Texas Sues HHS to Overturn HIPAA Privacy and Reproductive Healthcare Privacy Final Rules
Texas Attorney General Ken Paxton (R) has filed a lawsuit against the Department of Health and Human Services (HHS), HHS Secretary Xavier Becerra, and Office for Civil Rights (OCR) Director Melanie Fontes Rainer alleging the HIPAA Privacy Rule, which has been in effect for more than two decades, and the 2024 HHS final rule on reproductive healthcare privacy are unlawful and should be vacated.
The HHS issued the 2024 final rule – HIPAA Privacy Rule to Support Reproductive Health Care Privacy – on April 22, 2024, to strengthen the privacy protections of the Health Insurance Portability and Accountability Act for lawfully provided reproductive healthcare in response to the overturning of Roe v. Wade.
In 1971, a pregnant woman (Roe) brought a class action lawsuit – Roe v. Wade – challenging the constitutionality of a Texas statute that prohibited procuring or attempting an abortion, except when such a procedure was necessary to save the mother’s life. In 1973, the Supreme Court held that the U.S. Constitution protected the right to an abortion prior to the viability of the fetus. That ruling stood until 2022 when it was officially overturned by the Supreme Court. The overturning of Roe v. Wade removed the federal right to an abortion that had stood for almost 50 years, and it was left to individual states to decide whether abortions could be provided. Currently, 22 US states have passed laws that either ban or restrict abortion procedures, including Texas, where abortion is banned under almost all circumstances. In Texas, private citizens are permitted to sue abortion providers and individuals who help patients seeking abortions after 6 weeks of pregnancy.
As a result of restrictions on abortions, women – and in some cases children – have been forced to travel out of state to have abortion procedures to healthcare providers in states that have not introduced bans; however, having such a procedure performed legally out of state when there is a ban in place in the person’s home state carries legal risks. State authorities may attempt to prosecute individuals who travel out of state for abortions as well as individuals who assist them.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The HHS published a final rule to better protect the privacy of patients seeking legal reproductive healthcare. The final rule prohibits the use or disclosure of protected health information (PHI) when it is sought to impose liability on individuals, healthcare providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities. HIPAA-covered entities must obtain a signed attestation that certain requests for PHI potentially related to reproductive healthcare are not for prohibited purposes before information can be provided.
The lawsuit challenges the portions of the HIPAA Privacy Rule that limit disclosures to state investigators and the 2024 HIPAA Privacy Rule update. The issue with the 2000 HIPAA Privacy Rule relates to 45 C.F.R. § 164.512(f)(1)(ii)(C), which permits disclosures of protected health information in response to a state’s administrative subpoena; however, only if three conditions are met
(1) The information sought is relevant and material to a legitimate law enforcement inquiry;
(2) The request is specific and limited in scope to the extent reasonably practicable in light of
the purpose for which the information is sought; and
(3) De-identified information could not reasonably be used.
The lawsuit claims that the HIPAA statute does not reference any three-part test and does not permit the HHS to introduce such conditions on limiting how regulated entities may share information with state governments. Further, the 2024 final rule was implemented specifically to prevent states from being provided with protected health information to investigate their own laws on abortions and other laws that relate to reproductive healthcare information. The lawsuit alleges the final rules violate the Administrative Procedure Act (APA) of 1946, which governs how federal agencies make and enforce rules.
According to the lawsuit, “These rules significantly harm the State of Texas’s investigative abilities because covered entities frequently cite the 2000 Privacy Rule as a reason they cannot comply with a valid investigative subpoena for documents, and have already begun invoking the 2024 Privacy Rule for similar purposes.” The lawsuit alleges the final rules have no statutory authority and are arbitrary and capricious.
Paxton claims the final rules weaken Texas laws that permit state investigations into medical procedures, including abortions, and is seeking to have them vacated, set aside, and prevent them from being enforced. “This new rule actively undermines Congress’s clear statutory meaning when HIPAA was passed, and it reflects the Biden Administration’s disrespect for the law,” said Attorney General Paxton. “The federal government is attempting to undermine Texas’s law enforcement capabilities, and I will not allow this to happen.”
If the lawsuit is successful, it could have serious implications for patient privacy and not just the privacy of reproductive health information. While the lawsuit is focused on ensuring that states can enforce their laws on abortions and other reproductive healthcare matters, the lawsuit is seeking to have the HIPAA Privacy Rule vacated in its entirety.
The decision of the Texas Attorney General to try to overturn the privacy rules has caused concern among privacy advocates and states that have chosen to retain reproductive healthcare rights and protect the providers of that care. Illinois is one such state that has enacted robust shield laws to protect providers and patients in Illinois from out-of-state attempts to access healthcare records.
“The Texas Attorney General’s challenge to medical privacy protections is a cruel attack that only serves to instill fear and punish people across the country for accessing medical care. This action is a move to reach outside of Texas’ own borders and impose its abortion restrictions on states like Illinois where we respect bodily autonomy and a woman’s right to choose,” Illinois Attorney General Kwarme Raoul said in a statement provided to The HIPAA Journal. “No matter where you live, every person deserves to have their personal medical information remain private and confidential – and that unequivocally includes any medical records related to reproductive and gender-affirming health care… I am committed to ensuring that all health care information remains private and cannot be weaponized against seeking and providing lawful reproductive and gender-affirming care.”
