Multiple Republican-led states have sued to rescind a federal rule keeping the records of those who sought legal reproductive care private, while a federal judge in Texas is questioning the constitutionality of the federal HIPAA law in its entirety. (Photo by Wichayada Suwanachun/Getty Images)

The decades-old federal law protecting the privacy of individual health information is threatened by multiple lawsuits that seek to throw out a rule restricting disclosure of information in criminal investigations, including for those seeking legal abortion and other reproductive health care.

In one of the cases, the Texas federal judge who has been at the center of several anti-abortion court battles appears to question the constitutionality and legality of the health privacy act in its entirety.

The Health Insurance Portability and Accountability Act — or HIPAA — established in 1996 to protect the privacy and security of patient health information, includes some exceptions under limited conditions, such as law enforcement investigations. But after the U.S. Supreme Court ended federal abortion rights in 2022 and more than a dozen states passed abortion bans, advocates worried that such records could be used by state officials and law enforcement to investigate and prosecute patients seeking an abortion and those who help them.

Health officials under former President Joe Biden’s administration enacted a HIPAA rule to keep health information private when the patient was in a state with legal access and the care was obtained legally. In order to release information related to this type of care, the entity subject to HIPAA rules must sign a document stating it is not released for one of the prohibited purposes.

“These cases may have been prompted by this newer rule, but they threaten more broadly the entire HIPAA system on which we all rely when accessing medical care,” said Carrie Flaxman, senior legal adviser for Democracy Forward, a nonprofit legal organization.

Two lawsuits seek to rescind that most recent rule, while another brought by Texas Attorney General Ken Paxton goes a step further, asking the court to remove the general rules established in 2000 about how much health information can be disclosed to law enforcement.

“The threats to the 2000 privacy rule would be a seismic shift that could erode patients’ trust entirely in their providers and dissuade them from wanting to seek out health care and be transparent about their symptoms,” said Ashley Emery, a senior policy analyst for the nonprofit Partnership for Women and Families. “A law enforcement officer could pressure a psychiatrist to share patient notes from therapy sessions without a subpoena, without a warrant, if the 2000 privacy rule is invalidated.”

The state of Missouri sued to rescind the Biden rule in January, and the state of Tennessee filed a similar action the same day that 14 other Republican attorneys general joined as plaintiffs: Alabama, Arkansas, Georgia, Idaho, Indiana, Iowa, Louisiana, Montana, Nebraska, North Dakota, Ohio, South Carolina, South Dakota and West Virginia. All but three of those states either heavily restrict or outright ban abortion, and if the lawsuits are successful, records kept by doctors and pharmacists in other states could be subpoenaed.

All of the lawsuits are filed against the U.S. Department of Health and Human Services, which is now under Republican President Donald Trump and HHS Secretary Robert F. Kennedy Jr. The Trump administration has so far followed the direction of the conservative Heritage Foundation’s Project 2025, which calls for the most recent HIPAA rule to be rescinded.

Amarillo judge ordered briefing on HIPAA’s constitutionality and legality

Three cases are still in motion, including one with a physician as the plaintiff. Dr. Carmen Purl, the sole owner of Dr. Purl’s Fast Care Walk In Clinic in Dumas, Texas, sued HHS because she said the rule creates a conflict with the laws requiring her to report child abuse.

“I consider both a pregnant woman and her unborn child to be human persons, and both are entitled to medical care and deserve the protection of the law,” Purl said in court documents. “I believe … that elective abortions harm patients’ health and public health.”

The location of Purl’s clinic puts her in the judicial district that has only one federal judge — U.S. District Judge Matthew Kacsmaryk, a Trump appointee. Most federal cases are assigned randomly to a group of judges in a district, but since Kacsmaryk is the only one, many advocates and attorneys have accused law firms like Alliance Defending Freedom, who is representing Purl in the case, of “judge shopping,” or finding a plaintiff in a certain area for the purpose of putting it in front of an ideologically friendly judge.

On Dec. 22, Kacsmaryk granted an injunction blocking enforcement of the rule against Purl while the case proceeds, and he is still considering whether to permanently block the law.

As part of the decision, Kacsmaryk also ordered the parties to submit briefs explaining how recent U.S. Supreme Court rulings that delegate more authority to Congress over administrative agencies “affect the constitutionality or legality of HIPAA and HHS’s authority to issue the 2024 rule.”

