Reproductive health disclosures in therapy and cloud AI scribes: abortion, fertility, and pregnancy decisions in the vendor archive

What therapists hear about reproductive health decisions

Reproductive health topics arise in therapy across a wide range of clinical presentations — and in 2026, following the overturning of federal abortion rights protections, those disclosures carry a legal risk profile that did not exist four years ago. What clients say in these sessions is clinically ordinary; what that content represents in a jurisdiction with criminal abortion statutes is something different.

Clients processing an abortion decision describe the circumstances and timing in detail: how they learned they were pregnant, the conversations they had with their partner or family, the specific clinical providers they consulted or plan to consult, whether they are considering traveling across state lines for care, what they have already scheduled or completed, and how they feel about the decision at each stage. For a therapist, this is normal grief and decision-support work. In a state with a criminal abortion statute, those details — the provider, the date, the gestational age, the geographic route taken for care — map directly to the elements of the offense and the aggravating factors that affect prosecution.

Clients undergoing fertility treatment disclose the clinic they are using, the donor identifiers they have selected, the status of each IVF cycle, what happened to specific embryos, and the decisions they are actively making about embryos in storage. In states that have enacted fetal personhood statutes or laws governing embryo disposition, some of this content has direct legal implications. The client's verbal account of what happened to specific embryos in a failed cycle is exactly the kind of content that an investigator focused on embryo personhood claims would seek.

Clients who have experienced miscarriage sometimes describe circumstances — symptoms, delays in seeking care, medications they were taking — that could be scrutinized under fetal homicide statutes in jurisdictions where prosecutorial interpretation of those statutes is broad. Clients who are pregnant and undecided discuss the full range of options they are considering. Clients who helped a family member, partner, or friend access reproductive care describe their role in detail.

All of this content is legitimate, therapeutic, and clinically appropriate. It is also precisely the content that investigators, civil enforcement plaintiffs, and attorney general offices in restrictive jurisdictions would seek from a cloud AI scribe vendor's independently retained archive.

For foundational context on the therapist-patient privilege and what it covers, see our analysis of psychotherapy notes versus progress notes under HIPAA.

The 2024 HIPAA reproductive health privacy rule: what it does and what it does not do

On April 26, 2024, the Department of Health and Human Services published a final rule amending the HIPAA Privacy Rule to address reproductive health privacy. The rule took effect on February 16, 2024, with a compliance date of December 23, 2024. The amendment adds 45 CFR § 164.502(a)(5)(iii), which prohibits covered entities and business associates from using or disclosing PHI to:

• Conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care
• Impose criminal, civil, or administrative liability on any person for the same
• Identify any person for any such purpose

The prohibition applies when the reproductive health care at issue was lawful under the law of the state or jurisdiction in which it was provided, or when the covered entity has a reasonable basis to believe the care was lawful. The rule also requires covered entities to obtain a signed attestation before complying with certain requests for PHI potentially related to reproductive health matters.

For a therapist who is a HIPAA covered entity, this rule creates real and meaningful protection. When a law enforcement officer from a state with abortion restrictions presents a request for client PHI that relates to reproductive health, the therapist must evaluate whether the request falls under the reproductive health privacy prohibition. If the care was provided in a state where it was lawful, the therapist has a strong basis to decline the request.

The rule's protections, however, operate on covered entities and their business associates. The obligation runs from the covered entity to the investigative party. When a state grand jury issues a subpoena not to the therapist but to the cloud AI scribe vendor — seeking the vendor's independently retained business records of sessions that occurred in the therapist's office — the legal situation is structurally different. The subpoena does not ask the covered entity (the therapist) to disclose anything. The reproductive health rule's prohibition on covered entity disclosure is not directly triggered.

