June 25, 2025
Key Actions
- Consult with counsel, consultants and/or applicable vendor partners that handle PHI and HIPAA requests regarding any impacts to the health plan’s administrative elements, attestation requirements and associated restrictions that otherwise would have been required under the 2024 HIPAA Privacy Rule.
- Review and potentially update Notice of Privacy Practices (NPP) to address vacated disclosure provisions that relate to the other vacated portions of the 2024 HIPAA Privacy Rule, while maintaining the NPP amendments required under the CARES Act.
- Monitor Business Group communications for further developments, including possible appeals or agency guidance in response to the Purl decision and any revised rulemaking.
On June 18, the U.S. District Court for the Northern District of Texas vacated the majority of the 2024 “HIPAA Privacy Rule to Support Reproductive Health Care Privacy”. (2024 Rule) The decision in Purl v. Department of Health and Human Services (HHS) held that HHS exceeded its statutory authority and violated the Administrative Procedure Act (APA) by attempting to restrict disclosures of protected health information (PHI) for purposes related to investigating or enforcing state laws concerning reproductive health care. While most of the 2024 Rule is now vacated nationwide pending future court proceedings, some provisions still remain in effect.
Background on the 2024 Rule
In April 2024, the Department of Health and Human Services (HHS) finalized the HIPAA Privacy Rule to Support Reproductive Health Care Privacy which amended existing HIPAA Privacy Rules to add protections for reproductive health care information. The 2024 Rule was issued in response to concerns that, following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, individuals seeking or providing reproductive health care, including abortion and other related services, could face legal risk under state laws that prohibit or restrict such care. HHS stated that the threat of investigation or liability could deter patients from seeking lawful care and impact provider willingness to furnish it.
To address these concerns, the 2024 Rule added provisions prohibiting covered entities, including health plans and their business associates, from disclosing protected health information (PHI) for use in investigations or proceedings against individuals involved in the lawful provision or receipt of reproductive health care. Specifically, the 2024 Rule prohibited the use or disclosure of PHI by a regulated entity, including a health plan and/or their business associate if they get certain requests for PHI that would be used for either of the following activities, which are generally referred to as “prohibited purposes”:
- To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- The identification of any person for the purpose of conducting such investigation or imposing such liability.
Prior to disclosing PHI potentially related to reproductive health care, the 2024 Rule also required regulated entities to obtain a signed attestation from the requestor affirming that the request was not for a prohibited purpose.
The 2024 Rule also finalized certain changes to disclosures in the Notices of Privacy Practices (NPP) in two main categories: related to reproductive health information, and separate provisions pertaining to substance use disorder (SUD) directives included in the Coronavirus Aid, Relief and Economic Security (CARES) Act, passed in 2020.
The 2024 Rule, as issued, was effective on June 25, 2024 with staggered compliance deadlines of December 23, 2024 for many substantive administrative and procedural requirements (e.g., the attestation requirement) and February 16, 2026 for NPP provisions.
Shortly after the 2024 Rule was finalized, it was challenged in court by Texas-based provider Dr. Carmen Purl, who argued that the rule unlawfully impeded their ability to comply with state child abuse reporting laws and exceeded HHS’s authority under the HIPAA statute.
The District Court Decision
In granting summary judgment for the plaintiffs, the court concluded that most provisions in the 2024 Rule conflicted with HIPAA’s statutory text and exceeded HHS’ regulatory authority and therefore ought to be vacated nationwide.
The decision noted that HIPAA explicitly protects state public health laws from federal preemption in areas such as disease reporting, child abuse and public health surveillance. Among other points, the court raised issues with the 2024 Rule’s interaction and potential conflict with state actions related to “child abuse” reporting and investigations. In the court’s view the 2024 Rule prohibited or restricted disclosures of reproductive health information in situations where state law may otherwise require or permit disclosure – such as mandatory reporting of child abuse. Thus, the court found that HHS had unlawfully curtailed state authority.
The court also invoked the Supreme Court’s landmark decision in last year’s Loper Bright Enterprises v. Raimondo. In Loper Bright, the Court overruled the long-standing Chevron deference framework and emphasized that courts must exercise independent judgment when interpreting statutes rather than deferring to agency interpretations. The judge in Purl applied that understanding and found that HHS lacked authority from Congress to reshape the privacy framework in the reproductive health context.
While the court vacated the vast majority of the 2024 Rule, it preserved the unrelated changes to HIPAA’s NPP requirements required under the CARES Act addressing confidentiality of SUD records. However, the court did identify and vacate three other NPP disclosure update provisions from the 2024 Rule directly related to the reproductive health privacy framework.
Next Steps for Employer Plans
Employer plans, other covered entities, and business associates will need to review and potentially revise or discontinue implementation of policies and procedures tied to the reproductive health-related elements of the 2024 Rule. These include the administrative elements (e.g. the attestation requirement and limitations on certain PHI disclosures) for which compliance was due on December 23, 2024, and the three specific reproductive health-related NPP provisions, which were set to be enforced on February 16, 2026. Such provisions are vacated and no longer in effect, pending further court proceedings and/or agency action.
However, as mentioned, not all components of the 2024 Rule were struck down. Employers should continue preparing to comply with the revisions to the NPP related to SUD confidentiality under the CARES Act. These preserved NPP provisions appear to remain subject to enforcement on the original compliance deadline of February 16, 2026.
The Business Group will continue monitoring further developments in the case and any potential actions by HHS in response. We will keep members informed of any new litigation, appeals, or revised agency guidance that may affect employer plans’ compliance obligations moving forward.
More Topics
Resource
This content is for members only. Already a member?
Login
Join today to gain access to member-only resources!
Learn More