advocacy, and government relations strategies.
This unique program provides innovative and affordable opportunities to startups and early-stage emerging companies with a solid technology or scientific foundation. We help companies that have a quality management team in place and do not have other significant legal representation.
eMerge’s lawyers and technologists work together to deliver strategic end-to-end eDiscovery and data management solutions for litigation, investigations, due diligence, and compliance matters. We help clients discover the information necessary to resolve disputes, respond to investigations, conduct due diligence, and comply with legal requirements.
Stay ahead of the curve and in touch with our latest thinking on the issues that are top of mind across our practices and industry sectors.
Change happens fast in today’s turbulent world. Stay on top of the latest with our industry-specific channels.
Take a closer look at how we partner with clients to help them realize their goals.