Federal district court vacates the 2024 HIPAA reproductive health care amendments
On June 18, 2025, in Purl v. U.S. Dep't of Health and Human Services, the U.S. District Court for the Northern District of Texas vacated the 2024 amendments to the HIPAA Privacy Rule that enhanced certain privacy protections concerning reproductive health care information but upheld amendments to the notice of privacy practices (NPP) requirements related to substance use disorder records. The result is that HIPAA-covered entities and business associates (regulated entities) are no longer required to obtain attestations from requestors for certain disclosures of protected health information (PHI), no longer prohibited from disclosing PHI for purposes of a requestor investigating or imposing liability related to reproductive health care (as long as a relevant HIPAA permission applies), and covered entities will no longer need to revise their NPPs with respect to reproductive health care.
While the U.S. Department of Health and Human Services (HHS) had sought dismissal of the case (even after the change of administration), it is unclear whether HHS will appeal this decision. In the meantime, although reproductive health care will no longer receive additional safeguards under HIPAA, regulated entities still will need to comply with the remainder of the Privacy Rule's restrictions on disclosures of PHI and an increasing number of state laws intended to protect information about reproductive health care and gender-affirming care.
The 2024 Rule
In response to the Dobbs v. Jackson Women's Health Organization decision reversing Roe v. Wade, HHS published a HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the "2024 Rule") on April 26, 2024, with an enforcement date of December 23, 2024. The 2024 Rule included two key components. First, the 2024 Rule prohibited a regulated entity from using or disclosing any PHI for purposes of investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care (or to identify any person for such a purpose). The prohibition applied only if the reproductive health care was lawful under the law of the state in which it was furnished or if it was protected, required, or authorized by federal law. The second key component was that a regulated entity could not disclose PHI that was potentially related to reproductive health care for purposes of health oversight activities, judicial or administrative proceedings, law enforcement purposes, or—in the case of a decedent—disclosures to coroners or medical examiners unless the regulated entity first received an attestation from the requesting entity. The attestation, among other things, must have stated that the requestor was not seeking the PHI for a purpose prohibited under the 2024 Rule (such as to investigate a person for the mere act of obtaining or providing lawful reproductive health care).
The 2024 Rule also included a number of other miscellaneous changes. It mandated changes to covered entities' NPPs, requiring NPPs to address the reproductive health care protections and to reference additional safeguards for substance use disorder (SUD) records under 42 C.F.R. part 2. The 2024 Rule clarified that certain activities related to investigating and imposing liability on persons for health care services did not constitute "public health" activities. HIPAA does not preempt certain types of state public health laws and so the purpose of this change was to limit the scope of state laws that are not preempted by HIPAA. The 2024 Rule also defined "reproductive health care" and clarified the definition of "person" to limit the term to "a human being who is born alive."
For a more complete description of the 2024 Rule, see our earlier post: HHS Amends HIPAA To Further Protect Privacy of Reproductive Health Care Information.
In practice, the biggest challenge presented by the 2024 Rule had been its attestation requirement. First, regulated entities often found it difficult determining when an attestation was required. For example, regulated entities needed to determine whether requested PHI potentially related to reproductive health care and whether the purpose of the request required an attestation. By way of example, a disclosure in response to a subpoena generally would require an attestation but not if the requesting attorney also included an individual's authorization (since a regulated entity may disclose PHI based on an authorization without an attestation). Regulated entities also saw that attestations created friction with government agencies and others. For example, a hospital may not have had any good options if HIPAA required an attestation to disclose certain PHI to a state auditor—who may control the hospital's certification and ability to bill federal health insurance programs—but the auditor refused to sign the attestation.
The Purl Decision
In Purl, a physician (on her own behalf and on behalf of her practice) alleged that the 2024 Rule unlawfully interfered with her ability to respond to child protective services requests and report suspected child abuse. HHS sought dismissal of the case, alleging that Dr. Purl lacked standing because her claims were based on unrealistic and unsubstantiated theories of harm.
In its June 18 decision, the district court granted Purl's motion for summary judgment and vacated the 2024 Rule as unlawful, except for changes to NPP requirements related to 42 C.F.R. part 2.
On the issue of standing, the court held that Purl had standing based on the compliance obligations imposed by the 2024 Rule, which require and forbid certain actions and required her to conduct additional training, update policies, and amend her practice's NPP.
The court further held that the 2024 Rule was not in accordance with the statute because it limits a state's authority with respect to child abuse laws in numerous respects. Some of the court's reasoning does not seem entirely consistent with the 2024 Rule. For example, the court states that a covered entity must comply with an attestation requirement whenever it receives a disclosure request for PHI related to reproductive health care. The 2024 Rule, however, only required an attestation only in limited circumstances and did not require an attestation for child abuse reporting (which falls under 45 C.F.R. § 164.512(b) and which was not one of the provisions for which an attestation was required).
The court also applied the major-questions doctrine, which limits federal agencies' authority to promulgate regulations on issues of major economic or political significance without clear authorization from Congress. The court held that Congress's broad authority for HHS to promulgate standards with respect to the uses and disclosures of PHI does not demonstrate clear congressional authorization for HHS to wade into the abortion debate and "harness HIPAA to protect information sourced from politically favored medical procedures."
Based on the above, the court held that the 2024 Rule was unlawful and that vacating the 2024 Rule nationally is the appropriate remedy. The court recognized that the question of whether the Administrative Procedure Act authorizes a district court to nationally vacate a rule is a matter that the Supreme Court is likely to address this term when it determines whether a district court may grant nationwide injunctive relief. Until the scope of vacatur is resolved, however, the court indicated that it is bound by 5th Circuit precedent that supports vacating the 2024 Rule nationally in this instance. The court's ruling extends to all of the 2024 Rule except for NPP requirements related to 42 C.F.R. part 2 (the rule governing SUD records).
Next Steps
Based on the Purl decision, regulated entities no longer need to comply with the majority of the 2024 Rule. In particular, this means that regulated entities no longer need to obtain attestations from requestors. Regardless of how a regulated entity may feel about the politics surrounding reproductive health care, the end of the attestation requirement is likely a relief.
HHS has 60 days to appeal the decision. Given the current administration, an appeal may be unlikely. Nevertheless, HHS actively sought dismissal of the lawsuits challenging the 2024 Rule, so an appeal of the Purl decision is not outside the realm of possibility.
Covered entities that create or maintain SUD records that are subject to 42 C.F.R. part 2 still will need to revise their NPPs by February 16, 2026, to include statements related to these records.
Finally, with the 2024 Rule vacated, additional states may pass laws to shield information about reproductive health care from disclosure. Regulated entities should be sensitive to potential state law restrictions any time they receive a request for information that includes references to reproductive health care. Additionally, while the 2024 Rule has been vacated, the HIPAA Privacy Rule's long-standing restrictions on uses and disclosures of PHI remain in place.
[View source.]