Kacsmaryk presided over a lawsuit in 2023 brought by a group of anti-abortion doctors seeking to revoke the U.S. Food and Drug Administration’s approval of mifepristone, one of two drugs commonly used to terminate pregnancies in the first trimester and to treat miscarriages. Kacsmaryk ruled in favor of removing its approval, but the U.S. Supreme Court unanimously overruled him in 2024.

Purl added that she thinks gender-affirming care is harmful to children, never medically necessary and a matter of concern for public health, though she has never treated a child with gender dysphoria. In the process of providing routine medical care, she said she could learn that a child was being subjected to gender-affirming treatments or procedures that could constitute child abuse, and she would be obligated to report it.

Purl’s clinic has fewer than 20 employees, and she has been licensed to practice family medicine in Texas since 1986. In that time, she said she has treated many patients who have been victims of abuse and neglect, and estimates she has personally treated more than 100 pediatric patients who were victims of sexual abuse.

“I have treated hundreds of girls under the age of consent who were either pregnant or reported sexual activity. During my career, I have delivered babies from mothers as young as 12 years old,” Purl wrote.

Purl said she has responded to Child Protective Services investigations between 10 and 12 times, and she fears that providing full, unredacted patient records in response to an entity such as CPS would violate the 2024 rule and subject her and the clinic to civil and criminal penalties, which often means hefty fines.

In a response filed by HHS in December, before Trump’s second term began, the department said the rule does nothing to prevent Purl from reporting suspected child abuse, and denied the other harms Purl said she would incur.

“Given the nature of her medical practice, Dr. Purl is highly unlikely to ever encounter a conflict between her obligations under state law and under the Rule,” the department said in court documents.

AGs from ban states are testing newly enacted shield laws

The Texas case led by Paxton has been on hold since February, after the U.S. Department of Justice asked the court to delay scheduling until the new administration could determine how to proceed. U.S. District Judge James Wesley Hendrix, a Trump appointee, ordered the parties to file a status report by May 1.

Attorneys general in states with abortions bans have already attempted to prosecute providers in other states for prescribing abortion pills via telehealth and prosecute women who obtained an abortion in another state without the consent of a male partner. Louisiana Gov. Jeff Landry signed an extradition warrant for a doctor in New York for prescribing and mailing abortion pills to residents of the state.

New York is one of 17 Democratic-led states that has a shield law to protect providers and patients from out-of-state legal actions for reproductive care and gender-affirming care, and the state government has so far refused to comply with Louisiana’s law enforcement efforts.

The coalition of states that joined Tennessee’s lawsuit claim the privacy rule harms their ability to investigate cases of waste, fraud and abuse, and “sharply limits state investigative authority.”

Chad Kubis, spokesperson for Tennessee Attorney General Jonathan Skrmetti, told States Newsroom via email that the office could not comment for this story because of the ongoing litigation.

“The final rule will hamper states’ ability to gather information critical to policing serious misconduct like Medicaid billing fraud, child and elder abuse, and insurance-related malfeasance,” the complaint says.

Attorneys at Democracy Forward have asked the courts to allow the clients they are representing to intervene as defendants in all four cases, arguing that the new administration is likely to either not defend the cases at all or defend them inadequately. They are representing the cities of Columbus, Ohio, and Madison, Wisconsin, as well as Doctors for America, an activist organization of physicians and medical students. None of the judges have ruled on their motions yet.

Partnership for Women and Families filed an amicus brief with 23 other advocacy organizations to support upholding the rule.

“We can’t count on the Trump administration to defend this regulation, given its longstanding record of hostility toward reproductive health and rights,” Emery said.

It’s possible the new leadership at HHS will rescind the 2024 rule, Emery said, but the lawsuits alone are concerning enough because of the threat posed to privacy protections. That’s part of the goal, said Emery and Flaxman — to present the threat and sow fear and intimidation in patients and providers. And the method of launching multiple lawsuits in various jurisdictions fits a pattern that has been observed in the fight for abortion rights, Emery said.

“Anti-abortion extremists’ legal campaign against HIPAA’s reproductive health privacy protections is designed to test out different legal venues and arguments to obtain the most favorable outcome possible,” she said.

Doctor who has been investigated before says intimidation tactics have an effect

Indiana OB-GYN Dr. Caitlin Bernard knows what it’s like to be the target of an investigation, and said she’s still in court fighting new attempts to instill fear in doctors and patients.

