HIPAA Reproductive Health Privacy Rule Protections Struck Down

Published On

June 26, 2025

Authors

Partner

Alexander Dworkowitz

New York

212.790.4605

Download vCard
Partner

Randi Seigel

New York

212.790.4567

Download vCard
Counsel

Alice B. Leiter

Washington, D.C.

202.624.3350

Download vCard

HIPAA Reproductive Health Privacy Rule Protections Struck Down

Why It Matters

On June 18, 2025, in the case , Texas federal judge Matthew Kacsmaryk vacated the Department of Health and Human Services’ (HHS) 2024 HIPAA Privacy Rule to Support Reproductive Health Care Privacy (Rule). The decision removes a significant layer of protection from sensitive abortion-related information.

The Rule addressed post-Dobbs concerns that protected health information (PHI) may be used in investigations or proceedings against individuals who seek or provide legal reproductive health care, potentially discouraging individuals from seeking, or discussing, such care with their provider (or providers discussing reproductive care with their patients). Aiming to prevent this, the 2024 Rule prohibited the use or disclosure of PHI by HIPAA-covered entities and business associates to (1) conduct a criminal, civil or administrative investigation into or impose liability on any person for the mere act of seeking, obtaining, providing or facilitating lawful reproductive health care, and (2) identify any person for the purpose of conducting such investigation or imposing such liability. The Rule also required, in certain circumstances, attestations that PHI would not be used for such prohibited purposes.

Unless the Purl decision is overturned on appeal, HIPAA-covered entities are no longer required to comply with this Rule and will not face enforcement actions from HHS for failing to implement its requirements.

Key Takeaways

What Was Vacated, What Stands and What Comes Next

  • Nearly all protections in the Rule prohibiting disclosure of PHI linked to lawful reproductive care—broadly defined to include abortion, contraception and IVF—in criminal, civil or administrative investigations were vacated.
  • Notice of Privacy Practices requirements specific to substance use disorder data was left intact.
  • It is unclear how, if at all, this ruling will affect two other cases challenging the Reproductive Privacy Rule that are still pending in federal courts in Tennessee and Missouri, or what it means for a separate Texas lawsuit that seeks to strike down the broader 2000 HIPAA Privacy Rule.

Immediate Impact

  • Covered entities and business associates no longer must obtain attestations before releasing reproductive health-related PHI in response to law enforcement or health care oversight requests.
  • Entities must update privacy policies and forms that had been enhanced for the Rule or revert to prior versions.
  • While it is possible that Rule requirements could be reinstated if the government appeals, such an appeal appears unlikely, given the current administration’s lack of vehement defense of the Rule during the litigation (the government had focused their arguments on standing and the scope of relief, not the merits of the Rule).

Practical Implications and Next Steps

Issue

Implication

Action Steps

Disclosure Practices

PHI tied to reproductive health can now be disclosed under standard HIPAA exceptions (law enforcement, oversight, etc.).

Reassess policies and remove attestation protocols.

Notice of Privacy Practices

Only SUD-related updates are still required.

Amend notices accordingly

Ongoing Developments

HHS may appeal or modify the Rule; other challenges remain pending.

Monitor legal and regulatory updates closely.

Court’s Basis for the Ruling

  • Dr. Carmen Purl and her Texas walk-in clinic challenged the Rule on the grounds that it exceeded HHS’ statutory authority and unlawfully restricted her practice’s state-mandated reporting obligations, particularly in the context of child abuse investigations. Dr. Purl had previously won a motion for preliminary injunction against enforcement of the rule, but that injunction had applied only to the plaintiffs.
  • The Court agreed with the plaintiffs’ arguments, holding that HHS acted beyond statutory authority by treating reproductive health data differently than other types of data under HIPAA. In particular, the Court found that the Rule could not survive under the “major questions doctrine” because HHS did not identify a clear congressional authorization for such a rule.
  • The Court also declared unlawful the 2024 Rule’s definition of a “person” to mean a human being “born alive.”
  • The Court further found that the Rule undercut state public health and child abuse-reporting requirements by imposing strict attestation requirements and disclosure limits.
  • Judge Kacsmaryk wrote in his opinion that “[p]eople of good faith vehemently disagree on both” abortion but gender-affirming care. He wrote that although HIPAA provides HHS with authority to protect health information, “it confers no authority to distinguish between types of health information to accomplish political ends like protecting access to abortion and gender-transition procedures. Thus, HHS lacks the authority to issue regulations that enact heightened protections for information about political favored procedures.”
  • While acknowledging debate on the merits of nationwide injunctions, Judge Kacsmaryk nevertheless agreed to vacate the Rule with respect to all parties, not just the plaintiffs.

For more analysis on reproductive health legal issues, please contact , or .

Purl v. Department of Health and Human Services, available at:

Join our newsletter to stay up to date on features and releases.

ATTORNEY ADVERTISING, pursuant to New York DR 2-101(f)

© 2025 Manatt, Phelps & Phillips, LLP. All rights reserved.

Newsletter Subscription