A U.S. District Court in the Northern District of Texas has vacated most of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “Rule”) in the case of Purl v. DHHS. The ruling, which has immediate nationwide effect, invalidates all Rule provisions addressing reproductive health privacy, including the requirement to obtain an attestation before disclosing protected health information (“PHI”) potentially related to reproductive health care. The only surviving portion is a relatively minor requirement adjusting Notice of Privacy Practices (“NPP”) disclosure requirements.
This post provides a brief overview of the Rule, the challenge and decision in Purl, and next steps for covered entities and business associates.
Overview of the Rule
DHHS issued the Rule in April 2024, in the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, “to limit the circumstances in which provisions of the Privacy Rule permit the use or disclosure of an individual’s PHI about reproductive health care for certain non-health care purposes”. To that end, the Rule modified the HIPAA Privacy Rule to create restrictions on disclosure of PHI relating to reproductive health care. Key requirements of the Rule include:
- A default prohibition on disclosure of PHI by covered entities and business associates for purposes of (i) conducting a criminal, civil, or administrative investigation into or imposing criminal, civil, or administrative liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or (ii) identifying any person for those purposes.
- A requirement for a covered entity or business associate to obtain an attestation that PHI will not be used for the above prohibited purposes before disclosing PHI in response to requests for PHI related to reproductive health care for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners or medical examiners. Importantly, disclosure by the covered entity or business associate without this attestation would be an unauthorized disclosure of PHI that triggers the Breach Notification Rule’s requirements.
- A requirement to incorporate certain disclosures regarding these requirements into a covered entity’s NPP.
The Rule took effect on June 25, 2024 with a compliance date of December 23, 2024.
Challenge and Decision in Purl
On October 21, 2024, a Texas physician and her private family medicine practice filed a lawsuit in the Northern District of Texas challenging the Rule. The physician argued the Rule would restrict her ability to report child abuse and participate in public health investigations. She also asserted that DHHS exceeded its statutory authority and violated the Administrative Procedure Act (“APA”) in issuing the Rule. In November 2024, the court granted the physician and practice a preliminary injunction barring enforcement of the Rule against them.
DHHS and the plaintiffs both moved for summary judgment. The court granted summary judgment to the physician and practice and vacated the Rule, except for relatively minor NPP requirements that originated in a separate rulemaking and apply to covered entities that receive or maintain substance use disorder treatment records subject to the regulations at 42 CFR part 2 (“Part 2”).
The court’s decision was based on its authority under the APA to “hold unlawful and set aside” agency actions that are “not in accordance with law” or otherwise are “in excess of statutory jurisdiction, authority, or limitations, or short of statutory right.”
The court examined HIPAA statutory provisions addressing the relationship between HIPAA requirements and state public health laws, and concluded the Rule was issued outside DHHS statutory authority and contrary to federal law in violation of the APA. For example, a HIPAA statutory provision provides that “[n]othing in [HIPAA] shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, death, public health surveillance, or public health investigation or intervention.” The court found the plaintiff physician had mandatory abuse reporting and public health investigation cooperation obligations under Texas law, and concluded the Rule’s requirements unlawfully limited the physician’s ability to fulfill those obligations.
The court also emphasized that vacatur of the Rule “has nationwide effect, is not party-restricted, and affects persons in all judicial districts equally.” While the court acknowledged that the availability of nationwide vacatur as a remedy could be an issue for resolution by the Supreme Court, it nonetheless took that step based on Fifth Circuit precedent it interpreted as allowing courts to treat vacatur as the default remedy for unlawful agency action.
What Happens Next
DHHS could appeal the decision, but that seems unlikely. The Trump administration continued to defend the case, but it focused on standing and on whether vacatur was an appropriate remedy rather than defending the Rule on the merits, to the point that the court concluded DHHS had waived its merits arguments (though the court nonetheless addressed them). Given that posture, we would be surprised if DHHS elected to appeal.
There is also another case pending in the Northern District of Texas in which Texas challenged both the Rule and the underlying HIPAA Privacy Rule originally adopted in 2000. That challenge to the underlying HIPAA Privacy Rule is unresolved, but involves similar issues and should be monitored carefully.
What Should Covered Entities and Business Associates Do?
We recommend covered entities and business associates:
- Immediately Stop Requiring Attestations to Disclose PHI. Unless DHHS appeals and obtains a stay of the district court decision, covered entities and business associates should immediately stop requiring attestations designed to address the Rule’s requirements as a condition of responding to requests for PHI relating to reproductive health care, both for future requests and for pending requests where an attestation has not yet been provided.
- Reverse Policy and Procedure Revisions Designed to Address the Rule. Any revisions to a covered entity’s HIPAA policies and procedures that were implemented to address the Rule should also be reversed. While this step should remain a priority, it is less urgent than halting attestation requests and could wait until DHHS clarifies whether it intends to appeal.
- Review NPP and Modify If Needed. To the extent a covered entity has already modified its NPP to address the vacated requirements of the Rule regarding reproductive health care, it should reverse those modifications. Covered entities should also review their NPPs to ensure they address, as necessary, the relatively minor changes the court did not vacate, which relate to records subject to Part 2.
- Monitor State Law Developments Regarding Reproductive Privacy. We expect at least some states will show renewed interest in addressing reproductive health privacy and recommend monitoring activity in that area. Indeed, Virginia has already adopted a law that takes effect on July 1, 2025 that will strictly regulate the collection and disclosure of “reproductive or sexual health information” and provides a private right of action with statutory penalties. Washington’s My Health My Data Act similarly regulates “consumer health data,” including data related to “reproductive or sexual health services,” and provides a private right of action and statutory penalties. While these laws do not apply to PHI subject to HIPAA, they also do not categorically exclude covered entities and business associates as defined by HIPAA. Those laws therefore merit careful consideration by covered entities and business associates given their sweeping nature and private rights of action.