By Gregory Freeman
A recent court ruling has a significant effect on HIPAA compliance as it pertains to reproductive health. It can be seen as relief from a rule that some criticized as burdensome and unnecessary. When the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization prompted states to restrict access to reproductive health services, Health and Human Services (HHS) issued a rule strengthening reproductive health privacy protections under HIPAA. Attorneys general on behalf of 14 states and a Texas-based clinician, Carmen Purl, brought four lawsuits challenging the HIPAA reproductive health privacy rule.
Judge Matthew Kacsmaryk, JD, a district court judge in Texas, ruled in favor of Purl and vacated the majority of the rule. The ruling in Carmen Purl et al. v. U.S. Department of Health and Human Services et al, No. 2:24-cv-00228-Z (N.D. Tex. June 18, 2025), the U.S. District Court for the Northern District of Texas, affects HIPAA compliance nationwide. Purl had challenged the final amendments to the HIPAA privacy rule regarding reproductive healthcare privacy by asserting that HHS exceeded its authority, says Andrea Frey, JD, partner with the Hooper Lundy Bookman law firm in San Francisco. Purl additionally claimed that the requirements under the final rule conflicted with state-level reporting requirements, she says.
“For covered entities and business associates subject to the amendments, the ruling just sort of rewinds the clock, as far as the HIPAA Privacy Rule is concerned, back to the language that was in there previously without the extra protections for reproductive health information issued under the rule, particularly with respect to requirements around regulated entities being prohibited from producing PHI (protected health information) for the purpose of conducting criminal, civil, or administrative investigations or imposing liability on individuals for the act of seeking or providing reproductive healthcare,” Frey explains.
However, there were updates under the final rule with respect to covered entities, the Notice of Privacy Practices (NPPs), that do remain intact. The reproductive health final rule incorporated some of those changes with respect to covered entities that also are substance abuse programs subject to Part 2 federal regulations, she says.
“Ultimately, in vacating this final rule, the court released covered entities from compliance obligations related to implementing the heightened protections with respect to reproductive healthcare information under HIPAA. So that included, for example, having to update their policies, update their training, workforce requirements with respect to making sure that employees and contractors were aware of these additional protections, potentially amending their business associate agreements (BAAs), implementing the attestation form and procedure and the like.”
All those compliance obligations are void with the vacating of the final rule, she says. However, covered entities do still need to be aware of state laws that may provide these kinds of enhanced privacy protections for reproductive health or other sensitive health information, she notes. A covered entity in California, for example, may decide to keep in place some of these compliance obligations to the extent they have already rolled them out to be in compliance with the state’s Confidentiality of Medical Information Act.
“At the end of the day, if there aren’t those additional state-level protections, the covered entity can determine whether or not to keep these compliance measures in place,” Frey says. “They are no longer mandated now under the Privacy Rule.”
Frey does not expect any appeal of the Purl decision. “I do think that it is a settled matter. I think where we can expect to see change, though, is with additional states stepping into this void and trying to fill that gap, at least in blue states,” she says. “I think that’s going to be an area of change that we can expect going forward.”
Attestation Forms Recently Added
The rule in question primarily required that, when any third party requested PHI potentially related to reproductive health, the covered entity or business associate must obtain an attestation that the information would not be used for any inappropriate purpose, like investigating the individual for seeking reproductive healthcare, says William P. Dillon, JD, shareholder with the Gunster law firm in Tallahassee, FL.
“Covered entities had to take a lot of efforts to redo their policies and get these attestation forms in place. The wording related to reproductive healthcare was very broad, so a lot of people just assume, ‘Oh, it’s related to abortion.’ Well, that’s not how it was worded,” he explains. “Pretty much just about any request that a covered entity received could arguably have information in the records relating to reproductive healthcare — just regular, routine doctor visits that discuss menstrual cycles or anything like that.”
Covered entities and business associates often responded with caution, requiring attestations for anything that possibly could be required under the rule, but Dillon says most requestors did not protest because they were not actually interested in reproductive healthcare information.
“Maybe others did, but it seemed it was just like, ‘Okay, it’s another thing we’ve got to do, because in most cases people probably were not requesting it for any improper purpose, and so they didn’t have a problem signing these attestations,” he says.
The ruling can be seen as relief for entities that felt the rule was oppressive or cumbersome, Dillon says. “It relieves the obligation that was put on them. It still doesn’t mean that they don’t have to evaluate the request for information and make sure that they’re done appropriately and properly,” Dillon says. “But with regard to these attestation requirements, they’re not going to be held to that anymore.”
