United States 
Canada (EN) 
México 
France 
Deutschland 
United Kingdom 
Quick Hits
- The U.S. District Court for the Northern District of Texas recently invalidated an HHS rule that imposed additional limits and conditions on disclosure of a person’s reproductive health information for the purpose of criminal and civil investigations and prosecutions.
- The court ruled that health plans and healthcare providers can disclose a person’s reproductive health information to comply with state reporting mandates.
- The court left intact part of the regulations that implemented notice of privacy practices requirements for Part 2 substance abuse disorder protections.
On June 18, 2025, the U.S. District Court for the Northern District of Texas struck down a 2024 HHS rule that bestowed extra privacy protections on reproductive health information that is personally identifiable. The ruling applies nationwide.
As a result, the modifications to the privacy rule under the federal Health Insurance Portability and Accountability Act (HIPAA) that further limited situations in which health plans and healthcare providers could disclose reproductive health information in the context of criminal or civil prosecutions is no longer in effect.
In Purl v. U.S. Department of Health and Human Services, the court reasoned that the HHS rule is “contrary to law” because it “unlawfully limits” state public health laws. In particular, the court found the HHS rule “impermissibly redefines ‘person’ and ‘public health’ in contravention of federal law and in excess of statutory authority.” Furthermore, the court stated, “HHS regulations cannot preempt a contrary state law with more stringent health-information protection requirements.”
HIPAA states that federal law does not “invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.”
In this case, a healthcare clinic owner in Texas sued, claiming the HHS rule impaired her ability to fulfill a state-mandated obligation to report child abuse to authorities. Many states mandate that certain professions, such as teachers, social workers, and healthcare providers, report to the police when they have reasonable cause to suspect child abuse or child neglect.
Background on the Rule
The HIPAA Privacy Rule to Support Reproductive Health Care Privacy took effect on June 25, 2024, and covered entities were required to comply by December 23, 2024.
That regulation was published after the Supreme Court of the United States decided in 2022, in Dobbs v. Jackson Women’s Health Organization, thatstates could ban abortions. A few states passed laws to permit criminal charges against women for getting an abortion, or against individuals who helped women travel to obtain an abortion. In response, the Biden administration issued an executive order requiring HHS to find methods to protect and expand access to reproductive healthcare services. HHS issued regulations to restrict the disclosure of reproductive health information for certain purposes.
The final rule specifically added “reproductive health care” to the types of medical information protected by HIPAA, if the medical care was lawful where and when it was provided. This term includes abortion, contraception, emergency contraception, pregnancy-related conditions, miscarriage management, and infertility diagnosis and treatment.
The final rule restricted HIPAA-regulated entities when disclosing reproductive health information for the following purposes:
- to conduct a criminal, civil, or administrative investigation;
- to impose criminal, civil, or administrative liability on a person for seeking, obtaining, providing, or facilitating reproductive health care; or
- to identify any person for the purpose of conducting such an investigation or imposing such a liability.
At least sixteen states challenged the final rule in court. They argued the Biden-era rule exceeded HHS’s statutory authority and unlawfully restricted state-mandated reporting obligations, particularly those related to child abuse. The Trump administration revoked the previous executive order but has issued no further guidance. As of the date of publication, HHS has flagged the court’s vacatur of most of the regulations and the retention of the Part 2 provisions related to the notice of privacy practices, and it has stated that it “will determine next steps after a thorough review of the court’s decision.”
Next Steps
HIPAA-regulated entities may wish to review their policies and practices related to disclosing information about reproductive health care, including abortion. Pursuant to Purl v. U.S. Department of Health and Human Services, they will not be held liable for revealing a person’s reproductive health information to cooperate with a criminal or civil investigation.
The court decision upheld one part of the 2024 final rule that required HIPAA-regulated entities to communicate Part 2 requirements, when applicable, to obtain written consent before disclosing any information that identifies an individual as having a substance use disorder. Thus, health plans and healthcare providers are still required to amend their notice of privacy practices by February 16, 2026, to comply with the regulation related to Part 2’s substance use disorder information requirements.
Ogletree Deakins will continue to monitor developments and will provide updates on the Cybersecurity and Privacy, Healthcare, and Employee Benefits and Executive Compensation blogs as new information becomes available.
Jeremy W. Hays is Of Counsel in Ogletree Deakins’ Dallas office.
Stephen A. Riga is counsel in Ogletree Deakins’ Minneapolis and Indianapolis offices.
This article was co-authored by Leah J. Shepherd, who is a writer in Ogletree Deakins’ Washington, D.C., office.
Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts
