The federal autism registry privacy debate started in April 2025 when HHS announced plans to collect data on Americans with autism through Medicare, Medicaid, medical files, and smartwatch data. This article explains what the federal autism registry privacy risks actually are, what HIPAA protects, what Pennsylvania did in April 2026, and what you can do right now.
Quick stats first
To understand the full scope of the federal autism registry privacy issue, it helps to start with the numbers.
- 1 in 31 children in the U.S. had an autism diagnosis in 2022, up from 1 in 150 in 2000 (Source: Centers for Disease Control and Prevention, 2022)
- The ACLU, the Autistic Self Advocacy Network, and more than 80 disability rights organizations signed a formal letter to HHS Secretary Robert F. Kennedy Jr. in May 2025 demanding answers on the data platform (Source: ACLU, 2025)
- Approximately 40% of children with autism in the U.S. are enrolled in Medicaid, according to data from the Centers for Medicare and Medicaid Services, meaning the scope of the platform could reach millions of families directly (Source: CMS, 2024)
What is the federal autism “registry,” and is it actually a registry?
The short answer: it started as a registry, got renamed, and the database is still being built.
In April 2025, NIH Director Jay Bhattacharya told his agency staff about plans to create “national disease registries, including a new one for autism.” The autism parent community erupted. Within days, HHS walked it back. They said it was not a registry. They called it a “real-world data platform” instead.
Here is the part that matters for you: the name changed, but the plan did not disappear. By May 2025, HHS confirmed that the National Institutes of Health and the Centers for Medicare and Medicaid Services would work together to link insurance claims, medical records, and data from personal devices including smartwatches. HHS announced that $50 million would fund the effort. The stated goal is to find the “root causes” of autism.
I remember the first time I saw the word “registry” in a headline about my child’s diagnosis and felt my stomach drop. No parent raising a child with a disability wants to hear that word. It carries a weight that most people outside our community never feel the way we do.
The thing is: a rose by any other name is still a rose. “Real-world data platform” and “autism registry” may mean different things in a legal brief, but if you are asking whether your child’s diagnosis could end up in a federal database, you are not wrong to keep asking. That question deserves a clear answer, and right now there isn’t one.
Understanding your child’s IEP rights
What data could actually be collected, and does it include my child?
The current federal autism registry privacy question centers on people enrolled in Medicare or Medicaid, which covers roughly 36% of all Americans.
The data sources HHS described include:
- Insurance claims from Medicare and Medicaid
- Electronic health records
- Prescription records
- Data from wearable devices, including smartwatches and fitness trackers
HHS stated the data would be “de-identified,” meaning names and direct identifiers would be removed. Privacy experts pushed back hard on how clean that protection actually is. Helen Tager-Flusberg, director of the Center for Autism Research at Boston University, pointed out to NPR that CMS data includes date of birth, sex, and geographic location. Those three pieces of information together can often identify a specific person, even without a name attached.
If your child is covered by Medicaid, their insurance claims are potentially within scope of this effort. If your child is on private insurance only, the current announced plan does not directly reach them. But advocates are watching closely to see whether that expands.
The Autistic Self Advocacy Network has been tracking this situation since the first announcement and updates their guidance regularly as new information comes out.
ASAN statement on the HHS data platform
Does HIPAA actually protect my child from this federal autism registry privacy concern?
HIPAA protects a lot. But it does not protect everything, and the gap is exactly what advocates are worried about.
HIPAA, the Health Insurance Portability and Accountability Act, sets strict rules for how healthcare providers, insurance companies, and health clearinghouses handle your medical information. Your child’s doctor cannot share their diagnosis without your consent. Your child’s therapist cannot hand records to a researcher without proper authorization. That protection is real, and it covers most of the healthcare your family interacts with every day.
Here is where HIPAA falls short in this situation. The Autism Society of Minnesota explains it clearly: HIPAA applies to what the law calls “covered entities,” organizations that directly provide healthcare or manage health plans. Not every federal agency automatically qualifies. An agency like HHS conducting research, rather than delivering care, may operate in spaces where HIPAA’s rules are less direct. That is the legal gap advocates are pointing to.
There is also the question of de-identified data. Under HIPAA, once data is properly de-identified, the privacy protections technically no longer apply to it. If HHS strips names from a dataset and calls it de-identified, HIPAA’s protections stop at that point, even if experts argue the data can still be connected back to individuals through other identifiers.
Your child’s school records are a separate case. They are protected by FERPA, the Family Educational Rights and Privacy Act, not HIPAA. FERPA keeps school records inside the school system. That is a different protection entirely, and it is important to know if your child has an IEP or a 504 plan.
What this means in plain terms: HIPAA is a strong floor, not a ceiling. It protects your child in the doctor’s office. It does not necessarily follow them into a federal research platform operating under research exemptions.
Advocating for your child’s rights at school
Why are advocates still worried if HHS said it is not a registry?
Because the name change did not come with answers. The federal autism registry privacy concerns remain unaddressed.
When HHS backtracked in late April 2025, they did not answer the questions that actually matter. The Autistic Self Advocacy Network wrote at the time that they still did not know how autistic people would be identified, whether personally identifying information would be pulled from the data, what confidentiality protections were in place, or whether families would have any way to opt out.
The ACLU, ASAN, and more than 80 disability rights organizations put their federal autism registry privacy concerns formally into writing in May 2025. Vania Leveille, ACLU senior legislative counsel, stated that federal health agencies had “taken every opportunity to shut disabled and autistic people out of the conversation.”
Disability advocates have also pointed to a documented history of government programs that collected data on disabled people in ways that were later used against them. That history does not make every database a threat. But it does mean that “trust us, it’s fine” is not an acceptable answer from people who have not yet explained the most basic details of how the program works. The questions being asked by the ACLU and ASAN are not political. They are practical. Who sees this data. Can you opt out. How is it secured. Those questions still do not have clear answers as of 2026.
What did Pennsylvania do, and why does it matter if you live somewhere else?
On April 16, 2026, Pennsylvania Governor Josh Shapiro signed three executive orders that directly pushed back on federal disability data collection.
The first order is the one that matters most to parents: it bars Pennsylvania state agencies from sharing disability data, including autism diagnoses, with the federal government unless sharing is legally required or the individual has given consent. Governor Shapiro confirmed at his press conference that HHS had already requested data from Pennsylvania the year before. Pennsylvania had quietly declined. The executive order made that refusal permanent policy.
Pennsylvania became the first state to put this refusal in writing, setting a precedent on federal autism registry privacy protections through executive action.
The other two orders created a new Governor’s Advisory Commission on People with Disabilities, with up to 30 volunteer members including disabled individuals and family members, and updated the state’s Developmental Disabilities Council.
Here is why this matters if you live somewhere else: if your state manages its own Medicaid program, your governor has the same tool Shapiro just used. Most Medicaid programs are state-run, even though they receive federal funding. A state can decide how much it cooperates with federal data requests that go beyond what federal law requires. Pennsylvania just showed it is possible.
No other state had made a formal move by the time of this writing. But conversations are happening in legislatures and governor’s offices around the country. Your state’s disability advocacy organization, including your local Arc chapter or the Autism Society affiliate, will have the most current information on where your state stands.
What can you actually do right now to protect your child’s information?
You do not need a lawyer to take action on federal autism registry privacy concerns. You need five concrete steps.
- Ask your child’s doctor directly at the next appointment: “Has your practice received requests from federal agencies related to autism data? Who outside of direct care does my child’s information get shared with?” Most providers will answer. If they cannot, ask to see their data sharing policy in writing.
- Call your child’s Medicaid member services line. Ask specifically about data sharing with federal research programs and whether any opt-out options exist. States vary on this. You will not know until you ask.
- Contact your governor’s office. A one-paragraph email matters. Ask your governor to follow Pennsylvania’s lead and issue an executive order limiting disability data sharing with the federal government. Offices track constituent volume on exactly this kind of issue.
- Connect with your state’s disability advocacy organization. Your local Arc, Autism Society chapter, or ASAN affiliate is actively monitoring this. They have the most current information about what your specific state is doing or considering.
- Do not stop autism evaluations or services out of fear. This one is critical. Parents were canceling autism screenings in 2025 out of concern about data collection. Delaying a diagnosis or pulling back from services does not protect your child from a federal database. It only delays their care. Your child’s diagnosis record in a clinical office is protected by HIPAA.
A parent’s guide to advocating for your child in medical and school systems
If navigating policy fear on top of everything else you carry feels like too much, you are not imagining the weight. How to protect your child’s dignity inside systems that do not always see them clearly is exactly what Boundless Love: Nurturing the Emotional Growth of Special Needs Children is for. It is not a policy guide. It is a guide for the emotional labor of raising a child the world has not caught up to yet.
Frequently asked questions
These are the most common questions parents ask about federal autism registry privacy, what the law covers, and what protections actually exist right now.
Is there a federal autism registry right now?
HHS says no. What exists is a developing “real-world data platform” linking Medicare and Medicaid claims data, medical records, and wearable device data. NIH Director Jay Bhattacharya initially called it a registry in April 2025. HHS walked that back within days. Advocacy organizations including the ACLU say the name change did not resolve the underlying concerns.
Can the federal government access my child’s autism diagnosis without my permission?
It depends on where the data lives. Medical records held by your child’s doctor are protected by HIPAA and require your authorization before being shared for most purposes. However, if your child is enrolled in Medicaid, some claims data can be accessed by federal agencies for certain research purposes under existing law without your individual consent.
Does HIPAA protect my child’s autism diagnosis from being included in a federal database?
HIPAA is strong protection in clinical settings, but it has limits when data is de-identified or when government agencies are acting in a research capacity rather than a healthcare delivery capacity. Both the Autism Society of Minnesota and the ACLU have publicly flagged these gaps in relation to the HHS data platform specifically.
What exactly did Pennsylvania’s executive order do?
On April 16, 2026, Governor Josh Shapiro signed an order prohibiting Pennsylvania state agencies from sharing disability data, including autism diagnoses, with the federal government unless legally required or the individual has given consent. The order also formalized Pennsylvania’s refusal to comply with an earlier federal request for that data. It was the first such formal state action in the country.
Should I cancel my child’s autism evaluation or pull back on services because of this?
No. Advocacy groups including ASAN have strongly cautioned against this. Delaying evaluation or services does not protect your child’s records from federal data collection. It only delays your child’s access to support. Clinical records with your child’s doctor remain protected by HIPAA.
Can I opt my child out of the federal data platform?
The current framework does not clearly define an individual opt-out process for Medicare or Medicaid claims data used in research. This is one of the specific demands the ACLU and ASAN are making of HHS. Contacting your state’s Medicaid office about state-level opt-out policies is the most concrete step available to you right now.
Why are disability advocates still concerned even after HHS said it is not a registry?
Because HHS changed the name but did not answer the questions that matter: how individuals will be identified, whether they can opt out, who will have access to the data, and how it will be secured against misuse. The ACLU’s May 2025 letter listed those specific unanswered questions. A rebrand is not a safeguard.
What is the ACLU asking HHS to do?
The ACLU is asking for three things: meaningful engagement with autistic people and advocates before any platform launches, fundamental privacy safeguards that prevent misuse, and assurance that the platform advances the wellbeing of autistic people rather than harming them. Those requests remain unmet as of the writing of this article. Read the full ACLU letter to HHS Secretary Robert F. Kennedy Jr.
What to remember
Your concern about the federal autism registry privacy situation is not overreaction. It is a reasonable response to a real situation where the people running the program have not given straight answers. What you can do is stay grounded in what is confirmed, push through your state’s leadership, and keep your child’s care moving without letting policy fear interrupt their support. The systems are messy. Your job is to keep showing up anyway.
If you want more on federal autism registry privacy and related advocacy in your inbox, the MoSN newsletter sends one honest email per week with the information you actually need for raising your child. Subscribe
