On June 18, 2025, the U.S. District Court for the Northern District of Texas issued an order in Purl v. United States Department of Health and Human Services, No. 2:24-CV-228-Z (N.D. Tex. 2025) (the June 18 Order) that vacated recent modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule intended to strengthen reproductive healthcare privacy. In light of this decision, Covered Entities and their Business Associates (Regulated Entities) should consider unwinding any measures they have taken to comply with those HIPAA Privacy Rule modifications. We dive into the details below.

Background

In Dobbs v. Jackson Women’s Health Organization, 597 U.S. 215 (2022), the Supreme Court overturned its landmark decision of Roe v. Wade, 410 U.S. 113 (1973), and relegated the authority to regulate abortion to the individual states. In response, the U.S. Department of Health and Human Services (HHS) published the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the Reproductive Health Rule or Rule) on April 26, 2024. The Reproductive Health Rule, which had a compliance deadline of December 23, 2024, aimed to strengthen privacy protections for individuals seeking lawful reproductive healthcare.

The HIPAA Privacy Rule outlines permissible uses and disclosures of protected health information (PHI) without an individual’s authorization and generally bars such disclosures in the absence of a purpose the Privacy Rule specifically permits. The Reproductive Health Rule limited the circumstances in which PHI related to “reproductive health care” could be used or disclosed for non-healthcare purposes. The Rule broadly defined “reproductive health care” to include any healthcare affecting an individual’s health in matters relating to the reproductive system. This included, among other things, mammograms, contraception, pregnancy and maternity care, screening and treatment for sexually transmitted diseases, gender-affirming care, and abortion services.

The Rule prohibited Regulated Entities from using or disclosing such reproductive healthcare information for “prohibited purposes,” including to: (1) conduct criminal, civil, or administrative investigations; (2) impose criminal, civil, or administrative liability; or (3) otherwise identify any person for either (1) or (2) solely for their act of seeking, obtaining, providing, or facilitating lawful reproductive care.

In issuing the rule, HHS cited concerns that state-level abortion restrictions could “chill an individual’s willingness” to seek reproductive healthcare, particularly where PHI could be used against patients for seeking such care in another state or against providers for offering such care.

The Reproductive Health Rule required Regulated Entities to obtain a written attestation from persons or entities requesting reproductive-related PHI for health oversight, judicial or administrative proceedings, law enforcement, and disclosures to coroners and medical examiners involving decedents. The requestor was required to attest that the request for PHI was not for purposes of an investigation, to impose liability, or to identify any person for purposes of an investigation or to impose liability.

Under the Rule, Regulated Entities were required to presume that reproductive healthcare was lawful unless they had (1) actual knowledge or (2) a substantial factual basis to believe the care was not lawful. A new attestation was required for each specific PHI use or disclosure request, of which Regulated Entities were required to maintain written copies.

For Covered Entities, compliance involved revising their Notices of Privacy Practices and implementing new operational procedures.

In practice, Regulated Entities became responsible for determining whether a law enforcement agency’s (or other government agency’s) request was for a “Prohibited Purpose.” Some Regulated Entities reported difficulties in navigating the Rule’s requirements alongside state-level disclosure requirements. 

The Rule also amended the HIPAA Privacy Rule’s provisions on Notice of Privacy Practices pertaining to substance use disorder regulations (Substance Use Amendments).

The Order

The challenge to the Reproductive Health Rule was brought by Dr. Purl, the owner of an urgent care clinic in Texas, who expressed concern that, among other things, the Rule impaired her clinic’s obligations under state law, including mandatory reporting of child abuse and participation in public health investigations. In the June 18 Order, the Court found that the Reproductive Health Rule exceeded HHS’s statutory authority and the appropriate remedy was vacatur of almost the entirety of the Rule.

The Court opened its analysis with a reference to the Supreme Court’s recent landmark decision in Loper Bright Enterprises. v. Raimondo that overruled 40 years of judicial deference to federal agency decisions because agencies possess “only the authority that Congress has provided” and courts must independently interpret statutory text rather than defer to agency interpretations. 603 U.S. 369, 416 (2024).

After rejecting HHS’s argument that Dr. Purl and her clinic did not have standing to challenge the Rule, the Court focused on three legal issues arising from HHS’s promulgating the Reproductive Health Rule. First, the Court explained that the Reproductive Health Rule unlawfully limited state public health laws. Specifically, state-level mandated reporting of child abuse or neglect may be constrained, with similar effects to public health investigations or interventions. Second, the Court took issue with the Rule’s broad definitions of “person” and “public health,” noting that the definition of “person” excluded “unborn humans,” which the Court found conflicted with other federal laws.

Finally, the Court applied the “major questions doctrine,” which requires clear congressional authorization when agencies attempt to regulate matters of vast economic and political significance. The Court found that the Rule triggered the major questions doctrine because it addressed matters of “great political significance,” such as abortion and gender-transition procedures, and because it intruded into an area that is “the particular domain of state law,” especially given that Dobbs returned abortion regulation “to the people and their elected representatives.” Because HIPAA’s general language authorizing standards for PHI use and disclosure did not provide the requisite “clear congressional authorization” to create special protections for politically controversial medical procedures, the Court held that HHS exceeded its statutory authority.

The June 18 Order was effective immediately and applies nationwide. While it is possible that HHS could appeal the order, that seems unlikely at this time. The Court’s ruling does not affect Regulated Entities’ obligation to comply with the HIPAA Privacy Rule’s existing restrictions when using or disclosing PHI without patient authorization. The June 18 Order did not vacate the Substance Use Amendments to 45 CFR § 164.520. Compliance with those changes is still required by February 16, 2026. 

Key Takeaways

In light of this significant decision, Regulated Entities should consider taking the following steps:

• Review and update existing policies and procedures in light of the June 18 Order. Previous efforts to comply with the Reproductive Health Rule in policies and procedures and training programs, as well as attestation forms, should be reconsidered. Regulated Entities must still comply with the other requirements of the HIPAA Privacy Rule when using and disclosing PHI, including information related to reproductive healthcare. Because the Rule addressed permissive disclosures, some organizations may decide to continue with the policies and procedures they implemented to safeguard individuals’ reproductive healthcare information. That is, Regulated Entities may still limit PHI they disclose in response to requests permitted under 45 C.F.R. § 164.512 or require an attestation from the requester or patient authorization.

• Revise references to the Reproductive Health Rule in Business Associate Agreements. While the implementation of such references was optional, Regulated Entities often opted to include this language.

• Review Notice of Privacy Practices to determine whether such notices should be revised.

• Ensure compliance with existing state laws that provide enhanced privacy protections and monitor state legislative activity for efforts to address developments following the June 18 Order.  

• Identify whether certain uses and disclosures of reproductive health information may still give rise to potential federal civil rights issues and work with legal counsel to determine their obligations.

• Continue to plan for the Substance Use Amendments to 45 CFR 164.520 that were not vacated. Compliance with the changes to those provisions is still required by February 16, 2026. 

Akerman’s Healthcare Practice Group is equipped to assist Regulated Entities in navigating this change and will continue to monitor ongoing developments in this evolving area.