HIPAA reproductive health rule invalidated

A federal judge in Texas has invalidated the 2024 HIPAA Reproductive Health modifications to the Privacy Rule. The decision is immediate and applies nationwide.

Background on HIPAA Reproductive Health

In 2022, the Supreme Court decided Dobbs v. Jackson Women’s Health Organization, which removed the federal right to abortion. States promptly began to restrict reproductive health care and, in some cases, criminalize it. Individuals wishing to terminate a pregnancy began to travel to other states with more permissive reproductive health laws to receive care that was lawful.

The newer restrictive state laws sometimes reached beyond abortion, and began to curtail other kinds of routine reproductive health care, causing fear and confusion among patients, their families, and healthcare providers.

HHS, concerned that states with strict reproductive health laws would prosecute state residents for receiving lawful care in another state, or for helping an individual to receive care in another state, developed the HIPAA Reproductive Health Rule to strengthen privacy protections for all reproductive healthcare information.

The Privacy Rule modifications were developed to prevent authorities from accessing protected health information (PHI) related to reproductive health services that are not legal in one state, but are legal in another.

On June 18, 2025, Judge Matthew Kacsmaryk ruled the HIPAA Reproductive Health Rule unlawful.

The judge stated that while HIPAA allows HHS to protect identifiable health information, it does not permit the agency to create special rules for certain types of care, such as abortion. He argued that such protections amount to political decision-making, which falls outside HHS’s authority.

Courts Can Overturn Federal Laws

The court’s power to vacate the HIPAA Reproductive Health Rule comes from the Administrative Procedure Act (APA), which governs judicial review of federal agency actions that, in the opinion of the court, are unlawful because they exceed the authority Congress granted to the agency.

The modifications struck down by the judge’s opinion were designed to prohibit disclosures of reproductive health information to support law enforcement investigations into legal procedures and care.

Key provisions included:

  • Prohibiting use or sharing of reproductive health data if the goal was to investigate or punish someone for receiving or providing lawful care.
  • Requiring providers to get written confirmation (an attestation) that any request for such information wasn’t for those prohibited purposes.
  • Requiring updates to notices of privacy practices to reflect these new protections.

Legal Challenges

Several challenges were mounted against the HIPAA Reproductive Health Rule soon after it became final. Texas Attorney General Ken Paxton even seeks to invalidate the entire HIPAA Privacy Rule, in effect since 2003. That lawsuit is pending in federal court in Lubbock. HHS is opposing Paxton’s lawsuit.

Judge Kacsmaryk’s order stemmed from a lawsuit filed by Dr. Carmen Purl, a Texas physician who said the rule could interfere with her legal duties to report child abuse. Dr. Purl regularly provided information concerning pediatric patients to Texas Child Protective Services and she argued that the rule would inhibit her practice.

Judge Kacsmaryk concluded HHS overstepped its bounds and cited three main legal issues:

  1. The rule unlawfully restricted state public health laws.
  2. It redefined terms like “person” and “public health” in ways that exceeded federal authority.
  3. It addressed politically charged issues (like abortion) without clear congressional approval—a violation of the “major questions doctrine.”

HIPAA Regulated Entities Look Ahead

HIPAA regulated entities (covered entities and business associates) must follow state laws regarding reproductive health. However, they may no longer follow the reproductive health modifications to the Privacy Rule and must modify their procedures accordingly.

Notably, in the absence of the HIPAA Reproductive Health Rule, many states are increasing health privacy protections for their residents.

It’s important to review contracts with business associates and stay informed about other privacy regulations, including state laws that may offer additional protections, especially those in California, Washington, Connecticut, New York, and Nevada.

For now, healthcare organizations should stay alert for updates.
