Compliance
Federal District Court Vacates HIPAA Privacy Protections for Reproductive Healthcare
Regulated entities must still comply with HIPAA’s general privacy requirements for protected health information.
July 2, 2025
On June 18, 2025, the U.S. District Court for the Northern District of Texas struck down a final rule issued in April 2024 to strengthen HIPAA’s privacy protections for reproductive healthcare. The final rule, which became effective December 23, 2024, prohibits health plans and other regulated entities from using or disclosing protected health information (PHI) related to lawful reproductive healthcare in certain situations. The Texas decision vacates these new protections in their entirety, and the court ruling is effective nationwide.
Privacy Protections
The HIPAA Privacy Rule sets strict limits on the use, disclosure and protection of PHI by healthcare providers, health plans, healthcare clearinghouses and their business associates (regulated entities). The Privacy Rule also allows regulated entities to use or disclose PHI for certain non-healthcare purposes, including certain criminal, civil and administrative investigations and proceedings.
The U.S. Department of Health and Human Services (HHS) issued the final rule to protect the privacy of reproductive healthcare following the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which eliminated the constitutional right to abortion. The final rule prohibits regulated entities from using or disclosing PHI for the criminal, civil or administrative investigation of (or proceeding against) any person in connection with seeking, obtaining, providing or facilitating reproductive healthcare where such healthcare is lawful under the circumstances in which it is provided. In certain circumstances, the final rule requires regulated entities that receive requests for PHI potentially related to reproductive healthcare to obtain a signed attestation that the use or disclosure is not for a prohibited purpose.
The final rule also requires covered entities to update their privacy notices by February 16, 2026, to describe the new privacy rights for reproductive healthcare. In addition, covered entities that handle certain substance use disorder (SUD) records must update their privacy notices to describe new privacy protections for these records by this deadline.
District Court Ruling
The Texas court ruled that the final rule’s heightened protections for reproductive healthcare exceed HHS’s statutory authority and unlawfully limit states’ ability to enforce their own public health laws. Accordingly, the Texas court vacated the final rule nationwide. However, it did not vacate the new HIPAA privacy notice requirements for SUD records. Although this decision could be overturned or modified by a higher court, it seems unlikely that the Trump administration will appeal the court’s ruling.
Going forward, regulated entities must still comply with HIPAA’s general privacy requirements for PHI and any applicable state privacy laws. Employers should review the terms of their HIPAA policies to determine if updates should be made to remove the special rules for reproductive healthcare.
Reach out to your Hylant representative for further information. Don’t have one? Contact us here.
The above information does not constitute advice. Always contact your employee benefits broker or trusted advisor for insurance-related questions.