Bernard was an abortion provider in Indiana before the state enacted its ban in August 2023. She reported in 2022 that she had provided a medication abortion to a 10-year-old rape victim who traveled to Indiana from Ohio when the state briefly had a ban in place. She was accused of violating patient privacy laws and investigated by Indiana Attorney General Todd Rokita, and the state licensing board fined her $3,000 and reprimanded her for the incident after Rokita asked the board to revoke her license to practice medicine. She was found to have violated patient privacy, but the board determined the fine was sufficient and she kept her license.

“Now my case is held up as an example of what can happen to you if you speak out about abortion bans,” Bernard said. “I’ve spoken to many physicians across the country who are intimidated by that. They say, ‘Look at Dr. Bernard and what happened to her.’”

Now, Bernard is part of a lawsuit against the state to categorize terminated pregnancy records as medical records in state law that cannot be released to the public. Indiana has historically treated abortion reports as public record with certain details redacted, but Bernard said with the ban in place and so few people qualifying for its limited exceptions, that policy should change. The records include demographic information like age, ethnicity and education level, as well as information such as diagnoses and the date, location and physician who provided care.

“It also includes the county, so you could imagine in these very small counties, somebody could absolutely figure out who that person is,” Bernard said.

Ashley Emery, senior policy analyst at Partnership for Women and Families, said the lawsuits take aim at a deeply needed line of defense against abortion criminalization, and said it will disproportionately affect immigrants, people of color and low-income populations. Trust is already low between marginalized people and health care providers, Emery said, and this would further erode that trust.

“These challenges to HIPAA are designed to take protections away from patients and try to allow anti-abortion politicians to have more control, and I think that power deficit is really important to note, and it should be very chilling,” she said.

Editor’s note: This story has been corrected to say the Indiana state licensing board found Dr. Caitlin Bernard violated patient privacy laws but kept her license.

White House Senior Advisor to the President, Tesla and SpaceX CEO Elon Musk arrives for a meeting with Senate Republicans at the U.S. Capitol on March 05, 2025 in Washington, DC. Musk is scheduled to meet with Republican lawmakers to coordinate his ongoing federal government cost cutting plan. (Photo by Kevin Dietsch/Getty Images)

While the role and actions of the Elon Musk-headed Department of Government Efficiency remain somewhat murky, data privacy experts have been tracking the group’s moves and documenting potential violations of federal privacy protections.

Before President Donald Trump took office in January, he characterized DOGE as an advisory body, saying it would “provide advice and guidance from outside of government” in partnership with the White House and Office of Management and Budget in order to eliminate fraud and waste from government spending.

But on Inauguration day, Trump’s executive order establishing the group said Musk would have “full and prompt access to all unclassified agency records, software systems and IT systems.”

In the nine weeks since its formation, DOGE has been able to access sensitive information from the Treasury Department payment system, information about the headcount and budget of an intelligence agency and Americans’ Social Security numbers, health information and other demographic data. Musk and department staffers are also using artificial intelligence in their analysis of department cuts.

Though the Trump administration has not provided transparency around what the collected data is being used for, several federal agencies have laid off tens of thousands of workers, under the direction of DOGE, in the past two months. Thousands have been cut from the Environmental Protection Agency, Department of Education, Internal Revenue Service and the Department of Treasury this month.

Frank Torres, senior AI and privacy adviser for The Leadership Conference’s Center for Civil Rights and Technology, which researches the intersection of civil rights and technology, said his organization partnered with the Center for Democracy and Technology, which researches and works with legislators on tech topics, to sort out what DOGE was doing. The organizations published a resource sheet documenting DOGE’s actions, the data privacy violations they are concerned about and the lawsuits that several federal agencies have filed over DOGE’s actions. 

“It doesn’t have to be this way,” Torres said. “I mean, there are processes and procedures and protections in place that are put in place for a reason, and it doesn’t appear that DOGE is following any of that, which is alarming.”

The organizations outlined potential violations of federal privacy protections, like the Privacy Act of 1974, which prohibits the disclosure of information without written consent, and substantive due process under the Fifth Amendment, which protects privacy from government interference.

White House Principal Deputy Press Secretary Harrison Fields would not say if DOGE planned to provide more insight into its plans for the data it is accessing.

“Waste, fraud and abuse have been deeply entrenched in our broken system for far too long,” Fields told States Newsroom in an emailed statement. “It takes direct access to the system to identify and fix it. DOGE will continue to shine a light on the fraud they uncover as the American people deserve to know what their government has been spending their hard earned tax dollars on.”

The lack of transparency concerns U.S. Reps. Gerald E. Connolly, (D-Virginia) and  Jamie Raskin, (D-Maryland), who filed a Freedom of Information Act request this month requesting DOGE provide clear answers about its operations.

The request asks for details on who is in charge at DOGE, the scope of its authority to close federal agencies and lay off federal employees, the extent of its access to sensitive government sensitive databases and for Musk to outline how collected data may benefit his own companies and his foreign customers. They also questioned the feeding of sensitive information into AI systems, which DOGE touted last month.

“DOGE employees, including teenage and twenty-something computer programmers from Mr. Musk’s own companies, have been unleashed on the government’s most sensitive databases — from those containing national security and classified information to those containing the personal financial information of all Americans to those containing the trade secrets and sensitive commercial data of Mr. Musk’s competitors,” the representatives wrote in the request.

Most Americans have indeed submitted data to the federal government which can now be accessed by DOGE, said Elizabeth Laird, the director of equity in civic technology for the Center for Democracy and Technology — whether it be via a tax filing, student loan or Social Security. Laird said the two organizations see huge security concerns with how DOGE is collecting data and what it may be doing with the information. In the first few weeks of its existence, a coder discovered that anyone could access the database that posted updates to the DOGE.gov website.

“We’re talking about Social Security numbers, we’re talking about income, we’re talking about, you know, major life events, like whether you had a baby or got married,” Laird said. “We’re talking about if you’ve ever filed bankruptcy — like very sensitive stuff, and we’re talking about it for tens of millions of people.”

With that level of sensitive information, the business need should justify the level of risk, Laird said.

DOGE’s use of AI to comb through and categorize Americans’ data is concerning to Laird and Torres, as AI algorithms can produce inaccurate responses, pose security risks themselves and can have biases that lead to discrimination against marginalized groups.

While Torres, Laird and their teams plan to continue tracking DOGE’s actions and their potential privacy violations, they published the first resource sheet to start bringing awareness to the information that is already at risk. The data collection they’ve seen so far in an effort to cut federal spending is concerning, but both said they fear Americans’ data could end up being used in ways we don’t yet know about.

“The government has a wealth of data on all of us, and I would say data that’s probably very valuable on the open market,” Torres said. “It’s almost like a dossier on us from birth to death.”

Musk fired back at critics in an interview with Fox News published Thursday.

“They’ll say what we’re doing is somehow unconstitutional or illegal or whatever,” he said. “We’re like, ‘Well, which line of the cost savings do you disagree with?’ And they can’t point to any.”

The Wauwatosa Police Department (Photo by Isiah Holmes/Wisconsin Examiner)

Since 2022, the Wauwatosa Police Department (WPD) has operated under new, very specific guidelines on how intelligence is collected and shared. Developing a policy involved reflection, clarification and modernization for the police department. Prior to its creation, a spokesperson wrote in an emailed statement to Wisconsin Examiner, no formal intelligence gathering policy existed at Tosa PD. 

By establishing clear standards, WPD aims to “bring about an equitable balance between the civil rights and liberties of citizens and the needs of law enforcement to collect and disseminate Criminal Intelligence on the conduct of persons and groups who may be planning, engaged in, or about to be engaged in criminal activity,” the policy states. Versions of the policy, as well as emails detailing its creation, were obtained by Wisconsin Examiner through open records requests.

The eight-page policy defines the difference between “information” and “criminal intelligence,” outlines appropriate channels for sharing that information, and establishes clear boundaries protecting individuals and groups. “Information” is defined as “raw unprocessed data that is unverified and unevaluated,” and only becomes “intelligence” once it’s been “systematically planned, collected, analyzed, and disseminated in an effort to anticipate, prevent, or monitor potential criminal activity for public safety purposes,” according to the policy. 

It stresses that such efforts must meet the threshold of “reasonable suspicion,” where a sworn law enforcement officer or investigator believes there is a “reasonable possibility” that a person or group is involved in “a definable criminal activity or enterprise.” Individuals or groups which become the focus of WPD’s intel-gathering activities must be those suspected of being involved in the planning, financing or organization of criminal acts, those suspected of being involved in criminal acts with “known or suspected crime figures,” or be the victims of those acts. 

The policy highlights that intelligence may not be gathered on individuals or groups based solely on:

• An individual or group’s support of “unpopular causes”
• Any membership of a protected class including race, color, religion, national origin, ancestry, gender, pregnancy status, sexual orientation, gender identity, age, physical or mental disabilities, veteran status, genetic information or citizenship
• Political affiliations
• “Non-criminal personal habits” 

Any information gathered from confidential sources or electronic surveillance devices “shall be performed in a legally acceptable manner and in accordance with procedures,” the policy states. The policy also requires periodic review of intelligence by appropriate WPD staff to ensure the information is accurate, current, and remains relevant to the department’s goals. If it’s not, the policy states, the information should be purged. 

