Crisis Pregnancy Centers’ Websites Edited After Scrutiny of HIPAA Claims
Back in February, The HIPAA Journal reported on the efforts of the non-profit watchdog organizations the Campaign for Accountability and the Electronic Frontier Foundation (EFF) to prevent crisis pregnancy centers (CPCs) from claiming or implying they are bound by the Health Insurance Portability and Accountability Act (HIPAA) on their websites and intake forms, when they are not HIPAA-regulated entities.
Most CPCs are not licensed healthcare providers and are therefore not bound by the HIPAA Rules, yet CPCs have been identified by the Campaign for Accountability and EFF that imply that they are bound by the HIPAA Rules. Regardless of personal opinions about abortion procedures and reproductive healthcare, implying that personal data is protected by HIPAA when it is not is a deceptive business practice.
Under HIPAA, regulated entities are healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities, and all are required to comply with the HIPAA Rules. One of the requirements of HIPAA is to have a notice of privacy practices, which should be displayed in a prominent position in a physical location and be published on the entity’s website. The notice of privacy practices must clearly state how the entity may use and share health information, individuals’ privacy rights, and how to make a complaint about a potential privacy violation, including the right to file a complaint with the Department of Health and Human Services (HHS).
Investigations by the watchdogs identified CPCs that have a website notice of privacy practices, which indicates compliance with the HIPAA Rules. Some even state in their notice of privacy practices that individuals can file a complaint with the HHS if they feel their privacy has been violated. While anyone can file a complaint with the HHS about a potential HIPAA violation, the HHS will not act on any complaint if it is filed against a non-HIPAA-regulated entity. While a CPC may comply with its published privacy policy, uses and disclosures of personally identifiable health information are not subject to HIPAA protections, and implying or stating that information is protected under HIPAA misleads consumers about privacy protections.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Both the Campaign for Accountability and the Electronic Frontier Foundation filed complaints with several state attorneys general about the alleged deceptive business practices. In 2024, the Campaign for Accountability filed complaints with the state attorneys general in Idaho, Minnesota, Washington, Pennsylvania, and New Jersey, and this year, EFF filed complaints with the state attorneys general in Arkansas, Missouri, Texas, and Florida. The complaints included examples of CPCs in the respective states that were alleged to have engaged in deceptive business practices.
The complaints include numerous statements from CPC websites indicating HIPAA compliance, when those entities are not bound by the HIPAA Rules. For example, some CPCs state “client information is held in strict and absolute confidence, according to HIPAA guidelines,” or that they are subject to oversight by the HHS’ Office for Civil Rights, or that their forms are HIPAA-compliant. In one case, a CPC claimed, “If you receive services through [CPC], federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), also protects your health information.” In each case, the CPC is not a HIPAA-regulated entity.
In a recent update, the EFF confirmed that its efforts are showing some signs of success. While substantive responses have not been received from state attorneys general, other than confirmations that the complaints have been received, some CPCs have responded and have made changes to their messaging. “Of the 21 CPCs we cited as exhibits in our complaints, six have completely removed HIPAA references from their websites, and one has made partial changes (removed one of two misleading claims). Notably, every center we flagged in our letters to Texas AG Ken Paxton and Arkansas AG Tim Griffin has updated its website—a clear sign that clinics in these states are responding to scrutiny,” said EFF legislative activist, Rindala Alajaji. “While 14 remain unchanged, this is a promising development. These centers are clearly paying attention—and changing their messaging.”