Whether the rule's protections extend through the business associate relationship to independently retained vendor records, and whether a vendor can invoke the rule's protections in response to a third-party subpoena served on it as a separate business entity, is an unsettled legal question. HHS has not issued guidance specifically addressing this gap. Courts will be working through it as enforcement activity develops. In the interim, the practical position of clients who have discussed reproductive health decisions with a therapist using cloud AI documentation is that the vendor's archive sits in a legal gray zone that the 2024 rule was not clearly designed to reach.

For context on how HIPAA generally applies to cloud documentation vendors, see our analysis of what a business associate agreement covers and does not cover.

The gap between the formal progress note and the verbatim archive

A therapist who exercises appropriate professional discretion in documenting a session where a client discusses a reproductive health decision will produce a progress note that reflects what is clinically relevant. The note might record that the client is navigating a significant reproductive health decision, that the client is experiencing anticipatory grief or decisional conflict, or that the client is processing a loss. The note will typically not include the name of the abortion clinic, the date of a procedure, the gestational age at termination, the state where care was obtained, the fact that the client crossed state lines, or the client's specific account of how they arranged transportation and who accompanied them.

This is appropriate clinical documentation. The therapist's professional judgment about what belongs in a health record is exercised precisely to protect the client — not just from embarrassment, but from the foreseeable legal consequences of having sensitive details committed to a medical record that could be subpoenaed.

A cloud AI scribe's verbatim archive does not apply that judgment. The session audio and the AI-generated transcript capture everything the client said. The vendor retains that content in its own database as part of its business operations — quality assurance, model improvement disclosures in the terms of service, customer service functions, audit purposes. The vendor's retained archive contains all the details the therapist's clinical documentation excluded.

This creates a structural gap that investigators have learned to exploit in other contexts. When the formal clinical record from the covered entity is too carefully worded to yield the specific facts investigators need, the vendor archive is the next target. The investigator who subpoenas the therapist's progress notes and receives a clinically worded document that says "client is processing a reproductive health decision" has a clear next step: subpoena the vendor for the verbatim audio and transcript of that session.

This is the same pattern that appears in other high-stakes documentation contexts — the gap between what the formal record says and what the vendor archive holds. We have analyzed versions of this gap in contexts ranging from civil subpoenas to cloud AI scribe vendors to what cloud AI scribes actually transmit and retain.

Five adversarial proceedings that can reach the vendor archive

1. State criminal investigation under abortion ban statutes

Fourteen states have enacted near-total or significant abortion bans since the Supreme Court's June 2022 decision in Dobbs v. Jackson Women's Health Organization. Several additional states have enacted gestational limits with criminal penalties. State grand juries in these jurisdictions have subpoena authority to compel production of records from third-party business custodians.

A state grand jury investigating an alleged criminal abortion offense can issue a subpoena to a cloud AI scribe company demanding the vendor's retained records of sessions with a specific individual on specific dates. The subpoena does not go to the therapist; it goes to the vendor as a separate business entity that independently holds business records. The vendor's legal counsel evaluates the subpoena against the vendor's own legal obligations — including HIPAA's applicability as a business associate, and potentially the reproductive health rule's reach — but this is a different legal proceeding than a subpoena directed at the therapist. The vendor does not have the same privilege framework that the therapist holds. The outcome of a challenge to this subpoena depends on the jurisdiction, the vendor's legal resources, the specific facts of the case, and how courts resolve the unsettled question of whether the 2024 reproductive health rule restricts vendor disclosure in response to third-party criminal subpoenas.

The content investigators are most likely to seek: specific dates and circumstances of a procedure; the name of a provider or clinic; descriptions of travel arrangements, including travel across state lines; conversations about who assisted in arranging care; and the client's own account of the decision-making process, which is relevant to the elements of specific criminal offenses and their intent requirements.

