Women's Health Data Privacy After Dobbs: An Operator's Playbook for Period-Tracking, Telehealth, and Reproductive-Health Apps
Dobbs reshaped the threat model for women's health, fertility, and telehealth operators. A practical guide to the four legal regimes that touch your data, the new state-actor adversaries, and the engineering and policy changes operators should make this quarter.
What Dobbs changed for women's health data
Before June 2022, reproductive health data sat in the same general category as other sensitive personal information: valuable to advertisers, regulated under HIPAA when held by covered entities, and a real liability in the event of a breach. It was rarely a target of criminal process. That changed when the Supreme Court decided Dobbs v. Jackson Women's Health Organization, holding that the Constitution does not confer a right to abortion and returning regulatory authority to the states.
The downstream effect on data was immediate. According to the Guttmacher Institute, 14 states have since implemented total or near-total abortion bans, and several have enacted statutes that authorize criminal or civil enforcement against people who obtain, perform, or assist with abortions. Period-tracking entries, geolocation history, telehealth visit notes, pharmacy records, and search queries are now potential evidence in state investigations — not hypothetically, but as a matter of how these statutes are written and enforced.
For operators of women's health apps, fertility platforms, telehealth services, and any product that touches reproductive data, the threat model has shifted. The risk is no longer just a breach notification or an FTC inquiry into deceptive privacy practices, though those remain. It now includes subpoenas, search warrants, and civil discovery from state actors. The FTC made its position clear in a July 2022 blog post, warning that misuse of location and reproductive health data exposes consumers to significant harm and that the Commission would use the full scope of its authority to act. What follows is an operator's playbook for responding to that environment — not a political argument about it.
The four legal regimes that touch your data
Women's health data sits at the intersection of four overlapping legal frameworks, none of which fully covers the field on its own. If you operate a period tracker, fertility app, telehealth platform, or any service that collects reproductive health information, you need to know which regimes apply to you, which apply to your vendors, and which gaps you are responsible for closing through contract and design.
1. HIPAA — narrower than most operators assume
HIPAA applies only to covered entities — health plans, health care clearinghouses, and health care providers that transmit health information electronically — and to the business associates that handle PHI on their behalf, per HHS OCR guidance. Most direct-to-consumer period and fertility apps are neither. If your app is not billing insurance and not operating as a provider, HIPAA almost certainly does not reach you, no matter how sensitive the data feels. That is a feature of the statute, not an oversight you can rely on regulators to fix.
2. The 2024 HIPAA Reproductive Health Privacy Rule
For entities that are HIPAA-regulated, the rules tightened materially in 2024. The HHS final rule (89 Fed. Reg. 32976, April 26, 2024; compliance date December 23, 2024) prohibits covered providers, plans, and clearinghouses from using or disclosing PHI to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, or to identify a person for that purpose. Before making a disclosure that could plausibly fall within this prohibition, the regulated entity must obtain a written attestation from the requester confirming the request is not for a prohibited purpose.
3. FTC Health Breach Notification Rule
For everyone outside HIPAA's perimeter, the FTC has stepped in. The 2024 HBNR amendments (89 Fed. Reg. 47028, May 30, 2024) explicitly extend the Rule to health apps and similar technologies, including period trackers, fertility apps, and fitness wearables. If your app handles identifiable health information and experiences an unauthorized disclosure — including disclosures via ad-tech pixels — you owe notice to affected users, the FTC, and in some cases the media.
4. State consumer privacy laws — Washington's MHMDA leads
Washington's My Health My Data Act (HB 1155, RCW 19.373) took effect March 31, 2024, with small businesses covered as of June 30, 2024. It defines consumer health data broadly — reproductive and sexual health, gender-affirming care, biometric data, and precise location data indicating that a consumer sought health services — and is enforceable both by the Washington AG and through the state Consumer Protection Act, which carries a private right of action. That last point is the one that should reorder your risk model: MHMDA violations are litigation, not just regulatory exposure.
| Regime | Who's covered | Key obligation |
|---|---|---|
| HIPAA | Providers, plans, clearinghouses, business associates | PHI use/disclosure limits; security rule |
| HHS 2024 Reproductive Health Rule | HIPAA-regulated entities | No disclosure for reproductive-care investigations; written attestation required |
| FTC HBNR (2024 amendments) | Health and wellness apps, period and fitness trackers | Breach notice to users, FTC, sometimes media |
| WA My Health My Data Act | Entities handling consumer health data of WA residents | Consent, geofence ban, private right of action |
The new threat model: state actors as adversaries
For most of the last two decades, women's health app product teams designed against a familiar threat model: criminal hackers, careless vendors, and the occasional FTC enforcement action over deceptive privacy promises. Post-Dobbs, the adversary list now includes state prosecutors, private bounty plaintiffs, and law-enforcement officers in jurisdictions where the user has never set foot. Every data-flow decision — what to log, where to store it, who can compel it — has to be re-evaluated against that wider set of requesters.
Compelled disclosure: subpoenas, warrants, and geofence orders
The first vector is the one operators are best equipped to recognize: criminal process. State prosecutors investigating abortion-related conduct can serve subpoenas for period-tracking records, search warrants for telehealth chat logs, and geofence warrants compelling tech companies to disclose every device located near a clinic at a given time. The constitutional status of geofence warrants is unsettled — the Fifth Circuit held the technique unconstitutional in United States v. Smith (2024), but other circuits have gone the other way — so operators cannot assume a warrant will be quashed on Fourth Amendment grounds.
Civil discovery and bounty plaintiffs
The second vector is civil, and it is where the threat model genuinely breaks. Texas SB 8 authorizes any private person to sue anyone who performs, induces, or "aids or abets" a prohibited abortion, with statutory damages of not less than $10,000 per abortion. A bounty plaintiff with a viable claim can serve civil discovery on a femtech operator the same way they would on any third-party witness — and civil subpoenas do not require probable cause.
Voluntary disclosure as reputation risk
The third vector is voluntary cooperation. Before Dobbs, many consumer health apps routinely shared data with law enforcement on minimal request. The Washington Post documented in June 2022 how several major period-tracking apps had data-handling and police-cooperation practices that could expose users to prosecution; Flo and Clue responded by introducing anonymous modes or refusing to hand over data to U.S. authorities for prosecution purposes. What used to be a quiet trust-and-safety workflow is now a public-facing policy decision.
What operators should change immediately
The threat model in the prior section translates into a short list of engineering and policy decisions that founders, product leads, and counsel can make this quarter. None of these are aspirational — each is already a documented expectation from regulators, civil-liberties organizations, or established privacy frameworks. Skipping them is the path that produced the Flo Health enforcement action and the trust collapse that followed.
Collect less, and store it for less time
The single most defensible posture is the one the Electronic Frontier Foundation recommends for reproductive-health services: avoid collecting or retaining identifiable data in the first place, and where collection is unavoidable, encrypt end-to-end so the service provider itself cannot produce plaintext in response to legal process. In practice that means turning off precise IP geolocation, scrubbing location metadata before it hits your warehouse, and shortening retention windows for cycle and pregnancy fields to the minimum the feature actually needs. Purpose limitation is not a slogan — it is a defense, because data you no longer hold is data you cannot be compelled to produce.
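One way to make that posture mechanical rather than aspirational is to put a field allowlist with per-field retention in front of the warehouse. The code below is an added example, not code from this article or from any app it names; the field names, retention windows and sample event are constructed for illustration.

```javascript
// Added example: ingestion filter with a field allowlist, per-field retention and
// a purge job. Field names, windows and the sample event are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Retention per field, in days. Anything not listed is dropped on ingest, so a
// new client field cannot silently start persisting.
const RETENTION_DAYS = {
  user_id: 365,
  cycle_start: 90,       // hypothetical: prediction only needs recent cycles
  pregnancy_status: 30,
  symptom_notes: 30,
  logged_at: 90,
};
// Network and location identifiers never reach storage, even if a client sends them.
const ALWAYS_DROP = new Set(['ip', 'lat', 'lon', 'precise_location', 'device_id', 'ad_id']);
// Precision reductions applied before storage.
const COARSEN = {
  logged_at: (v) => String(v).slice(0, 10),   // keep the date, drop time of day
};

// Returns the record to persist: retained (possibly coarsened) fields plus a
// per-field expiry timestamp.
function minimizeEvent(event, nowMs = Date.now()) {
  const fields = {};
  const expiresAt = {};
  for (const [key, value] of Object.entries(event)) {
    if (ALWAYS_DROP.has(key) || !(key in RETENTION_DAYS)) continue;
    fields[key] = key in COARSEN ? COARSEN[key](value) : value;
    expiresAt[key] = nowMs + RETENTION_DAYS[key] * DAY_MS;
  }
  return { fields, expiresAt };
}

// Purge job: strips fields whose window has passed; returns null when nothing
// is left, so the row itself can be deleted.
function purgeExpired(record, nowMs = Date.now()) {
  const fields = {};
  const expiresAt = {};
  for (const key of Object.keys(record.fields)) {
    if (record.expiresAt[key] > nowMs) {
      fields[key] = record.fields[key];
      expiresAt[key] = record.expiresAt[key];
    }
  }
  return Object.keys(fields).length ? { fields, expiresAt } : null;
}

// Constructed sample: what a chatty client might send.
const SAMPLE_EVENT = {
  user_id: 'u-1', ip: '203.0.113.5', lat: 47.61, lon: -122.33, ad_id: 'abc',
  cycle_start: '2023-12-20', pregnancy_status: 'unknown',
  logged_at: '2024-01-01T09:14:00Z', marketing_segment: 'high-intent',
};
```

The purge job runs on a schedule; because each field carries its own expiry, a 30-day pregnancy field disappears from a row that still legitimately holds a 90-day cycle field.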
Encrypt on the device, not just in transit
Period tracking, symptom logs, and pregnancy status should be encrypted on the user's device with keys the backend does not hold. The NIST Privacy Framework operationalizes this through its Core Functions — Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P — and bakes in data minimization, purpose specification, retention limits, and de-identification as baseline controls. The FTC and state regulators increasingly treat the framework as the benchmark for what counts as "reasonable" privacy practice, which means deviating from it is now a litigation exhibit, not just a design choice.
Audit every SDK, pixel, and analytics integration
The cautionary tale is concrete. The Flo Health FTC settlement documented that Flo shared sensitive information about users' menstrual cycles and pregnancies with Facebook Analytics, Google Analytics, AppsFlyer, and Flurry — despite privacy-policy promises that the data would be kept private. The consent order now requires Flo to obtain affirmative express consent before sharing user health information with third parties and to instruct those third parties to destroy data they received. Operators should inventory every SDK, pixel, and tag, classify what each one transmits, and remove anything that touches reproductive-health fields. "We didn't know our analytics vendor was logging that" is not a defense the FTC has accepted.
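The inventory step can be enforced in code rather than by policy: route every third-party analytics call through a gateway that refuses events carrying reproductive-health signal, and replay captured events through it to see what each vendor would have received. This is an added example, not Flo's code or any vendor's SDK; the patterns, vendor names and sample batch are constructed for illustration.

```javascript
// Added example: an egress gateway for third-party analytics plus an audit replay.
// Patterns, vendor names and the sample batch are constructed.
const SENSITIVE_KEY = /cycle|period|menstru|ovulat|fertil|pregnan|abortion|miscarr|\blmp\b|contracept/i;
// Screens treated as sensitive flows (the checklist's cycle, telehealth-intake and clinic-locator screens).
const SENSITIVE_PATH = /^\/(cycle|pregnancy|telehealth\/intake|clinic-locator)(\/|$)/;

// Returns either the payload a vendor may receive or the reasons it was blocked.
function gateEvent(vendor, event) {
  const blocked = [];
  const url = new URL(event.url, 'https://app.invalid');   // accepts relative paths
  if (SENSITIVE_PATH.test(url.pathname)) blocked.push(`path:${url.pathname}`);
  for (const k of url.searchParams.keys()) {
    if (SENSITIVE_KEY.test(k)) blocked.push(`query:${k}`);
  }
  if (SENSITIVE_KEY.test(event.name)) blocked.push(`name:${event.name}`);
  for (const k of Object.keys(event.props || {})) {
    if (SENSITIVE_KEY.test(k)) blocked.push(`prop:${k}`);
  }
  if (blocked.length) return { vendor, allowed: false, blocked };
  // Even allowed events get only the path: query strings and full URLs are where
  // "visited-URL" signals leak.
  return {
    vendor,
    allowed: true,
    payload: { name: event.name, path: url.pathname, props: event.props || {} },
  };
}

// Audit: replay a batch of captured events against each configured vendor and
// tally what would have crossed the boundary.
function auditBatch(vendors, events) {
  const report = {};
  for (const vendor of vendors) {
    report[vendor] = { forwarded: 0, blocked: 0, reasons: [] };
    for (const ev of events) {
      const r = gateEvent(vendor, ev);
      if (r.allowed) report[vendor].forwarded += 1;
      else { report[vendor].blocked += 1; report[vendor].reasons.push(...r.blocked); }
    }
  }
  return report;
}

// Constructed sample batch of captured app events.
const SAMPLE_EVENTS = [
  { name: 'screen_view', url: '/cycle/log?lmp=2024-03-01', props: { cycle_length: 28 } },
  { name: 'screen_view', url: '/settings', props: { theme: 'dark' } },
  { name: 'button_tap', url: '/home', props: { pregnancy_mode: true } },
];
```

The audit report is the inventory the text calls for: per vendor, which fields and screens would have been transmitted before the gateway was in place.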
Publish a law-enforcement guidelines document
The four criteria the EFF tracks in its Who Has Your Back transparency work — requiring a warrant for content, publishing law-enforcement guidelines, notifying users of government data requests when permitted, and issuing transparency reports — are now baseline expectations for any service holding reproductive-health-adjacent data. Draft the guidelines, commit to warrants rather than subpoenas for content, and build the user-notification workflow before the first request arrives. A policy written under deadline by outside counsel during an active investigation is the worst version of this document.
Segment by jurisdiction
For users in states with abortion bans or SB-8-style civil-enforcement regimes, consider jurisdiction-aware processing: delete reproductive-health records when a device crosses into a hostile jurisdiction, route processing through entities outside that jurisdiction, or offer an anonymous mode that decouples the cycle log from the user identity entirely. The engineering cost is real. The alternative is a database that functions as a discovery target.
Recent regulatory action — what enforcers are watching
The enforcement record since 2021 tells operators where the trip wires sit. Each of the four actions below targets a different layer of the stack — app-level promises, ad-tech pipes, HIPAA-regulated disclosures, and state-law private rights of action — and together they map the surface area regulators now consider fair game.
FTC v. Flo Health (2021)
The Flo Health matter was the FTC's first signal that period and pregnancy data would be treated as sensitive even outside HIPAA. The June 2021 final order required Flo to obtain affirmative express consent before sharing personal health information, notify affected users about the disclosures, and instruct third parties that received the data to destroy it. There was no monetary penalty, but the order imposed a 20-year compliance regime with mandatory independent assessments. For consumer-facing health apps, that order is the floor.
FTC v. BetterHelp (2023)
BetterHelp added teeth. In March 2023, the FTC announced a $7.8 million consumer-redress payment and a flat ban on sharing consumer health data — including mental health information — with platforms like Facebook and Snapchat for advertising, after the company had promised to keep that data private. The lesson is narrow and operational: if your privacy policy says you won't share, your Meta Pixel and conversion APIs cannot send hashed email plus visited-URL signals that reconstruct the same disclosure.
HHS Reproductive Health Privacy Rule (2024)
HHS then moved the HIPAA perimeter. The Reproductive Health Privacy Rule, finalized April 26, 2024 with general compliance required December 23, 2024, prohibits HIPAA-regulated entities from disclosing PHI potentially related to reproductive health care for health oversight, judicial or administrative proceedings, law enforcement, or coroner and medical examiner requests, unless the requestor signs a written attestation that the information will not be used for those purposes. Covered entities and business associates need new intake workflows and updated Notice of Privacy Practices to comply.
Washington's My Health My Data Act
The most aggressive regime is state law. Washington's My Health My Data Act, codified at RCW 19.373 and effective in March 2024 for most regulated entities, requires affirmative consent before collecting, sharing, or selling consumer health data and prohibits geofences around in-person health-care facilities. Violations are per se violations of the Washington Consumer Protection Act (RCW 19.86), which means private plaintiffs — not just the Attorney General — can sue, with treble damages capped at $25,000 per CPA violation, attorneys' fees, and injunctive relief on the table. That private right of action is what makes MHMDA the regime to plan around if you operate nationally.
Operator's checklist
If you build, run, or advise a product that touches reproductive-health data, the work below is the minimum viable response to the legal landscape this article has walked through. Treat it as a sequenced project, not a policy refresh.
- Map the data. Inventory every field tied to menstruation, pregnancy, fertility, abortion care, or location near reproductive-health facilities. For each field, document the collection source, retention period, internal access list, and every third party that receives it. You cannot minimize what you have not mapped.
- Rewrite the privacy policy. State explicitly how you respond to government data requests, what your retention windows are, and which categories of third parties receive reproductive-health data. Vague gestures toward "legal process" are what triggered the FTC actions against Flo and BetterHelp.
- Stand up a law-enforcement response procedure. Document who reviews subpoenas and warrants, what your default posture is on challenging overbroad requests, and how you notify affected users when not legally gagged. Train the people who will actually receive the request at 5 p.m. on a Friday.
- Audit third-party trackers in sensitive flows. Pull every SDK, pixel, and analytics tag out of cycle tracking, appointment booking, telehealth intake, and clinic-locator screens. Replace with first-party instrumentation where measurement is genuinely needed.
- Encrypt cycle and pregnancy data end-to-end where the product architecture allows. If you cannot read it, you cannot be compelled to produce a readable copy.
- Document MHMDA and HHS Reproductive Health Rule compliance. Write the memo now; do not wait for an inquiry to reconstruct your reasoning.
- Be deliberate about users in banned states. Decide consciously what data you collect, retain, and share for those users, and write down why. Default settings will not defend themselves.
Building or scaling a women's health, fertility, or reproductive-health product and need a compliance plan that holds up post-Dobbs? Talk to our team.