Legal Alert: Enforcement of the HIPAA Reproductive Health Care Privacy Rule Vacated Nationwide

July 21, 2025

On June 18, 2025, a federal district court in Texas vacated, on a nationwide basis, a significant portion of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (“Final Rule”), which was implemented on April 24, 2024. The Final Rule, which was implemented in response to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization (effectively overturning Roe v. Wade), was intended to protect the ability of individuals to receive reproductive health care when the care is provided lawfully under the circumstances without risk of an individual’s identity or health information being disclosed for purposes of state criminal, civil or administrative investigations (or for imposing liability related to lawfully providing or obtaining reproductive health care).

The Final Rule and District Court Decision

Among other things, the Final Rule required group health plans, health care providers, and health care clearinghouses (collectively, “Covered Entities”) to:

  • Update their HIPAA Privacy policies and procedures by December 23, 2024 to meet the requirements of the Final Rule, which included updating their HIPAA staff on the new changes (and how to identify and respond to any requests that may be impacted by the Final Rule) and ensuring that the Covered Entity obtains a signed, written attestation from the requester related to any request for use or disclosure of PHI potentially related to reproductive health care requested for health oversight, judicial or administrative proceedings, law enforcement purposes, or disclosures to coroners or medical examiners.
  • If necessary, update their HIPAA business associates agreements by December 23, 2024, to ensure any business associates were obligated to meet these new requirements in the same manner as the Covered Entity.
  • Update their Notice of Privacy Practices by February 16, 2026, to notify individuals of their rights to have this information protected by the Covered Entity.

The lawsuit challenging the reproductive health care privacy provisions of the Final Rule was brought by a health care practitioner in the state of Texas who believed following the Final Rule would inhibit their ability to meet other state law requirements, including mandatory reporting requirements related to child abuse. 

The federal district court agreed with the health care practitioner and further determined that the Final Rule impermissibly exceeded the scope of the Department of Health and Human Services’ authority by, among other things, expanding the definition of “person” to include unborn children. Accordingly, the district court judge vacated the reproductive health care privacy protections under the Final Rule nationwide, which prohibits the agency from enforcing these requirements of the Final Rule.

The Final Rule was believed to be among the rules under review pursuant to the Executive Order Directing the Repeal of Unlawful Regulations issued by President Trump in April 2025. Thus, it is unclear whether the Trump Administration will appeal this decision, though it seems unlikely.

What Does This Mean for Employers

This decision only impacts the changes to the Privacy Rule related to Reproductive Health Care Privacy Protections included in the Final Rule. It does not impact Covered Entities’ or Business Associates’ other obligations under the HIPAA privacy and security rules, nor does it impact any state law protections that may limit the disclosure of this information, which vary from state to state. 

Thus, Covered Entities, including sponsors of self-funded group health plans or sponsors of fully insured group health plans who have access to PHI or electronic PHI, must still maintain HIPAA privacy and security policies and procedures, issue notices of privacy practices to their group health plan participants, have business associate agreements (“BAA”) in place with their business associates, and comply with any applicable state law privacy protections.

If a Covered Entity updated their BAAs, their policies and procedures, or their Notice of Privacy Practices to capture the reproductive health care privacy requirements included in the Final Rule, they can amend those documents to remove these provisions.

Note: This alert is limited to those provisions of the Final Rule regarding reproductive health care privacy which were vacated by the district court decision. HHS intends to update the model Notice of Privacy Practices at some point prior to February 16, 2026 to incorporate other, required changes unrelated to reproductive health care privacy that were addressed in the Final Rule. A new alert will be issued when the model notice is released.

 

About the Author. This alert was prepared for Alera Group by Barrow Lent LLP, a national law firm with recognized experts on ERISA and the Affordable Care Act. Contact Stacy Barrow or Nicole Quinn-Gato at sbarrow@marbarlaw.com or nquinngato@marbarlaw.com.

The information provided in this alert is not, is not intended to be, and shall not be construed to be, either the provision of legal advice or an offer to provide legal services, nor does it necessarily reflect the opinions of the agency, our lawyers, or our clients. This is not legal advice. No client-lawyer relationship between you and our lawyers is or may be created by your use of this information. Rather, the content is intended as a general overview of the subject matter covered. This agency and Barrow Lent LLP are not obligated to provide updates on the information presented herein. Those reading this alert are encouraged to seek direct counsel on legal questions. 

© 2025 Barrow Lent LLP. All Rights Reserved.
