Data Privacy

Texas District Court Vacates Majority of HIPAA Reproductive Privacy Rule

On June 19, 2025, the U.S. District Court in the Northern District of Texas vacated the vast majority of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “HIPAA Reproductive Privacy Rule” or “Rule”). The Department of Health and Human Services (“HHS”) published the Rule in the Federal Register in April 2024 with a compliance date of December 23, 2024. The District Court’s decision to vacate the reproductive privacy aspects of the Rule has an immediate and nationwide effect.

The Rule prohibits HIPAA covered entities and their business associates from using or disclosing protected health information (“PHI”) for the purpose of identifying, investigating, or prosecuting a person for the mere act of “seeking, obtaining, providing, or facilitating reproductive health care” (“RHC”) if lawful in the U.S. state in which the health care was provided. The Rule was designed to protect patients from criminal, civil, and administrative liability for seeking reproductive health care, and expressly references Dobbs v. Jackson.

The District Court’s ruling leaves several non-reproductive privacy related modifications in place. The still-effective portions of the Rule are relevant to HIPAA covered entities handling records subject to 42 USC § 290dd-2 (also known as “Part 2”). For example, covered entities that create or maintain Part 2 records must (1) provide notice to individuals of the ways in which covered entities may use and disclose such records, and (2) provide an adequate Notice of Privacy Practices that clarifies where certain uses or disclosures of PHI are subject to other applicable law more stringent or permissive than the HIPAA Privacy Rule, including but not limited to requirements under Part 2.

Purl Alleged the Rule Prevented Her from Complying with State Law Reporting Obligations

The vacatur comes as part of the Court’s grant of summary judgment for plaintiff Dr. Purl. Last year, Purl, who owns a general practice clinic in Texas, sued to invalidate the Rule under the federal Administrative Procedure Act, alleging it impaired her practice’s “state-mandated obligation to report ‘child abuse’ or participate in public health investigations.” In December 2024, the Court temporarily enjoined enforcement of the Rule against her practice.

The District Court outlines three arguments for why the Rule is “contrary to law,” discussed in turn below.

Finding #1: HIPAA Did Not Authorize HHS to Specially Regulate RHC and Abortion

The Court found that HHS did not have the statutory authority to promulgate the Rule. The Court relied significantly on the major-questions doctrine of Congressional delegation, as well as the recent death of “Chevron” deference, characterizing the Rule as “special protection for politically controversial medical care now returned [by Dobbs] to the states.”

Post-Chevron, if a regulation’s underlying subject matter presents a “major question,” an agency may only regulate in the area with “clear congressional authorization” that “agency action is necessary.” A “major question” arises in areas of “vast economic and political significance,” and may also arise from federal activity in areas that are “primarily” regulated by states.

The Court found RHC to be a “major question,” but one HHS was not congressionally empowered to answer. Focusing on abortion and gender confirmation care, the Court first cited voluminous case law to categorize RHC as entailing “politically favored medical procedures” with enormous political significance, presenting a “major question”. The Court then cited Dobbs as returning the “issue of abortion” to the states. The Court found that the statutory mandate HHS relied on to issue the Rule, “grant[ing] power to promulgate standards for the uses and disclosures of PHI,” at best “implicit[ly]” or “plausibly” confers authority to create special protections for RHC information – short of the “clear congressional authorization” required for the Rule to stand.

Finding #2: The Rule Improperly Preempts State Laws on Child Abuse and Public Health

HIPAA regulations “cannot preempt a contrary state law with ‘more stringent’ health-information protection requirements,” or otherwise invalidate or limit any state law providing for, relevantly, “child abuse… [or] [a] public health investigation or intervention.”

The District Court found the Rule impinged on states’ rights by regulating RHC in four ways:

  1. The Rule “prohibits reporting child abuse if such a report would be based solely on lawful RHC,” which the Court held infringes on states’ rights to the extent state law mandates child abuse reporting for health care providers.

  2. The Rule “requires covered entities to scrub PHI whenever they receive a lawful PHI request, to determine whether it contains any [RHC] information,” which is overly burdensome for covered entities. 

