ARTICLE
8 July 2025

Texas Judge Vacates HIPAA Reproductive Health Care Rule…What Happens Now?

GG
Groom Law Group

Contributor

Groom Law Group logo
Groom Law is the nation’s preeminent benefits, retirement, and health care law firm. We built our success over decades of solving complex ERISA/employee benefits challenges in the public and private sectors, providing innovative legal solutions, value, and true partnership to our clients every step of the way.
Explore Firm Details
On June 18, 2025, Judge Matthew Kacsmaryk of the Northern District of Texas largely vacated the HIPAA Reproductive Health Care ("RHC") rule and severed the rule's provisions...
United States Texas Employment and HR
Vivian Hunter Turner,Tamara Killion,Christy Tinnes
+1 Authors
 Your Author LinkedIn Connections

On June 18, 2025, Judge Matthew Kacsmaryk of the Northern District of Texas largely vacated the HIPAA Reproductive Health Care ("RHC") rule and severed the rule's provisions updating the HIPAA Privacy Notice for substance use disorder information, as required by the Confidentiality of Substance Use Disorder Patient Records final regulations. Purl v. United States Dep't of Health & Hum. Servs., 2:24-cv-00228-Z (N.D. Tex. June 18, 2025).

Below we provide background on the rule, a short summary of the opinion, and practical considerations for HIPAA covered entities and business associates going forward.

Background

The HIPAA RHC rule was issued under the Biden Administration and was applicable as of December 23, 2024. The rule was issued in response to concerns from health care providers and health plans that third parties may request sensitive RHC information as part of investigations into state laws that limited treatment for RHC services, in particular abortion services and gender affirming care.

The rule defined RHC information as health care that affects the health of an individual in all matters relating to the reproductive systems and their functions. The preamble to the RHC rule provided a non-exhaustive list of examples, including fertility, pre-natal, maternity, and menopausal care, along with abortion services. Legal challenges brought in the State of Texas also asserted that regulated RHC services would include gender affirming care.

The RHC rule:

  • prohibited a HIPAA covered entity or business associate from disclosing RHC information requested by a third party as part of an investigation into the provision or payment of RHC services that were lawfully provided;
  • required HIPAA covered entities and business associates to obtain an attestation from third parties that requested PHI under certain HIPAA exceptions that the disclosure was permissible under the RHC rule; and
  • required HIPAA covered entities to update their HIPAA Privacy Notices as of February 16, 2026 to reflect the RHC rule. The rule also required HIPAA covered entities to update their HIPAA Privacy Notices related to substance use disorder information pursuant to a separate law (42 CFR Part 2).

A detailed summary of the HIPAA RHC rule can be found in our previous alert here.

Court Decision

The Purl decision was based on a complaint brought by a Texas health care provider, who claimed that the U.S. Department of Health and Human Services ("HHS") did not have authority to issue the RHC rule. Judge Kacsmaryk previously issued a preliminary injunction against HHS from enforcing the rule only against Dr. Purl, while the court considered whether the injunction should apply more broadly. In the opinion issued on June 18th, Judge Kacsmaryk found that the RHC rule should be vacated with nationwide effect.

More specifically, the court found:

  • The plaintiffs had standing because they were the "object" of the regulation and would incur increased compliance costs due to the rule.
  • The RHC rule was "contrary to law," in particular the Administrative Procedure Act, because the RHC rule could be "construed to invalidate or limit the authority, power, or procedures" of laws that protect child abuse reporting or public health investigations.
  • The RHC rule changed the definition of a "person" under HIPAA to exclude an unborn human and defined "public health" as being limited to population-based activities, rather than individualized action, which could be contrary to how some states interpret public health investigations. The court stated that HHS could not redefine these statutory terms under HIPAA to "preempt" state laws without additional congressional action.
  • The RHC rule violated the "major questions doctrine" adopted under Supreme Court case law, which generally requires an agency to have clear congressional authority for its actions with respect to questions of "great political significance" or that seek to "intrude into an area that is the particular domain of state law." The court found that, while the HIPAA statute confers authority to protect "individually identifiable health information," the statute did not confer "authority to distinguish between types of health information to accomplish political ends like protecting access to abortion and gender transition care."

Thus, the court vacated all of the RHC rule's requirements related to RHC, including the specific prohibition on disclosing RHC information as part of an investigation, the attestation requirement that applies to certain HIPAA exceptions, and the related modifications to the HIPAA Privacy Notice.

The court severed the RHC rule's provisions related to updates to the HIPAA Privacy Notice for substance use disorder information, as required by 42 CFR Part 2. The final Part 2 rules related to substance use disorder information are effective February 16, 2026, which also is the applicability date for the updated HIPAA Privacy Notice.