Lessons learned, and a new day

The intelligence policy was created with input from several key personnel within WPD including Lt. Joseph Roy, crime analyst Dominick Ratkowski, and Capt. Shane Wrucke. WPD Chief James MacGillis — who was formerly a Milwaukee PD drug intelligence and High Intensity Drug Trafficking Area (HIDTA) officer — also had input in crafting the policy.

A WPD spokesperson wrote in an email statement that the city’s Police and Fire Commission, which oversees appointments, promotions and discipline of police and fire personnel, was not involved in establishing the policy. In April 2024, Ratkowski shared a final draft of the policy with Robert Bechtold, from the Madison Police Department. “Thanks for the SOP [Standard Operating Procedure],” emailed Bechtold, who was apparently looking for guidance on how to create such a policy. “I’m not looking forward to us building one,” he added. The Madison Police Department didn’t respond to a request for comment. 

Roy, Ratkowski, and Wrucke all have ties to WPD’s investigative division. Roy supervised the division’s dayshift and also serves as commander of the Milwaukee Area Investigative Team (MAIT), which focuses on officer-involved shootings and deaths. Ratkowski has worked at WPD since 2018, and was hired as the department’s first ever civilian crime analyst. Wrucke, like Roy, has past ties to both MAIT and WPD’s Special Operations Group (SOG), which focuses on covert surveillance, accessing phones, and drug investigations.

A WPD spokesperson explained in an email statement that the intel policy was created “to incorporate lessons learned, enhance transparency, and provide clear guidelines for intelligence gathering.” Those lessons likely stemmed from the protests of 2020, and the decisions made by investigators when WPD was still headed by former Chief Barry Weber. 

Following the killing of George Floyd by Minneapolis police officers, marches against police abuse began in Milwaukee and Wauwatosa, where a former police officer had killed three people over a five-year period. Wauwatosa experienced months of daily non-violent protests which occasionally ended in standoffs with officers. In October 2020, Wauwatosa declared a curfew after the district attorney’s office announced that officer Joseph Mensah wouldn’t be charged in his third fatal shooting. Protesters were confronted by riot police, the National Guard and militarized federal law enforcement during the curfew. 

Journalists, protesters and lawyers later learned that WPD had created a list of nearly 200 people during the summer of protest. Ratkowski had called it a “target list” in an email to assisting agencies. WPD publicly stated that the list — which included dozens of protesters, members of the Cole family, their attorneys, elected officials, and the author of this story — included  witnesses, victims and  suspects in possible crimes that occurred at the protests. 

 

5.3.4 Criminal Intelligence Collection Analysis Distribution Policy – 24-18 (2)

 

Civil lawsuits revealed more about use of the list under Weber, who retired in 2021. Ratkowski in depositions explained that he began creating the list around June 2020, after Capt. Luke Vetter asked him to begin identifying active participants in the protests. Ratkowski gathered information from confidential law enforcement databases with access to drivers license information, home addresses, arrest records, and more. He combed social media accounts on Facebook and Tinder, sometimes using fake Facebook accounts registered as “confidential informants.”

Simply being tagged in a protest-related social media post could get someone on the list, Ratkowski said in a deposition. He agreed with attorneys when asked whether “mere affiliation with a protest” was enough, and confirmed that threatening violence or committing a crime was not required. Ratkowski said that if a superior asked him to make a list of every member of the Socialist Party he would, “because I would assume that he [Capt. Vetter] would have asked me to do something that wasn’t useless.” The attorney questioning Ratkowski responded, “I’m not asking whether it’s useful or useless, I’m asking whether it’s constitutional or not,” to which Ratkowski replied, “I can’t make that determination.” 

The federal lawsuit eventually went to trial, where a jury ruled that WPD had not violated specific privacy laws related to obtaining and sharing drivers license information. 

In an emailed statement, WPD said that “a key objective” of the new intelligence policy “was to clearly define the distinction between information and intelligence, ensuring officers understand when data becomes actionable. It applies to all WPD staff involved in intelligence creation and upholds protections against intelligence gathering based on legally protected characteristics.” The department added that, “though journalists are not explicitly mentioned, the department remains committed to safeguarding First Amendment rights for all individuals. Above all, the Wauwatosa Police Department prioritizes transparency and strengthening trust within the community.”