2. Civil bounty enforcement statutes

Texas Senate Bill 8 (effective September 2021) created a private civil enforcement mechanism for Texas's pre-viability abortion prohibition, allowing private individuals to sue anyone who performs or aids and abets a prohibited abortion for a minimum of $10,000 in statutory damages. Several other states have enacted or proposed similar private enforcement mechanisms. These civil suits are not criminal proceedings — they are civil actions brought by private plaintiffs in civil court. Civil discovery in these actions is governed by the standard civil discovery rules of the jurisdiction.

A civil plaintiff bringing a bounty enforcement action can use civil discovery — including Rule 45 subpoenas to third parties — to obtain records from a cloud AI scribe vendor. The legal path for this discovery does not run through the criminal law enforcement exception to HIPAA (45 CFR § 164.512(f)); it runs through civil subpoena authority, which requires the vendor to evaluate the subpoena against applicable privilege frameworks and HIPAA's civil proceedings provisions (45 CFR § 164.512(e)). HIPAA's civil proceedings provisions require that the subject receive notice and an opportunity to object — but if the subject (the client) does not know their therapist's vendor is the target of a civil enforcement subpoena, the notice mechanism may not protect them. The 2024 reproductive health rule's civil enforcement implications are also being developed through litigation.

3. State attorney general investigations and data requests

State attorneys general in states with abortion restrictions have broad investigative authority under state law, including the power to issue civil investigative demands and administrative subpoenas. Some state AGs have taken the position that their investigative authority extends to conduct that occurs in other states when the state has a sufficiently significant interest in the matter. The preemption analysis — whether federal HIPAA law, including the 2024 reproductive health rule amendment, preempts state law enforcement demands — is actively litigated.

A state attorney general who issues a civil investigative demand or administrative subpoena to a cloud AI scribe vendor presents a legal challenge the vendor must evaluate. If the vendor is incorporated outside the state, questions of jurisdiction arise. If the vendor does business in the state or holds records of residents of the state, the AG may argue sufficient jurisdictional basis. HHS's position is that the 2024 reproductive health rule preempts contrary state law that would require a covered entity to disclose PHI in violation of the rule — but the vendor's status as a business associate versus an independent custodian, and the vendor's ability to invoke federal preemption, are not settled.

4. Federal investigation

The federal investigative landscape for reproductive health has shifted since 2022. Federal law enforcement — DOJ, FBI, HSI — has historically operated under HIPAA's law enforcement exception (45 CFR § 164.512(f)), which permits covered entity disclosure in response to lawful process including grand jury subpoenas, administrative requests, and court orders issued pursuant to investigations. The 2024 reproductive health rule's prohibition applies to federal law enforcement requests as well as state requests — covered entities may not disclose PHI to federal investigators for purposes of investigating or prosecuting individuals for seeking lawful reproductive health care.

Federal subpoenas under Rule 17 of the Federal Rules of Criminal Procedure and under the Stored Communications Act (18 U.S.C. § 2703) reach electronic records held by service providers. A cloud AI scribe that retains session audio, transcripts, or derived records in electronic storage is a potential target for a federal Stored Communications Act demand. The SCA has its own compulsory process framework, separate from HIPAA, and HIPAA's reproductive health rule does not directly amend the SCA. Whether a vendor can successfully resist an SCA demand by invoking HIPAA and the reproductive health rule is untested.

The Comstock Act (18 U.S.C. §§ 1461-1462), a nineteenth-century statute prohibiting the mailing of obscene materials and contraceptive devices, has been cited in some policy contexts as a potential federal tool in reproductive rights enforcement. Its potential application to reproductive health documentation is speculative but discussed in legal scholarship as a post-Dobbs issue.

5. Insurance fraud investigation and coverage disputes

Medicaid in several states excludes coverage for abortion services in most circumstances. When a Medicaid beneficiary or provider is investigated for Medicaid fraud — including billing for services that Medicaid does not cover — the investigation may reach therapy session records to establish what care the patient was receiving and discussing. A cloud AI scribe vendor whose records reveal that a client discussed obtaining or receiving abortion services could become a third-party records target in a Medicaid fraud investigation, regardless of whether the investigation's primary focus is on the therapy practice.