  3. The Rule’s lawfulness analysis requires “covered entities… [to] scrutinize confusing abortion and gender-identity jurisprudence, legislation, and regulations to decipher whether the RHC was lawful,” slowing down “request[s] or disclos[ures] per… state public health law” and generally “limit[ing] a state’s ability to conduct public health investigations.”

  4. The Rule requires “covered entities… [to] flawlessly enforce an intricate attestation requirement whenever they receive a request to disclose PHI,” adding “weighty” bureaucracy to states’ lawful public health investigations.

Throughout, the Court’s discussion focused on child abuse and did not explicitly address how reproductive health care is or could be “public health.”  

Finding #3: The Rule Impermissibly Redefines Statutory Terms

The Rule defines “person” and “public health,” each of which is already given meaning by the Dictionary Act (1 USC §§ 1 et seq) and HIPAA respectively. The Court found each new definition inconsistent with existing definitions:

  • The Rule and the Dictionary Act appear to define “person” consistently by requiring the human be “born,” though the Dictionary Act requires the term not be interpreted to deny or restrict “any legal status or legal right applicable to any [human] at any point prior to being born alive.” The Court found the Rule operates to this effect, again focusing on child abuse. Twenty-one U.S. states “explicitly define substance abuse during pregnancy as child abuse or neglect,” but the new definition would prevent health care professionals from reporting this as child abuse under the HIPAA Privacy Rule, “strip[ping] unborn humans of any legal status they had under [these twenty-one] state laws.”

  • “Public health” is used in HIPAA but is not defined. The Rule’s definition references the statute, defining the term as “identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population,” except where performed to “attach liability to persons for specific acts of seeking, obtaining, providing, or facilitating health care.” The District Court noted that while HHS may generally have broad authority to define terms not defined in HIPAA, HHS may not define terms in HIPAA’s preemption provisions unless Congress expressly delegates that authority. Congress did not grant that authority in this instance.

Looking Forward: State Reproductive Privacy Laws and Enforcement Poised to Take the Lead  

The District Court’s invalidation of the HIPAA Reproductive Privacy Rule is likely to complicate the health data landscape for organizations that collect data related to health, fitness, and wellness, and especially reproductive care. The Rule provided a uniform, nationwide standard, and without it these organizations will be left to navigate the often-confusing array of state laws applicable to collection and use of broadly defined “health data.” These laws are primarily enforced by state attorneys general, though some laws, such as Washington’s My Health, My Data Act (“MHMDA”) and Virginia’s SB 754, allow for suits by private plaintiffs.

While HIPAA covered entities no longer need to comply with the vacated Rule, at least 13 U.S. states—including California, New York, and Washington state—have passed laws commonly referred to as “shield laws” featuring still-effective elements similar to the vacated Rule. Shield laws limit the disclosures that health care providers, service plans, and other in-scope entities may make to out-of-state law enforcement about abortion services lawfully provided in their own state, and like the vacated Rule, they are intended to prevent abortion-related lawsuits brought in states that have restricted access to abortion care.

It is unlikely that HHS will appeal this decision, given the new administration’s position on reproductive care and the federal government increasingly abdicating responsibility for abortion-related issues to the states – making it more likely that, moving forward, state laws like MHMDA and shield laws are more aggressively enacted and enforced.

If your organization complied with the HIPAA Reproductive Privacy Rule by updating its standard operating procedures and/or NPP to address RHC information requests, training its medical records department on attestation requirements, or otherwise implemented special requirements for RHC information or RHC itself, those policies and procedures should be reviewed to ensure they are only applicable to the states where a shield law or other reproductive health privacy law is in place. If your organization processes information protected by Part 2, an update to the current NPP based on the intact provisions is still recommended.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

Cameron Cantrell is an Associate at Hintze Law PLLC representing companies on AI, privacy, and cybersecurity issues.

Felicity Slater is an Associate at Hintze Law PLLC advising clients on global data protection issues.

