In June of 2024, the Department of Health and Human Services (HHS) issued rules amending the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in the wake of the 2022 Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (the “2024 Privacy Rule”). These rules were designed to support President Biden’s Executive Orders on protecting access to reproductive health care—in particular, by protecting information related to reproductive health care and bolstering patient-provider confidentiality. On June 18, 2025, the U.S. District Court for the Northern District of Texas issued an order vacating a majority of the 2024 Privacy Rule. HIPAA “Covered Entities” (e.g., health care providers and group health plans) and their business associates will need to evaluate the impact of this ruling on their HIPAA compliance obligations.
What Did the 2024 Privacy Rule Require of Covered Entities?
HHS explained that the 2024 Privacy Rule was necessary to “protect patient confidentiality and prevent medical records from being used against people for providing or obtaining lawful reproductive health care.” In the 2024 Privacy Rule, HHS broadly defined “reproductive health care” to include the health of an individual in all matters related to the reproductive system… .” Examples of reproductive health care include: contraception, pregnancy related health care (such as miscarriage management and pregnancy termination), treatment for menopause, gender affirming care, and fertility related health care.
To comply with these rules, Covered Entities were not allowed to use or disclose protected health information (PHI) for any of the following activities:
- Investigations: Conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
- Imposing Liability: Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
- Identification: Identifying an individual, health care provider or other person for purposes related to such an investigation or proceeding.
In addition, the 2024 Privacy Rule required Covered Entities to gather an attestation from the entity requesting the reproductive health care, to determine whether the use or disclosure of reproductive health care related PHI was permitted under the 2024 Privacy Rule. Furthermore, Covered Entities were required to update their Notice of Privacy Practices to reflect the heightened protections for reproductive health care related PHI.
Background on the Texas Order
A federal judge in Texas vacated a majority of the 2024 Privacy Rule in the ruling Purl v. United States Department of Health and Human Services. By way of background, Dr. Carmen Purl and her clinic sued HHS in 2024 challenging the 2024 Privacy Rule on the grounds that it “impaired her and her employees’ state mandated obligation to report child abuse or participate in public health investigations.” The court agreed with Purl and found that HHS acted “in excess of statutory authority” in violation of the Administrative Procedure Act. As a result, the court vacated the 2024 Privacy Rule related to reproductive health care privacy and clarified that this ruling would have “nationwide effect… and affects persons in all judicial districts equally.”
SUD Records Requirements Still in Effect
In addition to the protections for reproductive health care related PHI, the 2024 Privacy Rule also required changes to a Covered Entity’s Notice of Privacy Practices to account for the confidentiality of substance use disorder (SUD) requirements. While the Texas court vacated all of the reproductive health care related portions of the 2024 Privacy Rule and found those provisions unlawful, it left undisturbed the SUD requirements from those rules. Accordingly, these SUD requirements continue to apply to Covered Entities. Under these rules, a Covered Entity’s Notice of Privacy Practices must be updated by February 16, 2026, to explain the following:
- SUD treatment records received by a group health plan from a Part 2 Program (e.g., an entity that is federally assisted and provides substance use disorder diagnosis or treatment) will not be used or disclosed in civil, criminal, administrative or legislative proceedings against the individual without the following: (i) written consent from the covered individual, or (ii) a court order after notice and an opportunity to be heard is provided;
- If a Covered Entity that creates or maintains SUD treatment records intends to use or disclose those records for fundraising, the impacted individual must first be provided with notice and the opportunity to opt out of receiving the fundraising communications.
Next Steps for Covered Entities
- Update HIPAA Policies and Procedures. Covered Entities will need to review their HIPAA policies and procedures to ensure that these procedures are current and do not reflect the parts of the 2024 Privacy Rule that were vacated.
- Update HIPAA Training. The Covered Entity’s workforce members should receive updated training which reflects current HIPAA rules (e.g., the training should be updated to explain that the heightened reproductive health care related PHI protections no longer apply).
- Eliminate attestation requirement. Covered Entities should update their administrative processes so that attestations are no longer required for reproductive health care related PHI requests.
- Revise Business Associate Agreements. To the extent that the 2024 Privacy Rule regarding increased protections for reproductive health care related PHI were added to group health plan vendor Business Associate Agreements, this language should be removed.
- Revise Notice of Privacy Practices. The Covered Entity must update its Notice of Privacy Practices to remove any language related to the 2024 Privacy Rule reproductive health care related PHI protections, and such updated Notice should be timely distributed in accordance with existing HIPAA privacy rules. Also, as noted above, a Covered Entity must revise its Notice to include language about the confidentiality of SUD records received from a Part 2 Program.
- Coordinating with Third Party Administrators. Covered Entities should coordinate with their group health plan vendors to confirm that these vendors are administering plans in accordance with the current HIPAA rules.
Handling Requests for Reproductive Health Care Related PHI Under Current HIPAA Rules
Although the extra protections of the 2024 Privacy Rule do not currently apply to reproductive health care related PHI, it is important to note that the HIPAA rules still provide protections for HIPAA PHI (including reproductive health care related PHI). Accordingly, if a Covered Entity receives a request for reproductive health care related PHI, it should only disclose such PHI as allowed under the current HIPAA rules (e.g., pursuant to a participant authorization, and only the minimum necessary amount, etc.) It is worth noting that HHS has previously determined that a health care provider violated the HIPAA rules by disclosing a patient’s reproductive health care related PHI to a prospective employer without obtaining her prior written authorization for the disclosure. In this instance, the health care provider had to enter into a settlement agreement with HHS, pay a monetary penalty, and undertake a corrective action plan to resolve the compliance issue. This HHS determination was made under HIPAA rules that were in effect prior to the 2024 Privacy Rule.
If you have any questions about the changes under the 2024 Privacy Rule and/or its current application, please contact us.