In private insurance contexts, clients who discuss fertility treatments in therapy sometimes describe coverage decisions, insurer denials, and steps they have taken to obtain coverage for fertility services. These discussions are normal therapeutic content. In a billing dispute or fraud investigation involving the fertility clinic or insurance claim, the vendor's retained records of what the client said about their coverage situation and treatment status could be sought in civil discovery from the vendor as a third-party custodian.

What the vendor archive contains that the formal record excludes

The specific content that creates the investigative value of the vendor archive — and that the therapist's documentation judgment typically excludes from the formal progress note — includes several categories that map directly to enforcement priorities in restrictive jurisdictions:

Specific provider and location information. Clients name abortion clinics, fertility clinics, and the states where they obtained or plan to obtain care. They describe driving distances, flight arrangements, and who traveled with them. This geographic specificity is directly relevant to prosecutorial theories in states that attempt to assert jurisdiction over conduct occurring in other states, and to the aiding and abetting theories in civil bounty enforcement suits.

Temporal markers and intent. Clients describe when they discovered they were pregnant, when they made decisions, when procedures occurred, and how far into the pregnancy they were at each stage. This creates a contemporaneous timeline — made at maximum candor, before any legal proceeding was anticipated — that is more probative than reconstructed timelines from medical billing records. The client's own words establishing intent and timing are what criminal prosecutors and civil plaintiffs seek from communications records in other enforcement contexts.

Assistance networks. Clients discuss who helped them: partners who drove them, family members who provided childcare during travel, friends who provided financial assistance, abortion funds they contacted. Each named individual is a potential additional target in jurisdictions with aiding and abetting statutes. The vendor archive creates a record of this network that the therapist's formal documentation would never contain.

Medication and procedure details. Clients describe what medications they took, where they obtained them (including medication abortion through mail-order), and the clinical details of their experience. In states with specific statutes targeting medication abortion or self-managed abortion, these disclosures are directly material to the elements of potential offenses.

Ongoing deliberation in real time. Perhaps the most distinctive feature of the vendor archive in this context is that it captures the client's reproductive decision-making at every stage — often across multiple sessions — before any decision is finalized. The vendor holds a temporal record of the client considering options, gathering information, and ultimately choosing a course of action. This is unlike medical records, which document care after it has been provided. The vendor archive may contain sessions in which the client was still deciding, as well as sessions in which the client processed a decision that had already been made.

The therapist-patient privilege analysis at the vendor level

Therapist-patient privilege — or psychotherapist-patient privilege, as recognized by the Supreme Court in Jaffee v. Redmond (1996) — protects confidential communications between a therapist and a patient from compelled disclosure in federal court proceedings. State analogs protect such communications in state proceedings, though the scope varies by state.

The privilege belongs to the patient and may be asserted by the patient or by the therapist on the patient's behalf. A subpoena directed at the therapist for therapy session content is subject to the privilege; the therapist must assert it on the patient's behalf and the party seeking the records must overcome the privilege or demonstrate that an exception applies.

A subpoena directed at the cloud AI scribe vendor presents a different privilege question. The vendor is not the therapist. The vendor-client relationship is a business relationship, governed by the terms of service and the business associate agreement. Whether the therapist-patient privilege protects the vendor's independently retained copies of session audio and transcripts — such that the patient could assert the privilege to block a subpoena to the vendor — is not settled law. Courts in analogous contexts (e-discovery from cloud storage providers, subpoenas to third-party technology vendors in healthcare contexts) have reached varying conclusions about whether privilege extends to independently retained copies held by third parties.

The result is that a client who relies on therapist-patient privilege to protect their reproductive health disclosures in therapy may find that the privilege protects the therapist's records but does not clearly protect the vendor's independently retained archive. The legal battle over whether to extend privilege to vendor records is expensive, time-consuming, and uncertain — and it takes place after the investigative party has already identified that the vendor exists and holds relevant records.

