In the wake of Roe v. Wade’s reversal, states across the country have moved to either restrict or protect access to reproductive health care. Connecticut quickly positioned itself as a national leader in safeguarding both access and privacy.
Building on its 2022 Reproductive Freedom Act, section 278 of Public Act 25-168 (the Act) expands protections for reproductive and gender-affirming health information. Effective July 1, 2025, these updates impose new legal obligations on HIPAA-covered entities and business associates, particularly when responding to subpoenas and third-party requests for health records.
This post outlines what healthcare providers and their partners need to know to comply.
The 2022 Connecticut Reproductive Freedom Act
Just weeks after the reversal of Roe v. Wade in the summer of 2022, Connecticut became the first state to pass legislation expanding access to reproductive health care and strengthening protections for reproductive health information.
In addition to expanding access to care, the law prohibited HIPAA-covered entities from disclosing any records, communications, or information related to a patient’s reproductive healthcare in any civil, probate, legislative, or administrative proceeding, unless the patient or the patient’s representative provides explicit written consent.
Explicit written consent must specifically identify reproductive health information in the consent. A general HIPAA authorization for medical information is not sufficient.
The 2025 Revisions – the Act
Effective July 1, 2025, HIPAA business associates are subject to the same restrictions as covered entities regarding the disclosure of reproductive health information. In addition, the protections now apply to gender-affirming care information.
Importantly, if such information is requested via subpoena for a civil, probate, legislative, or administrative proceeding, the covered entity or business associate may need to notify the CT AG. If none of the exceptions in the law apply (see below) and if the patient has not provided explicit written consent, the covered entity or business associate must send a copy of the subpoena to the CT Attorney General’s Office within seven days of receipt.
According to the CT AG’s website, subpoenas are to be sent to AG.ReproRights@ct.gov or faxed to 860-808-5347.
What constitutes “reproductive health care” and “gender-affirming care” services?
“Reproductive health care services” means “all medical, surgical, counseling or referral services relating to the human reproductive system, including, but not limited to, services relating to pregnancy, assisted reproduction, contraception or the termination of a pregnancy.” This is a broad definition. It includes not only abortion services but also all counseling services or referrals to other providers relating to all aspects of reproduction.
“Gender-affirming health care services” means “all supplies, care and services of a medical, behavioral health, mental health, surgical, psychiatric, therapeutic, diagnostic, preventative, rehabilitative or supportive nature, including medication relating to the treatment of gender dysphoria and gender incongruence.” It does not include conversion therapy.
What are the exceptions to the prohibition on disclosure without patient consent?
Explicit written consent from the patient or their legal representative is not required for disclosure of information in civil, probate, legislative, or administrative proceedings in the following situations:
- Compliance with CT Law: When disclosure is required by Connecticut law or CT Judicial Branch rules.
- Legal Defense: When a claim has been made—or is reasonably expected to be made against a covered entity or business associate for the purpose of defending against the claim.
- Public Health Investigations: To the Commissioner of the Department of Public Health when records are part of a complaint investigation and are relevant to that complaint.
- Abuse Reporting: if the covered entity or business associate has knowledge or a good faith suspicion of child abuse, elder abuse, abuse of a physically disabled or incompetent individual or abuse of an individual with intellectual disability.
Importantly, if none of the above exceptions apply to the subpoena and the patient or legal representative has not provided explicit written consent, the covered entity or business associate must notify the CT AG as described above.
What if the request falls under the Act but the patient signed a HIPAA authorization that does not explicitly include reproductive health or gender-affirming care information?
The short answer: get an authorization with explicit written consent or redact the information. See a more in-depth discussion under a similar heading in Connecticut’s New Law Protecting Reproductive Information and How it Works with HIPAA.
How is CT’s protection of these records different than the existing protection of records under HIPAA?
HIPAA requires only a generalized written authorization for the release of most protected health information (PHI). This includes reproductive health information since a federal court vacated the HIPAA Reproductive Health Final Rule in June 2025. Except for the very narrow category of psychotherapy notes, HIPAA does not treat categories of medical information differently.
In contrast, the Act, when applicable, essentially creates a special class of medical information for reproductive health care and gender-affirming care information that receives more protection under state law than HIPAA provides. It is more protective because it requires explicit consent before a provider or its business associate can disclose such information when the disclosure is for a civil action or probate, legislative or administrative proceeding.
This could involve, for example:
- A subpoena for documents or testimony
- A request from an attorney related to a lawsuit
- An investigative demand from a government agency
- A request from a party in a probate court matter
Under these circumstances, a standard HIPAA authorization will not suffice. Rather, as with behavioral health, HIV/AIDS, and substance use disorder information, the authorization must specifically allow the release of reproductive health or gender-affirming care information.
Will this impact how providers share information with other providers for treatment purposes?
No. The Act explicitly permits continued lawful sharing of PHI permitted by state or federal law. This includes sharing for treatment purposes. Although providers may share reproductive health and gender-affirming care information across state lines for treatment purposes, I urge them to document the patient’s understanding and consent. Once the records leave Connecticut, they no longer receive protection under Connecticut law.
What changes are necessary to ensure compliance with the Act?
Covered entities and business associates must train staff to:
- Identify requests from lawyers, subpoenas, and government agencies seeking health information that includes reproductive or gender-affirming care information.
- Understand that these requests require extra scrutiny.
- Recognize that a standard HIPAA authorization may not permit the disclosure of such information.
- Report offending subpoenas to the CT AG.
In addition, covered entities and business associates should be sure that they have a good process for managing third-party requests for information, generally. See Providers of Care and Defenders of Privacy: Strategies to Protect Patient Privacy After the Reversal of Roe v. Wade.
How will the Act impact a patient’s request to access their own records for use in a court proceeding?
It will not affect a patient’s right to access their own information, even if it is for a civil, probate, legislative or administrative proceeding. A patient retains the right to access to the patient’s record subject only to limited exceptions. Covered entities should have detailed policies on a patient’s right of access and should follow those policies in responding to patient requests or directives to send information.
Conclusion
Connecticut’s expanded protections require covered entities and business associates to go beyond HIPAA compliance and ensure explicit written consent when required for reproductive health and gender-affirming care information. Further, covered entities and business associates must carefully review subpoenas seeking reproductive or gender-affirming care information and report those that violate state law to the CT Attorney General.