by Cameron Cantrell and Felicity Slater
On June 19, 2025, the U.S. District Court in the Northern District of Texas vacated the vast majority of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “HIPAA Reproductive Privacy Rule” or “Rule”). The Department of Health and Human Services (“HHS”) published the Rule in the Federal Register in April 2024 with a compliance date of December 23, 2024. The District Court’s decision to vacate the reproductive privacy aspects of the Rule has an immediate and nationwide effect.
The Rule prohibits HIPAA covered entities and their business associates from using or disclosing protected health information (“PHI”) for the purpose of identifying, investigating, or prosecuting a person for the mere act of “seeking, obtaining, providing, or facilitating reproductive health care” (“RHC”) if lawful in the U.S. state in which the health care was provided. The Rule was designed to protect patients from criminal, civil, and administrative liability for seeking reproductive health care, and expressly references Dobbs v. Jackson.
The District Court’s ruling leaves several non-reproductive privacy related modifications in place. The still-effective portions of the Rule are relevant to HIPAA covered entities handling records subject to 42 USC § 290dd-2 (also known as “Part 2”). For example, covered entities that create or maintain Part 2 records must (1) provide notice to individuals of the ways in which covered entities may use and disclose such records, and (2) provide an adequate Notice of Privacy Practices that clarifies where certain uses or disclosures of PHI are subject to other applicable law more stringent or permissive than the HIPAA Privacy Rule, including but not limited to requirements under Part 2.
Purl Alleged the Rule Prevented Her from Complying with State Law Reporting Obligations
The vacatur comes as part of the court finding summary judgment for plaintiff Dr. Purl. Last year, Purl, who owns a general practice clinic in Texas, sued to invalidate the Rule under the federal Administrative Procedure Act, alleging it impaired her practice’s “state-mandated obligation to report ‘child abuse’ or participate in public health investigations.” In December 2024, the Court temporarily enjoined enforcement of the Rule against her practice.
The District Court outlines three arguments for why the Rule is “contrary to law,” discussed in turn below.
Finding #1: HIPAA Did Not Authorize HHS to Specially Regulate RHC and Abortion
The Court found that HHS did not have the statutory authority to promulgate the Rule. The Court relied significantly on the major-questions doctrine of Congressional delegation, as well as the recent death of “Chevron” deference, characterizing the Rule as “special protection for politically controversial medical care now returned [by Dobbs] to the states.”
Post-Chevron, if a regulation’s underlying subject matter presents a “major question,” an agency may only regulate in the area with “clear congressional authorization” that “agency action is necessary.” A “major question” arises in areas of “vast economic and political significance,” and may also arise from federal activity in areas that are “primarily” regulated by states.”
The Court found RHC to be a “major question,” but one HHS was not congressionally empowered to answer. Focusing on abortion and gender confirmation care, the Court first cited voluminous case law to categorize RHC as entailing “politically favored medical procedures” with enormous political significance, presenting a “major question”. The Court then cited Dobbs as returning the “issue of abortion” to the states. The Court found that the statutory mandate HHS relied on to issue the Rule, “grant[ing] power to promulgate standards for the uses and disclosures of PHI,” at best “implicit[ly]” or “plausibly” confers authority to create special protections for RHC information – short of the “clear congressional authorization” required for the Rule to stand.
Finding #2: The Rule Improperly Preempts State Laws on Child Abuse and Public Health
HIPAA regulations “cannot preempt a contrary state law with ‘more stringent’ health-information protection requirements,” or otherwise invalidate or limit any state law providing for, relevantly, “child abuse… [or] [a] public health investigation or intervention.”
The District Court found the Rule impinged on states’ rights by regulating RHC in four ways:
The Rule “prohibits reporting child abuse if such a report would be based solely on lawful RHC,” which the Court held infringes on states’ rights to the extent state law mandates child abuse reporting for health care providers.
The Rule “requires covered entities to scrub PHI whenever they receive a lawful PHI request, to determine whether it contains any [RHC] information,” which is overly burdensome for covered entities.