GROOM INSIGHT: We do not expect HHS to appeal the partial vacatur of the rule and dismissal of the case given that the rule was issued during the Biden Administration, and HHS under the Trump Administration has expressed different priorities. Despite the national effect of the decision, we also do not think that the Supreme Court's recent decision in Trump v. CASA, Inc., which invalidated nationwide injunctions related to certain Executive Orders, likely would apply here because, among other reasons, the Purl decision vacated the rule under section 706(2) of the Administrative Procedure Act. However, these decisions are new – and the political landscape is fluid – so we will keep an eye out for any future developments.

Practical Implications Going Forward

  • RHC Rule No Longer Applies – The RHC rule no longer applies, so covered entities and business associates no longer are required to review requests for PHI to determine if they may involve RHC information or obtain attestations with respect to requests under certain HIPAA exceptions.
  • But Some HIPAA Privacy Notice Updates Still Apply – Covered entities still need to update their HIPAA Privacy Notices by February 16, 2025 to include new provisions that were added in the RHC rule related to substance use disorder information. While the Purl decision vacated the RHC updates to the HIPAA Privacy Notice, the decision did not vacate the updates based on the Confidentiality of Substance Use Disorder Patient Records regulations under 42 CFR Part 2.
  • Note that many health plans provide their HIPAA Privacy Notices in their SPDs or enrollment materials that are delivered in the fall during annual enrollment. These health plans may want to go ahead and update their HIPAA Privacy Notice that will be issued this fall to avoid having to deliver a "one-off" notice in February 2026.
  • HIPAA Still Applies to RHC Information Generally – Just because the HIPAA RHC rule was vacated does not mean that requests for sensitive information will go away – or that there no longer are privacy considerations. Remember that HIPAA still applies. RHC information still is PHI under HIPAA, and any request for any type of PHI should be reviewed to ensure disclosure is permissible under HIPAA.
  • For example, if a state requests any PHI (not just RHC information) pursuant to a subpoena, HIPAA requires that the covered entity or business associate have a qualified protective order or provide individuals with notice and the opportunity to object. If a state requests PHI (not just RHC information) as part of an audit or law enforcement investigation, there are other specific HIPAA parameters that must be followed.
  • In addition, any disclosure under a HIPAA exception, including a subpoena, audit, or law enforcement investigation, is subject to the HIPAA accounting rule. The covered entity or business associate must keep a record of these disclosures and include them as part of an "accounting" that individuals may request – so individuals would have a right to know the covered entity or business associate made the disclosure.
  • HIPAA Does Not Mandate Disclosures – Just because HIPAA would permit disclosure does not mean that a covered entity or business associate is required to make the disclosure. HIPAA does not mandate disclosure of PHI, except to the Secretary of HHS as part of an investigation of HIPAA compliance or to the individual under their right to access their own PHI. The covered entity or business associate could decide not to disclose the requested PHI for other reasons, such as to protect enrollee information that it promised to keep confidential. While there may be other legal consequences for failing to disclose the requested information, such as a potential enforcement action for failing to comply with a subpoena, it would be another law, not HIPAA, that would require the disclosure.

GROOM INSIGHT: As a practical matter, while HIPAA covered entities and business associates may want to update their documents now that the RHC rule has been vacated, they may not want to do away with some of these safeguards or considerations altogether. Rather, covered entities and business associates should think through how they want to handle these requests within their organizations, regardless of how HIPAA applies.

Some questions to consider include:

  • Should your organization have a more robust procedure around disclosures of certain types of sensitive information?
  • Should requests for sensitive information be approved by the Privacy Officer?
  • Should you involve other groups within your organization, such as the company privacy office, communications team, or in-house counsel?
  • Should you check with your employment lawyer or privacy lawyer before disclosing sensitive information?
  • For covered entities, do you want the business associate to notify you before making such a disclosure – or obtain your approval first? If so, you may want to build that provision into your Business Associate Agreement or at least make sure you both have the same understanding.
  • If you are a business associate, are you limited by the Business Associate Agreement or services agreement from disclosing this type of information? Would you prefer to have the covered entity make the decision whether to disclose sensitive information?
  • Should you expand your HIPAA training so that HIPAA workforce members recognize requests for more sensitive information and know how to handle or direct the request?

Going forward, health plans, health care providers, and business associates can expect more inquiries and investigations into services and payment for services related to sensitive types of care. Now is the time to think through not only the legal requirements, but also the practical side of how your organization will choose to respond and whom to involve in those decisions. Groom is happy to help you navigate these constantly changing seas.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Vivian Hunter Turner
Vivian Hunter Turner
Photo of Tamara Killion
Tamara Killion
Photo of Chelsea Pardes
Chelsea Pardes
Photo of Christy Tinnes
Christy Tinnes
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More