Paubox blog: HIPAA compliant email made easy

Data privacy: The hidden risk of unregulated pregnancy clinics

Written by Tshedimoso Makhene | August 20, 2024

Unregulated pregnancy clinics (UPCs), also known as crisis pregnancy centers (CPCs), have become a focal point both in the ongoing debate over reproductive rights and for their questionable handling of sensitive health information.

 

What are unregulated pregnancy clinics?

Unregulated pregnancy clinics are typically religiously affiliated organizations that provide services to pregnant women, including pregnancy tests, ultrasounds, and counseling. However, these clinics are distinct from regulated medical facilities in that they are not bound by the same legal and ethical obligations to protect patient privacy. Despite offering services that appear medical in nature, UPCs are not considered "covered entities" under the Health Insurance Portability and Accountability Act (HIPAA), which means they are not legally required to protect the privacy of the health information they collect.


The privacy risks at UPCs

One of the most concerning aspects of UPCs is their lack of regulation regarding data privacy. Unlike traditional healthcare providers, which are bound by strict laws to protect patient information, UPCs operate in a legal gray area. This allows them to collect and retain sensitive data—such as the date of a woman’s last menstrual period, pregnancy history, and even her interest in abortion—without the legal obligation to keep this information confidential.

Many UPCs promise confidentiality and even claim HIPAA compliance, creating a false sense of security for the women and teens who visit these centers. However, these promises are often misleading. Since UPCs do not bill insurance or transmit health information electronically in a way that would make them subject to HIPAA, they are essentially free to share the data they collect as they see fit.


The consequences of data mismanagement

In states where abortion is illegal or heavily restricted, the data collected by UPCs could be weaponized in legal investigations against women seeking reproductive care. There have already been instances where such data has been used in criminal cases. For example, in 2017, a crisis pregnancy center in Alabama provided client records that were used to prosecute a woman for drug use during pregnancy.

Moreover, recent investigations have uncovered significant breaches in data security at these clinics. A particularly concerning case involved Heartbeat International, a major anti-abortion organization that manages a network of UPCs across the U.S. It was revealed that Heartbeat had exposed sensitive client information in publicly accessible online videos, raising serious questions about the organization's data protection practices.

 

The fight against federal data privacy standards

In response to growing concerns over data privacy, federal lawmakers have been pushing for new regulations, including the American Privacy Rights Act (APRA) and the Kids Online Safety Act (KOSA). These laws aim to establish national standards for consumer data privacy and provide better protection for children online. However, the anti-abortion movement has been staunchly opposed to these bills, arguing that they would impose burdensome legal requirements on UPCs, potentially leading to their closure.

Organizations like Care Net, Heartbeat International, and the National Institute of Family and Life Advocates (NIFLA)—which are the backbone of the UPC industry—are leading the charge against these privacy protections. They argue that compliance with such laws would expose them to "service-ending legal fees" and threaten the effectiveness of their operations.

 

The need for accountability and transparency

The lack of accountability and transparency in the UPC industry is a growing concern among privacy advocates, legal experts, and lawmakers. The deceptive practices employed by these clinics undermine the trust of the women they serve and put their personal health information at significant risk. In an era where data breaches and cyberattacks are increasingly common, the unregulated handling of sensitive health information is a threat to consumer privacy and safety on multiple fronts.

Campaigns like those led by the watchdog group Campaign for Accountability (CfA) are calling for state attorneys general to investigate the privacy practices of UPCs and hold them accountable for any deceptive or dangerous behavior. Polls show that a significant majority of Americans—across the political spectrum—are concerned about the privacy practices of these clinics and support stronger regulations to protect sensitive health information.

 

FAQs

What is HIPAA, and how does it protect my health information?

HIPAA, or the Health Insurance Portability and Accountability Act, is a federal law that sets national standards for the protection of sensitive patient information. It ensures that health data is kept confidential and secure by regulating who can access and share this information. However, UPCs are often not covered by HIPAA, which means they are not required to follow these privacy standards.


How can I protect my personal information when seeking reproductive healthcare?

To protect your personal information, you should verify the credentials and privacy policies of any clinic you visit. Consider visiting a licensed medical provider or a clinic that is transparent about its services and privacy practices. Avoid sharing sensitive information with organizations that do not clearly explain how they will protect your data.

 

What are some signs that a clinic may be a UPC?

Signs that a clinic may be a UPC include a focus on free services like pregnancy tests and counseling, a lack of licensed medical staff, and an emphasis on discouraging abortion. They may also use vague language about their services and avoid offering comprehensive reproductive healthcare, such as contraception or abortion referrals.