Last year, in response to the U.S. Supreme Court's 2022 ruling in Dobbs v. Jackson Women's Health Organization (Dobbs) (which overturned Roe v. Wade and its constitutional protection of abortion), the federal agency responsible for HIPAA privacy compliance finalized rules supporting reproductive health care privacy (2024 Final Rule). See our Alert here (opens a new window). The 2024 Final Rule, among other things, prohibited the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. The rules became effective on Dec. 23, 2024, although changes to the Notice of Privacy Practices (NPP) had a delayed effective date of Feb. 16, 2026.
On June 18, 2025, almost exactly one year after the 2024 Final Rule went into effect, a federal district court in Texas vacated the 2024 Final Rule, meaning that HHS (the federal agency in charge of HIPAA) cannot enforce its Rule to prohibit covered entities, such as health care providers and employer group health plans, from giving information about reproductive health care to state law enforcement agencies. The current administration is unlikely to appeal the district court decision. State legislatures may or may not take actions considering the decision.
Executive Summary
The US District Court for the Northern District of Texas issued a nationwide order vacating the 2024 HIPAA Final Rule supporting reproductive health care privacy. The Court found the 2024 Final Rule exceeded statutory authority in several ways:
The HIPAA statute itself does not authorize HHS to issue regulations treating information related to abortion, gender identity or other “reproductive health care” differently than other types of care.
The 2024 Final Rule restricted healthcare professionals from disclosing information to state officials and law enforcement in cooperation with efforts to obtain evidence of a crime, potential violations of state law, or threats to public health related to “reproductive health care.” Not to mention, HIPAA covered entities are left to determine the lawfulness of the reproductive health care to avoid possible civil or criminal liability.
HHS went beyond its statutory authority by redefining certain terms in HIPAA (e.g., “person” excluded unborn humans under the rule).
Employers who incorporated the vacated regulations in HIPAA materials will want to revise their NPP and policies and procedures to their former form by removing the special circumstances surrounding reproductive health care.
Background
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to “covered entities,” such as employer group health plans, that touch PHI. The HIPAA rules protect the privacy and security of this PHI in the hands of an employer’s group health plan by requiring the plan to jump through numerous hoops and hurdles in order to safeguard PHI (e.g., set up policies and procedures, implement firewalls, train employees with access to PHI, etc.) and by limiting the circumstances in which PHI may be used and disclosed by the plan.
After the Supreme Court’s 2022 decision in Dobbs removed the constitutional right to an abortion, HHS determined that the changing legal landscape necessitated modifications to HIPAA to preserve the interests that HIPAA seeks to protect. As a result, the HIPAA modifications in the 2024 Final Rule related to limiting the circumstances in which the privacy rule permits the use or disclosure of an individual’s PHI about reproductive health care for certain non-health care purposes. More detail on the limitations is available in our May 2024 Alert (opens a new window).
District court vacates the 2024 Final Rule…
The underlying suit triggering the vacation involves a physician and her practice. The case argued that the HHS rule exceeded its authority in implementing HIPAA and limits states’ abilities, through law enforcement and various state agencies (e.g., related to child welfare and public health), to obtain necessary information. For example, the Rule created a new and broad definition of reproductive health care, and by doing so, it inserted abortion, gender identity and other topics into regulations meant to implement the HIPAA statute. As argued by the doctor and her clinic, HIPAA was not meant to treat medical information on these topics any differently than other privileged information, therefore, HHS had no authority to regulate in this manner.
Similarly, in another sign of overreaching, it was argued that the statute didn’t authorize HHS to define “persons” to exclude unborn children, nor to add to the definition of “public health” to exclude abortion and medical interventions concerning gender identity. This interfered with the doctor’s ability and legal obligation to disclose information about unborn children when they are the victims of crime, neglect, or abuse, and in other instances.
Another strike against the 2024 Final Rule comes from the duty it places on covered entities to determine whether the reproductive health care was lawful. Under the old rule, for example, a disclosure was allowed in response to a state’s administrative request where the response was “required by law.” However, under the 2024 Final Rule, there was a restriction on uses and disclosures of PHI for certain non-health care purposes, e.g., a health plan cannot disclosure PHI if the request is being made to investigate a person for seeking reproductive health care. This means a covered entity is left determining if reproductive health care is lawful, and assuming the risk of an incorrect determination of state law.
Next steps …
With the 2024 Final Rule vacated, employers will want to revise their policies and procedures to their former form by removing the special circumstances surrounding reproductive health care and inform certain employees (who handle PHI and that were trained on the new rule) that the 2024 Final Rule has been vacated. If a revised NPP has already been distributed, language related to the new rule will need to be removed (essentially reverting to the former NPP).
For employers who incorporated the vacated rule in their NPP, the HIPAA regulations indicate a revised NPP should be distributed within 60 days of a material change. Consequently, employers should aim to revise (and provide) their NPP by Aug. 17, 2025, to remove the references to the vacated regulation.
Download now (opens a new window)
