Here’s what businesses need to know.
Until recently, the privacy rule under the Health Insurance Portability and Accountability Act (“HIPAA”) was not the focus of political or legal controversy. However, in June 2025, a federal judge in Texas vacated most of a privacy rule that would apply to reproductive health care.
Background: The 2024 Final Rule
The U.S. Department of Health and Human Services (“HHS”) issued the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (“Final Rule”) in April 2024, modifying portions of the 1996 HIPAA Privacy Rule. Building on President Biden’s Executive Order 14076, HHS issued the Final Rule in response to the U.S. Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization. In Dobbs, the Court held that there was no right to abortion under the U.S. Constitution, but that the right should be determined by state law. The preamble to the Final Rule states that it was promulgated in an effort to protect related information and to strengthen patient-provider confidentiality.
The Final Rule prohibits covered entities, such as health care providers and business associates, from using or disclosing protected health information (“PHI”) tied to “reproductive healthcare,” including abortion, contraception, and fertility treatments. The Final Rule also encompasses PHI included in appointment logs, laboratory results, and provider communications.
Significant provisions of the Final Rule include the following:
- Prohibitions relating to certain uses and disclosures of reproductive health information across state lines.
- Requirements for new attestations before releasing PHI related to reproductive care.
- Mandates for updating Notices of Privacy Practices.
Covered entities were required to comply with the Final Rule by December 23, 2024.
Final Rule is vacated
A coalition of states and provider groups opposed the Final Rule in the lawsuit Purl v. United States Department of Health and Human Services.
The plaintiffs alleged that the Final Rule violated the Administrative Procedure Act (“APA”) because it was arbitrary and capricious and not authorized by statute; that Congress, not the HHS, should address issues of “vast political and economic significance,” especially when the issues cross state lines; and that the Final Rule violates principles of federalism.
In his June 2025 decision vacating most of the Final Rule, Judge Matthew Kacsmaryk (a Trump appointee) held that under President Biden, the HHS used the Final Rule as a means to advance a reproductive rights policy without clear authorization from Congress. Judge Kacsmaryk also found that the Final Rule violated the APA because it was procedurally deficient and not adequately justified by the HHS.
Finally, Judge Kacsmaryk agreed with the plaintiffs that, under the Major Questions Doctrine, Congress should be responsible for regulating reproductive PHI, not federal agencies.
The surviving provisions of the Final Rule are unrelated to reproductive health. They include updates to Notices of Privacy Practices regarding substance use disorder records.
Practical implications for covered entities and business associates
On September 10, 2025, the U.S. Court of Appeals for the Fifth Circuit dismissed the appeal of Purl. The HHS has indicated that it continues to review the ruling and implications for its HIPAA rulemaking, and it appears likely that the HHS will issue updated guidance.
Entities should review current policies and procedures, training programs, Business Associate Agreements, and Notices of Privacy Practices to ensure compliance with current law.
It is also essential for entities to remain alert to subsequent legal developments and to comply with applicable state privacy laws (for example, in California and Washington).
The Constangy Cyber Team assists businesses of all sizes and industries with compliance needs. If you would like additional information, please contact us at cyber@constangy.com.
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