For context on how psychotherapy notes receive heightened HIPAA protection and why that protection does not automatically extend to vendor records, see our analysis of psychotherapy notes versus progress notes under HIPAA.

On-device processing: closing the vendor archive gap

On-device processing eliminates the vendor archive that creates this exposure. When a therapist's AI inference runs on a local device — audio captured locally, transcription performed by a local model, draft note generated by a local model — no session audio, transcript, or derived documentation is transmitted to a vendor's servers. The vendor holds nothing. There is no separately subpoenable third-party business record.

In the reproductive health context, this matters along each of the five adversarial pathways:

In a state criminal investigation, the grand jury can still subpoena the therapist for the therapist's own records. The therapist's designated record set — the clinical progress notes the therapist maintains — is protected by HIPAA, subject to the reproductive health rule's prohibition on covered entity disclosure in response to investigative requests for reproductive health PHI, and potentially subject to therapist-patient privilege. On-device processing means there is no additional second target: no vendor archive that a grand jury can reach by issuing a separate subpoena to a technology company.

In a civil bounty enforcement action, the plaintiff's discovery cannot reach a vendor archive that does not exist. Civil discovery is limited to the therapist's own records, which are subject to the same privilege and HIPAA frameworks that have always applied to clinical documentation.

In an attorney general investigation, the AG's civil investigative demand or administrative subpoena has only one target in the clinical documentation chain: the therapist. The preemption analysis under the 2024 reproductive health rule applies cleanly to the therapist as the covered entity, rather than being complicated by the question of whether the rule reaches a vendor's independently retained copies.

In a federal investigation, a Stored Communications Act demand to a vendor for electronic records of session audio and transcripts cannot reach records that were never transmitted and never stored on a remote server. The SCA applies to service providers who hold stored electronic communications on behalf of users; on-device processing means there is no such stored communication at the vendor level.

In an insurance fraud or coverage investigation, civil discovery in any proceeding arising from coverage disputes can reach only what the covered entity holds. The vendor holds nothing.

On-device processing is not a guarantee against all investigative risk — the therapist's records remain subpoenable through lawful process. But it removes the second, separately reachable custodian who holds a verbatim archive that the therapist's own documentation judgment never created. The legal risk from a therapy relationship reverts to what it has always been: a well-established privilege framework protecting the therapist's formal records, not a novel framework addressing a cloud vendor's business records that hold content no clinician consciously chose to record.

Practical implications for therapists

Assess your client population's exposure. Therapists in states with abortion restrictions, and therapists who serve clients who travel from restrictive states to obtain care elsewhere, face a specifically elevated version of this risk. If any meaningful portion of your clinical practice involves clients navigating reproductive health decisions, the documentation architecture you use for your sessions is directly relevant to those clients' safety — not just their treatment.

Understand what your informed consent actually describes. Most therapist informed consent forms describe the therapist's own confidentiality obligations. They do not describe what a cloud AI scribe vendor retains, how long it retains it, what the vendor's response would be to a state criminal subpoena, or whether the vendor's terms of service include a commitment to invoke the 2024 reproductive health rule in response to investigative demands. Clients making reproductive health disclosures in therapy sessions documented by cloud AI scribes should be informed of the vendor relationship and what it means for the retention and potential compelled production of their session content.

Evaluate vendor data retention policies carefully. Some cloud AI scribe vendors retain session audio and transcripts indefinitely. Others have configurable retention periods. The time window during which the vendor's archive exists is the time window during which it is subpoenable. Therapists whose clients discuss ongoing reproductive health decisions are managing a risk that extends through the entire duration of the vendor's retention policy — which may be years after the sessions occurred.

