Understanding Employee Benefits and key developments in the employee benefits field and items of interest to our clients. MORE

By: Lisa Rippey and Elena Humphrey

In a landmark decision, a federal district court in Texas struck down nearly all of the 2024 amendments to the HIPAA Privacy Rule, known as the Reproductive Health Privacy Rule (the “Rule”), ruling that the Department of Health and Human Services (“HHS”) exceeded its statutory authority. The ruling, which applies nationwide, essentially eliminates the enhanced federal privacy protection for reproductive health care information. However, it is important to note that certain regulated entities are still required to comply with applicable state privacy and consumer laws regarding the disclosure of reproductive health care information.

Background

The Reproductive Health Privacy Rule, effective late 2024, introduced protections for reproductive health care information, broadly defined to include services like abortion, IVF, contraception, and gender-affirming care. Key provisions included:

  • Prohibiting the use or disclosure of reproductive health information for investigations regarding or imposing liability on any person for seeking, obtaining, providing or facilitating lawful reproductive health care.
  • Requiring pre-disclosure attestations to ensure information would not be used for prohibited purposes.
  • Defining terms like “reproductive health care” and adjusting related HIPAA compliance obligations.

For a more in-depth discussion of the Reproductive Health Privacy Rule, please see this blog post.

The rule was challenged by a Texas physician and her practice, who argued it unlawfully restricted mandatory child abuse reporting, redefined statutory terms like “person” and “public health,” and violated the “major questions doctrine” by regulating politically significant areas without clear congressional authorization.

Court’s Ruling

The court found the Reproductive Health Privacy Rule invalid for three primary reasons:

  1. Conflict with State Laws: The Rule improperly limited state child abuse reporting laws by prohibiting disclosures based solely on lawful reproductive health care and imposing complex attestation requirements.
  1. Impermissible Redefinitions: The Rule’s definitions of “person” (excluding unborn humans) and “public health” conflicted with federal law, exceeding HHS’s authority.
  1. Major Questions Doctrine: The Rule regulated politically significant issues, such as abortion and gender-affirming care, without explicit congressional approval, and intruded upon the state’s authority as outline in Dobbs.

Compliance Considerations

Although the court has vacated the Reproductive Health Privacy Rule, it is important to understand that the original HIPAA Privacy Rule and its protections remain in effect.

In addition, many states have their own privacy and consumer protection laws that may impose additional obligations on health plans when handling reproductive health care information.  For instance, California recently amended its Confidentiality of Medical Information Act to restrict the disclosure of abortion-related information by health care providers, health plans, contractors and employers in certain situations.

Given this regulatory shift, HIPAA-covered entities and business associates should revisit any compliance measures that were implemented in response to the now-vacated rule.  Recommended next steps include:

  • Policy Updates: Review and revise policies related to PHI disclosures for judicial, administrative, or law enforcement purposes to ensure alignment with the current HIPAA Privacy Rule and applicable state laws.
  • Training Revisions: Update workforce training programs and staff materials to reflect operational or procedural changes.
  • Business Associate Agreements (BAAs): Reassess and, if needed, amend BAAs that were amended in light of the Reproductive Health Privacy Rule.
  • Notices of Privacy Practices (NPPs): Covered entities that updated NPPs in anticipation of the February 16, 2026 compliance deadline should consider making additional updates. Note that NPP requirements related to substance use disorder records under 45 C.F.R. Part 2 remain unchanged. HIPAA regulations indicate revised NPPs should be distributed within 60 days of a material change. In other words, employers should revise and distribute their updated NPPs by August 17, 2025.

Please contact Lisa Rippey or Elena Humphrey if you have any questions about what impact this may have on your group health plan.