In the wake of the decision, HIPAA-covered entities and their business associates need to revisit measures taken to comply with the Reproductive Health Privacy Rule, says Vicki J. Tankle, JD, partner with the Reed Smith law firm in Philadelphia. HIPAA-regulated organizations should review policies and procedures and update them as necessary to reflect the current regulatory landscape as altered by the ruling, she says. Relevant policies and procedures may include those related to responding to requests for PHI in connection with judicial and administrative proceedings or health oversight purposes and disclosures to law enforcement officials. These policies should be reverted to reflect the pre-2024 Privacy Rule standards for use and disclosure of PHI.
Certain workforce members may need to be informed about the change in legal requirements to account for immediate operational changes, such as removal of the related attestation requirement, she says. HIPAA training programs may likewise require revision. “HIPAA-regulated organizations may also need to review and update business associate agreements. While the Reproductive Health Privacy Rule did not expressly require updates to BAAs, some HIPAA-regulated entities revised or amended agreements to address specific requirements related to reproductive health information,” she says. “These BAAs may need to be revised yet again in light of the current state of the HIPAA Privacy Rule.”
Additionally, the Reproductive Health Privacy Rule required covered entities to revise their NPPs provided to patients and health plan members and posted on covered entities’ websites as of Feb. 16, 2026, Tankle notes. The required changes included new provisions addressing the special protections afforded to reproductive healthcare information by the Reproductive Health Privacy Rule, and the confidentiality of substance use disorder patient records set forth outside of HIPAA at 45 C.F.R. (Part 2).
“Covered entities that have already updated their NPPs may need to update them again to reflect current HIPAA requirements,” she says. “The requirements for NPPs specific to the Part 2 regulations are not impacted by the Purl decision. All this said, the legal landscape remains dynamic.”
At the federal level, HIPAA-regulated organizations should monitor appeals, new rulemaking, or enforcement or guidance from HHS that could alter privacy obligations or influence HIPAA compliance strategies in the future, she says. Note, for example, that while not explicit, the HIPAA Privacy Rule still provides protection for PHI related to reproductive healthcare, she says. HHS entered into its first settlement against a healthcare provider centered around, and specific to, an impermissible disclosure of an individual’s reproductive health information under the HIPAA Privacy Rule in December 2024, prior to the effective date of the Reproductive Health Privacy Rule,” she says. “The settlement demonstrates that HHS has recently considered reproductive health information as highly sensitive and may take enforcement action accordingly under the HIPAA Privacy Rule as it currently stands post-Purl.”
Some states have their own laws, typically governing healthcare providers and facilities, that afford greater protections for reproductive healthcare information than other types of health information, Tankle says.“HIPAA-regulated organizations also regulated by these state laws should continue to assess whether such laws impose stricter requirements than HIPAA and comply accordingly,” she says.
Time to Roll Back
Under the now-vacated rule, there were significant requirements that would have required HIPAA-covered entities to establish new workflows and documentation procedures to abide by the rule’s requirements, says John F. Howard, JD, senior attorney with the Clark Hill law firm in Scottsdale, AZ. This would have included establishing new attestation mechanisms and review procedures for any requests for reproductive health information.
“This would have been above and beyond the already established procedures for requests for protected health information. Now that the rule has been vacated, HIPAA-covered entities will have to review and roll back a lot of these changes to ensure that they are not creating barriers or extending timelines for responding to lawful requests for information under HIPAA,” he says.
This could include requests from public health authorities or other previously permitted purposes. “On the other side of the coin, HIPAA covered entities will now have one less legal tool to rely on for disclosures that they prefer not to make in order to protect patients or providers as it relates to reproductive health services,” Howard notes. “In the current political climate in several jurisdictions this could become the greater concern for a lot of HIPAA-covered entities.”
A review of all current policies and procedures, especially any that were modified in response to the now-vacated rule, should be conducted to ensure compliance with HIPAA, Howard advises. Efforts also should be made to work with administrative staff and providers to ensure that they understand what the change means and that all workforce members are well-versed to respond to questions from patients, providers, or information requestors, if needed.
“PHI access and permissible use and disclosure polices should be modified to remove any requirements to obtain attestations as was required under the now-vacated rule. In addition, covered entities should review their notice of privacy practices to ensure that they remain accurate, as statements regarding the protections around reproductive health information will likely need to be revised or removed,” Howard says. Additionally, any policies that deal with public health disclosures or legal requests for PHI should be reviewed to ensure HIPAA compliance after the Purl ruling.
Returning to Original Privacy Rule
For HIPAA-covered entities, the Purl ruling essentially means that they are returning to the original version of the Privacy Rule that was in effect prior to the implementation of the Revised Rule in June 2024 and, under which there are no special requirements or protections for PHI related to reproductive healthcare, says Hillary M. Stemple, JD, partner with the ArentFox Schiff law firm in Washington, DC. Under the original Privacy Rule, covered entities are permitted to disclose, without a patient’s authorization, a patient’s reproductive health information for law enforcement purposes and as required by law, she says.