Recognize the specific value of architectural privacy in this context. A business associate agreement with a cloud AI scribe vendor creates contractual obligations on the vendor, including an obligation not to disclose PHI in ways that violate HIPAA. A BAA does not override a lawful court order or grand jury subpoena. The 2024 reproductive health rule's protections are meaningful and represent a significant step forward in protecting reproductive health PHI from investigative demands — but the rule's reach to independently retained vendor archives is unsettled and likely to be litigated. Architectural privacy — the affirmative technical decision to process documentation locally so that no vendor archive exists — is a protection that works regardless of how those legal questions are ultimately resolved.

For a broader analysis of how cloud AI scribe documentation creates legal exposure that the BAA framework does not fully address, see our analysis of what cloud AI scribes actually send to servers.

Frequently asked questions

Does the 2024 HIPAA reproductive health privacy rule protect therapy clients who discussed abortion from subpoena?

The 2024 HIPAA Privacy Rule amendment (45 CFR § 164.502(a)(5)(iii)) prohibits covered entities and business associates from using or disclosing PHI to investigate or prosecute individuals for seeking lawful reproductive health care. For a therapist who is a covered entity, this is a meaningful protection that limits what they must produce in response to state investigative demands. However, the rule's prohibition runs from the covered entity to the party requesting the records. A cloud AI scribe vendor who receives a subpoena as a third-party business records custodian is in a different legal posture than the therapist receiving the same subpoena. Whether the rule's protections extend to independently retained vendor records — such that a vendor can invoke the rule to resist a subpoena — is an unsettled legal question with material consequences for clients who discussed reproductive health decisions in sessions documented by cloud AI scribes.

Can a state with criminal abortion statutes subpoena a cloud AI scribe company for therapy session recordings?

State grand jury subpoenas and attorney general investigative demands can reach third-party business records custodians, including cloud AI scribe companies. The vendor's ability to resist such a subpoena depends on the jurisdiction, the basis for the subpoena, the vendor's HIPAA obligations as a business associate, and how courts resolve the application of the 2024 reproductive health rule to vendor-held records. A client who discussed abortion in therapy sessions documented by a cloud AI scribe cannot rely on the same established privilege framework that protects their therapist's formal records from compelled production.

What specific reproductive health content appears in therapy sessions that creates this risk?

Clients discussing abortion decisions describe providers, dates, gestational timing, travel arrangements, and the people who assisted them — all content that maps to the elements of criminal abortion offenses and aiding and abetting theories. Clients in fertility treatment disclose clinic names, donor identifiers, embryo decisions, and coverage disputes. Clients processing miscarriage sometimes describe circumstances that could be scrutinized under fetal homicide statutes. All of this is clinically normal; it is also exactly what investigators pursuing enforcement in restrictive jurisdictions would seek from a vendor's verbatim archive.

How is the vendor archive different from the therapist's progress note in reproductive health enforcement contexts?

A therapist's clinical documentation reflects professional judgment about what is therapeutically relevant and should be recorded. A therapist exercising appropriate discretion will not include clinic names, procedure dates, gestational ages, or travel routes in a progress note. The cloud AI scribe's verbatim archive contains all of those details — because the archive captures what was said, not what the therapist chose to document. Investigators who find that the therapist's progress note is too clinically worded to yield specific facts can then pursue the vendor's verbatim archive as a second, separately subpoenable source of the content the therapist's documentation judgment excluded.

Does on-device processing fully protect clients who discuss reproductive health in therapy?

On-device processing eliminates the separately subpoenable vendor archive. When AI inference runs locally — no audio transmitted, no transcript sent to a server — the vendor holds nothing and cannot be compelled to produce what it does not have. The client's legal exposure from the therapy relationship reverts to the established therapist-patient privilege and HIPAA framework that protects the therapist's own formal records. On-device processing does not change what the therapist must produce in response to lawful process directed at the therapist; it removes the second custodian — the vendor — whose independently retained verbatim archive extends legal exposure beyond what the therapist's records create.