State Privacy Regulators Announce Formation of Collaboratory Consortium


by Felicity Slater and Susan Hintze

On April 16, 2025, the California Privacy Protection Agency (CPPA) and state Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon announced the formation of the bipartisan "Consortium of Privacy Regulators." The focus of the Consortium will be to foster multi-state coordination, including sharing of expertise and resources, in investigating potential violations of, and enforcing, their respective states' comprehensive privacy laws.


Takeaways From the New DOJ Guidance on Its Cross-Border Data Rule


By Sam Castic

On Friday, April 11, 2025, the DOJ released a Compliance Guide and more than 100 FAQs on the Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons Rule (the “DOJ Rule”). It also released an Implementation and Enforcement Policy, which indicates it will not prioritize enforcement against companies making good faith efforts to comply until July 8, 2025.


GenAI in the Workplace: Hong Kong PCPD Releases Checklist for Employer Policies


By Leslie Veloz and Jennifer Ruehr

The Hong Kong Office of the Privacy Commissioner for Personal Data (“PCPD”) recently published its Checklist on Guidelines for the Use of Generative AI by Employees (“Checklist”). The goal of the Checklist is to help organizations draft internal policies and procedures governing employee use of generative AI (“GenAI”) tools, especially where GenAI is used to process personal data.


Virginia Governor Signs Reproductive Health Data Restrictions into Law


by Cameron Cantrell and Felicity Slater 

On March 24, 2025, Governor Youngkin (R) of Virginia signed SB 754—which amends the Virginia Consumer Protection Act (VCPA) to restrict the collection and processing of “reproductive or sexual health information” and is enforceable through a private right of action—into law. The law will take effect July 1, 2025. 


Fourth Circuit Publishes Landmark Ruling on 21st Century Cures Act “Information Blocking”

By Cameron Cantrell and Kate Black

On March 12, 2025, the Fourth Circuit Court of Appeals ruled that (1) the information blocking prohibition in the federal 21st Century Cures Act (“Cures Act”) was plausibly violated when an Electronic Health Record (EHR) provider blocked bot access to its systems without sufficient justification, and (2) this violation may support a Maryland state law unfair competition claim, despite the Cures Act not having its own private right of action. This decision notably appears to be the first Circuit Court decision concerning the information blocking prohibition and, for parties subject to the rule, raises the risk that information blocking may be enforceable through a de facto state privacy right of action.


Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night


By Felicity Slater and Kate Black

The Maryland Online Data Privacy Act (“MODPA” or the “Act”), which takes effect October 1, 2025, establishes a set of novel requirements that will have a particular impact for companies operating in the health and wellness sectors. 


Hintze & Partners Recognized by Chambers in 2025 Global Rankings


Hintze Law and its lawyers have once again been recognized in Chambers & Partners for expertise in Privacy and Data Security in the 2025 Chambers Global Guide. These recognitions include Hintze Law’s fifth year being ranked as an Elite Law Firm for Privacy and Data Security as well as the firm’s second year receiving recognition for Privacy and Data Security: Healthcare.


Final COPPA Rule Amendments: Definitional Changes


By Susan Hintze, Emily Litka, and Amy Lanchester 

This is Part 2 in a series of blog posts about the 2025 COPPA Final Rule. It provides a comprehensive review of the revised definitional changes to the Rule. Subsequent posts in the coming days will delve more deeply into the direct and online notice, parental consent, and data governance requirements. Our unofficial redlined copy of the Final Rule can be found here.


The FTC Issues Final COPPA Rule Amendment


By Susan Hintze and Emily Litka

This is Part 1 in a series of blog posts about the 2025 COPPA Final Rule. It provides a high-level overview of the Final Rule. Subsequent posts in the coming days will delve more deeply into individual aspects of the Final Rule and FTC comments, the issues raised, and implications for specific industry sectors. Our unofficial redlined copy of the Final Rule can be found here.


10 areas for US-based privacy programs to focus in 2025


By Sam Castic

The post below was originally published by the IAPP at https://iapp.org/news/a/10-areas-for-privacy-programs-to-focus-in-2025.

This past year was another jammed one for privacy teams and it was not easy to stay on top of all the privacy litigation, enforcement trends, and new laws and regulations in the U.S.