“These disclosures can include disclosures to comply with state reporting mandates. Additionally, covered entities and their business associates are no longer required to obtain an attestation for PHI requests that are potentially related to reproductive healthcare,” Stemple says. “Essentially we’ve returned to the pre-June 2024 HIPAA status quo, where reproductive health information receives the same protections under HIPAA as any other type of protected health information.” Covered entities should carefully review their internal HIPAA policies and procedures related to the disclosure of PHI, particularly as it relates to disclosures for judicial, administrative, or law enforcement purposes. These policies should align with the requirements for such disclosures in the original Privacy Rule, as well as any applicable state laws. In many cases, covered entities may be able to revert back to prior versions of their HIPAA policies.”
Covered entities also should provide training to members of its workforce on these updated policies and procedures, she says. To the extent covered entities amended any BAAs in response to the 2024 Revised Rule, they should assess whether those agreements need to be amended again, she says.
“Covered entities may need to revise HIPAA privacy policies and procedures. In particular, covered entities may need to revise their policies that are related to disclosures of reproductive health care information for judicial, administrative, or law enforcement purposes to ensure compliance with the original HIPAA Privacy Rule, which is once again the operative version of the rule,” Stemple says. “Additionally, many states have implemented privacy and consumer protection laws that place restrictions on disclosing reproductive healthcare information. As a result, any revisions to HIPAA policies and procedures should still comply with applicable state law requirements.”
Stop the Attestation Process
HIPAA-covered entities should immediately stop using their attestation process for responding to reproductive health rule records requests, says Meghan O’Connor, JD, partner with the Quarles law firm in Milwaukee. “Covered entities should shift back to the HIPAA compliance obligations in place before the 2024 Reproductive Health Rule but post-Dobbs decision,” she says. “Understanding the compliance obligations sandwiched between the Dobbs decision and publication of the final HIPAA Reproductive Health Rule are key for covered entities because states (are) legislating regarding reproductive healthcare — sometimes falling within gender-affirming care — since Dobbs.”
Covered entities should revise workforce training materials — particularly role-based training for health information management, release of information (ROI), and legal departments — to account for new procedures, she says.
Covered entities also should update BAAs and other contracts, such as ROI vendors, as necessary to address changes in HIPAA but remain compliant under state law. “With the Purl order, enforcement of the HIPAA Reproductive Health Rule’s extra protections for reproductive health data is halted nationwide, effective immediately. However, the HIPAA Privacy Rule is still in effect, and entities subject to HIPAA must comply with its requirements regarding use and disclosure of protected health information when assessing law enforcement requests,” O’Connor says. “HIPAA still includes requirements for protected health information regarding reproductive health care.”
“While we do not have a crystal ball, there is potential for continued litigation. Certain stakeholders have noted that the Purl court’s decision that HHS lacked the specific congressional authorization to promulgate rulemaking regarding ‘politically favored medical procedures’ would not be preferable to the current administration, including as potential precedent for rulemaking regarding other types of potentially ‘political healthcare,’ such as gender-affirming care, vaccines, and in vitro fertilization,” O’Connor says. “While the time to appeal runs, stakeholders and lobbyists are considering opportunities to push the administration to appeal the Purl decision, arguing the appeal makes room for future rulemaking.”
Greg Freeman has worked with Clinican.com and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Clinician.com products. In addition to his work with Clinician.com, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.
Sources
- William P. Dillon, JD, Shareholder, Gunster, Tallahassee, FL. Telephone: (850) 521-1708. Email: [email protected].
- Andrea Frey, JD, Partner, Hooper Lundy Bookman, San Francisco. Telephone: (415) 875-8507. Email: [email protected].
- John F. Howard, JD, Senior Attorney, Clark Hill, Scottsdale, AZ. Telephone: (480) 684-1133. Email: [email protected].
- Meghan O’Connor, JD, Partner, Quarles, Milwaukee. Telephone: (414) 277-5423. Email: [email protected].
- Hillary M. Stemple, JD, Partner, ArentFox Schiff, Washington, DC. Telephone: (202) 350-3638. Email: [email protected].
- Vicki J. Tankle, JD, Partner, Reed Smith, Philadelphia. Telephone: (215) 241-7974. Email: [email protected].
A recent court ruling has a significant effect on HIPAA compliance as it pertains to reproductive health. It can be seen as relief from a rule that some criticized as burdensome and unnecessary. When the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization prompted states to restrict access to reproductive health services, Health and Human Services issued a rule strengthening reproductive health privacy protections under HIPAA.
You have reached your article limit for the month. Subscribe now to access this article plus other member-only content.
- Award-winning Medical Content
- Latest Advances & Development in Medicine
- Unbiased Content