Crisis pregnancy centers are editing their websites following pressure over false claims about health data protections.
What happened
Several crisis pregnancy centers (CPCs), often criticized for posing as legitimate medical clinics, have begun quietly removing misleading claims about HIPAA compliance from their websites. The changes follow formal complaints filed by the Electronic Frontier Foundation (EFF) with attorneys general in eight US states. The complaints alleged that these centers falsely stated or implied that they were bound by HIPAA, the federal law that governs the privacy of health information.
Out of the 21 centers cited by the EFF, six have fully removed HIPAA references, and one has made partial edits. All CPCs flagged in Texas and Arkansas have updated their websites, indicating a direct response to scrutiny. The remaining 14 have yet to make changes.
Going deeper
Crisis pregnancy centers are often not licensed medical facilities and may lack qualified healthcare providers altogether. As a result, they are not required to comply with HIPAA, despite collecting sensitive personal information such as medical history, pregnancy status, and contact details.
EFF’s investigation found that many CPCs were misleading users by claiming legal protections they were not obligated to uphold. In some cases, they directed users to the U.S. Department of Health and Human Services for complaints, implying that oversight existed where it did not.
While edits to websites may reduce public confusion, they do not address the core issue: most CPCs continue to collect and handle personal data without adequate transparency or regulation. In the absence of comprehensive federal privacy laws, individuals have limited avenues for recourse if their data is misused.
What was said
EFF has not yet received full responses from any of the attorneys general contacted, aside from acknowledgments. However, the organization views the website edits as early evidence that transparency efforts are influencing public messaging. The group stated that changes to online language are not a substitute for accountability or legal safeguards.
FAQs
What is the difference between HIPAA-covered entities and crisis pregnancy centers?
HIPAA-covered entities are typically licensed healthcare providers, health plans, or clearinghouses that transmit health information electronically. Most CPCs do not meet these criteria and are therefore not bound by HIPAA.
Can a CPC legally collect sensitive health information without being subject to HIPAA?
Yes. While it is legal for CPCs to collect sensitive data, they are not required to follow HIPAA unless they are licensed healthcare entities. This means they can operate without the same privacy safeguards.
What are the risks for individuals who share personal data with a CPC?
Without HIPAA protections, data shared with CPCs may be stored, used, or shared without clear disclosure or limits. In some cases, information could be passed to affiliated political or religious organizations.
Why did some CPCs refer users to the U.S. Department of Health and Human Services?
Referring users to HHS created the false impression that CPCs were regulated by federal privacy laws. In reality, many CPCs fall outside the scope of HIPAA and are not subject to federal health privacy enforcement.
What can individuals do to protect their data if they visit a CPC?
People should ask directly whether the center is a licensed medical provider and request a written privacy policy. Avoid sharing personal or health information until privacy protections are clearly stated and verified.
Farah Amod
