Reproductive Health Privacy Rule Vacated: Key Impacts for Healthcare Practices

Summary

On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated nearly all HIPAA Privacy Rule amendments issued in April 2024 concerning reproductive health care privacy — a rule that had established heightened protections and attestation requirements for protected health information (PHI) related to services such as abortion, contraception, IVF and gender‑affirming care.

The court found that the rule exceeded HHS authority, conflicted with state law obligations (e.g., mandatory child abuse reporting), redefined statutory terms (such as “person” and “public health”) and improperly regulated politically significant topics absent clear Congressional mandate.

The HIPAA Privacy Rule remains fully enforceable for all PHI, including reproductive health information. The vacatur removes the additional restrictions that the 2024 rule would have imposed, but does not eliminate baseline HIPAA compliance obligations.

What Healthcare Practices Need to Know and Do

• Policies & Procedures -- Remove any language, processes or guidelines tied to attestation, special notice or use/disclosure restrictions introduced by the 2024 reproductive health rule. Rever to pre-2024 HIPAA procedures.
• Training & Workforce Education -- Update staff and compliance training materials to eliminate references to heightened reproductive health protections associated with the 2024 amendments. Emphasize that standard HIPAA rules still apply.
• Notice of Privacy Practices (NPP) - If your NPP was already updated under the 2024 rule, remove reproductive health-specific provisions and redistribute within 60 days of the June 18, 2025, ruling (by approximately August 17, 2025). Continue compliance with other non-vacated NPP changes such as SUD-related disclosure provisions by the February 2026 deadline.
• Business Associate Agreements (BAAs) - Eliminate sections referencing the attestation process or special reproductive health protections if added under the 2024 rule. If BAAs were not updated, no new additions are required.
• Handling Request for Reproductive Health PHI - Requests may now proceed under the ordinary HIPAA framework (e.g. for law enforcement, publich health, court orders) with no attestation required, but disclosures must still align with HIPAA's minimum necessary and permitted-use rules.
• State Law Compliance - Continue to comply with any state privacy or consumer laws regarding reproductive or gender-affirming care. Some states maintane enhanced protections, and those obligations remain unchanged.
• Monitor Developments - The HHS has 60 days to appreal; though considered unlikely, legal and regulatory developments could emerge. Practices should watch for HHS guidance, further litigation, or updates in state law.

Final Thoughts

The Texas court decision in Purl vs. HHS represents a significant rollback of federal reproductive health privacy enhancements under HIPAA. Healthcare organizations should pivot quickly to ensure that policies, training, patient messaging, and third-party agreements reflect the status quo -- that standard HUPAA protections apply, but the special restrictions of the 2024 amendments to the HIPAA Privacy Rule are no longer required. Vigilance remains essential given the evolving legal landscape.

If you have any questions about federal or state privacy laws, please contact us at 1-800-282-4882 or at [email protected]