The Rule’s lawfulness analysis requires “covered entities… [to] scrutinize confusing abortion and gender-identity jurisprudence, legislation, and regulations to decipher whether the RHC was lawful,” slowing down “request[s] or disclos[ures] per… state public health law” and generally “limit[ing] a state’s ability to conduct public health investigations.”
The Rule requires “covered entities… [to] flawlessly enforce an intricate attestation requirement whenever they receive a request to disclose PHI,” adding “weighty” bureaucracy to states’ lawful public health investigations.
Throughout, the Court’s discussion focused on child abuse and did not explicitly address how reproductive health care is or could be “public health.”
Finding #3: The Rule Impermissibly Redefines Statutory Terms
The Rule defines “person” and “public health,” each of which are already given meaning by the Dictionary Act (1 USC §§ 1 et seq) and HIPAA respectively. The Court found each new definition inconsistent with existing definitions:
The Rule and the Dictionary Act appear to define “person” consistently by requiring the human be “born,” though the Dictionary Act requires the term not be interpreted to deny or restrict “any legal status or legal right applicable to any [human] at any point prior to being born alive.” The Court found the Rule operates to this effect, again focusing on child abuse. Twenty-one U.S. states “explicitly define substance abuse during pregnancy as child abuse or neglect,” but the new definition would prevent health care professionals from reporting this as child abuse under the HIPAA Privacy Rule, “strip[ping] unborn humans of any legal status they had under [these twenty-one] state laws.”
“Public health” is used in HIPAA but is not defined. The Rule’s definition references the statute, defining the term as “identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population,” except where performed to “attach liability to persons for specific acts of seeking, obtaining, providing, or facilitating health care.” The District Court noted that while HHS may generally have broad authority to define terms not defined in HIPAA, HHS may not define terms in HIPAA’s preemption provisions unless Congress expressly delegates that authority. Congress did not grant that authority in this instance.
Looking Forward: State Reproductive Privacy Laws and Enforcement Poised to Take the Lead
The District Court’s invalidation of the HIPAA Reproductive Privacy Rule is likely to complicate the health data landscape for organizations that collect data related to health, fitness, and wellness, and especially reproductive care. It provided a uniform, nationwide standard, and without it these organizations will be left to navigate the often-confusing array of state laws applicable to collection and use of broadly defined “health data.” These laws are primarily enforced by state attorneys general, though some laws, such as Washington’s My Health, My Data Act (“MHMDA”) and Virginia’s SB 754, allow for suits by private plaintiffs.
While HIPAA covered entities no longer need to comply with the vacated Rule, at least 13 U.S. states—including California, New York, and Washington state—have passed laws commonly referred to as “shield laws” featuring still-effective elements similar to the vacated Rule. Shield laws limit the disclosures that health care providers, service plans, and other in-scope entities may make to out-of-state law enforcement about abortion services lawfully provided in their own state, and like the vacated Rule, they are intended to prevent abortion-related lawsuits brought in states that have restricted access to abortion care.
It is unlikely that HHS will appeal this decision, given the new administration’s position on reproductive care and the federal government increasingly abdicating responsibility for abortion-related issues to the states – making it more likely that, moving forward, state laws like MHMDA and shield laws are more aggressively enacted and enforced.
If your organization complied with the HIPAA Reproductive Privacy Rule by updating its standard operating procedures and/or NPP to address RHC information requests, training its medical records department on attestation requirements, or otherwise implemented special requirements for RHC information or RHC itself, those policies and procedures should be reviewed to ensure they are only applicable to the states where a shield law or other reproductive health privacy law is in place. If your organization processes information protected by Part 2, an update to the current NPP based on the intact provisions is still recommended.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.
Cameron Cantrell is an Associate at Hintze Law PLLC representing companies on AI, privacy, and cybersecurity issues.
Felicity Slater is an Associate at Hintze Law PLLC advising clients on global data protection issues.