Texas Judge Vacates Abortion Privacy Protections
A Texas Judge has ruled that the HIPAA Privacy Rule update issued by the U.S. Department of Health and Human Services (HHS) in 2024 to strengthen reproductive health care privacy was unlawful and has vacated the rule.
Background and HHS Rulemaking on Reproductive Healthcare Privacy
In response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization in 2022 and the overturning of Roe v. Wade, the HHS issued a notice of proposed rulemaking (NMPR) to strengthen reproductive health information privacy. The Supreme Court’s decision eliminated the federal right to abortion and returned the authority to regulate abortion to individual states. Following the decision, many U.S. states introduced laws banning or severely restricting abortions for state residents.
A consequence of those restrictions is that individuals wishing to terminate their pregnancies had to travel to states with more permissive reproductive healthcare laws to have those procedures performed legally. Due to concerns that states with strict abortion laws could try to prosecute state residents for having a legal abortion performed out of state or for helping an individual obtain a legal abortion out of state, the HHS, under the Biden administration, sought to strengthen privacy protections for reproductive healthcare information.
The main concern was that states could demand that healthcare providers disclose protected health information to support investigations and judicial/administrative proceedings into out-of-state abortions. HIPAA permits, but does not require, disclosures of protected health information (PHI). The HHS believed that the HIPAA Privacy Rule needed to be strengthened to specifically prohibit disclosures of reproductive health information to support law enforcement investigations into legal abortions.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The HIPAA Privacy Rule to Support Reproductive Health Care Privacy prohibits disclosures of PHI potentially related to legal reproductive health care. Specifically, HIPAA-regulated entities were prohibited from using or disclosing PHI for the following activities:
- To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- The identification of any person for the purpose of conducting such investigation or imposing such liability.
Before PHI related to reproductive healthcare could be legally disclosed, the requesting entity had to provide a written attestation that the PHI was not being sought for a prohibited purpose. Under the final rule, a regulated entity must presume that reproductive healthcare was lawfully provided, unless it had actual knowledge or a substantial factual basis to believe that the reproductive healthcare was not provided legally.
The final rule of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy was published in the Federal Register on April 26, 2024, took effect on June 25, 2024, and all entities subject to the final rule were required to comply with its provisions by December 23, 2024, with the exception of the notice of privacy practices requirements.
District Court Judge Overturns HIPAA Reproductive Health Care Rule
The legality of the final rule was challenged in Texas – Purl v. United States Department of Health and Human Services. On June 18, 2025, the U.S. District Court for the Northern District of Texas issued an order vacating the HIPAA Privacy Rule to Support Reproductive Health Care Privacy under its authority under the Administrative Procedure Act (APA). Under the ACA, states are permitted to overturn the actions of federal agencies if they are determined to be “in excess of statutory jurisdiction, authority, or limitations, or short of statutory right.” In such cases, the courts have the power to set aside agency actions that are unlawful.
In Purl v. United States Department of Health and Human Services, plaintiffs Dr. Carmen Purl and her medical clinic argued that the HHS had exceeded its statutory authority by issuing the final rule, which unlawfully restricts state-mandated reporting obligations, in particular with respect to child abuse investigations. The Texas District Court ruled in favor of the plaintiffs, determining that the final rule unlawfully limits state public health laws, impermissibly redefined a ‘person’ and ‘public health’ in violation of Federal law and in excess of its statutory authority, and the rule was adopted without authority expressly delegated by Congress.
As such, United States District Court Judge Matthew J. Kacsmaryk vacated the final rule; however, he allowed the section relating to 45 C.F.R. 164.520 (notice of privacy practices) concerning substance use disorder records to remain in place. “HIPAA confers authority to promulgate regulations protecting ‘individually identifiable health information.’ But it confers no authority to distinguish between types of health information to accomplish political ends like protecting access to abortion and gender-transition procedures,” wrote Judge Kacsmaryk.
The overturning of the final rule means HIPAA-regulated entities must revert to their HIPAA compliance programs prior to the final rule being issued. As previously confirmed by the HHS following the overturning of Roe v. Wade, HIPAA permits, but does not require, the disclosure of protected health information related to reproductive health information, including for law enforcement purposes and in response to a subpoena. Under HIPAA, regulated entities are not obliged to provide PHI to support investigations into legal abortions. Regulated entities must, however, ensure that they comply with healthcare privacy laws in the states where they operate.
