Keenan Briefings

Briefing

Court Vacates 2024 Reproductive Health Care Rule

On Jun. 18, 2025, the U.S. District Court for the Northern District of Texas vacated (nullified) the majority of the 2024 HIPAA Privacy Rule to Support Reproductive Health Care Privacy. As you may recall, this rule added and clarified definitions, imposed a new attestation requirement for requests of Protected Health Information (PHI) potentially related to reproductive health care, and required covered entities to make changes to their Notice of Privacy Practices.

The only part of the 2024 Privacy Rule that remains in effect pertains to the Notice of Privacy Practices related to substance use disorder patient records, with a compliance deadline of Feb. 16, 2026. Health and Human Services (HHS) is expected to issue a revised model Notice of Privacy Practices before this date, and we will notify our clients with an updated Compliance Alert once it is available.

Sponsors and administrators of HIPAA-regulated entities (including employers sponsoring self-funded/level funded group health plans, FSAs, and most types of HRAs) should revise, if necessary, their HIPAA policies, procedures, and training materials to align with the pre-2024 Privacy Rule requirements. Likewise, employers who updated their HIPAA Notice of Privacy Practices in anticipation of the 2026 deadline should amend them to reflect the court’s decision by only including changes related to substance use disorder records.

The full text of the court's decision in Purl v. United States Department of Health and Human Services can be found here.

Summary of Vacated Provisions

The following is a summary of the NOW VACATED changes required by the 2024 HIPAA Privacy Rule to Support Reproductive Health Care. These rules were invalidated on Jun. 18, 2025, by the U.S. District Court for the Northern District of Texas.

2024 Privacy Rule Overview

Deemed necessary by the Department of Health and Human Services (HHS) following the U.S. Supreme Court's decision in Dobbs v. Jackson Women's Health Organization and its aftermath of state-level abortion laws, the Biden-era HHS issued the 2024 HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “2024 Privacy Rule”). The 2024 Privacy Rule amended the HIPAA privacy rule to afford greater protection to PHI related to reproductive health care, with the goal of maintaining the necessary trust between patient and healthcare provider. The 2024 Privacy Rule also supported President Biden’s Executive Order on protecting access to reproductive health care, which directed HHS to consider additional actions, including under HIPAA, to enhance protection for information related to reproductive health care.

The primary purpose of the 2024 Privacy Rule was to further restrict the use or disclosure of PHI related to reproductive health care. Previously, HIPAA-regulated entities (i.e., covered entities and business associates) were permitted to disclose PHI for certain public policy-related reasons, including law enforcement. The 2024 Privacy Rule further restricted this permission by prohibiting such entities from disclosing PHI related to lawful reproductive health care in certain situations. To support this effort, the 2024 Privacy Rule added and clarified definitions, imposed a new attestation requirement to be used upon receipt of a request for PHI potentially related to reproductive health care, and required covered entities to make changes to their HIPAA Notice of Privacy Practices. While most of the changes have now been nullified, compliance with the changes related to substance use disorder patient records is still required by Feb. 16, 2026.

New Definitions Under the 2024 Privacy Rule (since vacated)

Person

The term “person” is defined by the HIPAA rules as “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.” This definition was clarified under the 2024 Privacy Rule to mean “a natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.” As of Jun. 18, 2025, the previous definition of “person” should now be used.

Reproductive Health Care

A new term, “reproductive health care,” was added as a subset of the term “health care,” to mean health care “that affects the health of the individual in all matters relating to the reproductive system and to its functions and processes.” This definition included, but was not limited to:

• contraception, including emergency contraception;
• preconception screening and counseling;
• management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination;
• fertility and infertility diagnosis and treatment, including assisted reproductive technology (e.g., in vitro fertilization (IVF));
• diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis); and
• other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products).
• As of Jun. 18, 2025, “Reproductive Health Care” no longer has any legal force or effect.

Public Health

A new definition of “public health” added by the 2024 Privacy Rule was in the context of surveillance, investigation, or intervention referred to “population-level activities to prevent disease and promote the health of populations,” and was to be clearly distinguished from a criminal investigation. As of Jun. 18, 2025, the previous definition of “public health” should be used.

New Category of Prohibited Use or Disclosure of PHI (since vacated)

Prohibited Purposes

Under certain conditions described below, HIPAA-regulated entities were prohibited by the 2024 Privacy Rule from using or disclosing PHI for the following purposes:

• To conduct a criminal, civil, or administrative investigation into a person, or to impose civil, criminal, or administrative liability on any person, for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or
• To identify any person for any purpose described above.

The use or disclosure of PHI for one of the above purposes was prohibited under the 2024 Privacy Rule if the HIPAA-regulated entity that received the request for PHI could have reasonably determined that one or more of the following three conditions existed:

• The reproductive health care was lawful under the law of the state in which the care is provided and under the circumstances in which it was provided;
• The reproductive health care was protected, required, or authorized under federal law, including the U.S. Constitution, under the circumstances provided, regardless of the state in which care was provided; or
• The reproductive health care was provided by a person other than the HIPAA-regulated entity that received the request for PHI and the presumption (described below) applies.

The presumption under the 2024 Privacy Rule was that reproductive health care provided by a person other than the HIPAA-regulated entity receiving the request for PHI was lawful unless the HIPAA-regulated entity had actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided; or the HIPAA-regulated entity received factual information from the person making the request for the use or disclosure of PHI that demonstrated a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.

The Attestation

When a HIPAA-regulated entity received a request for PHI potentially related to reproductive health care, the 2024 Privacy Rule stated that the entity was to first obtain a signed attestation from the person requesting the information that the use or disclosure was not for a prohibited purpose. The requirement for an attestation applied when the request for PHI was for any of the following reasons: health oversight activities; judicial and administrative proceedings; law enforcement purposes; and disclosures to coroners and medical examiners.

A valid attestation was to have included a clear statement that the use or disclosure of PHI was not for a prohibited purpose as well as a statement that a person may be subject to criminal penalties for knowingly obtaining or disclosing PHI in violation of the 2024 Privacy Rule. The attestation was to have been written in plain language and could not have been combined with any other document (through other additional supporting documentation).

It would have been a violation of the 2024 Privacy Rule to rely on a defective attestation in the use or disclosure of PHI, for example one that contained an element or statement that was not required by the 2024 Privacy Rule (i.e., that went above and beyond what was required). An attestation would have also been deemed defective if the HIPAA-regulated entity had actual knowledge that material information in the attestation was false, or when a reasonable entity in the same position would not have believed that the attestation was true. In considering whether an attestation was true, the 2024 Privacy Rule required the entity to consider the “totality of the circumstances surrounding the attestation,” including who the requestor was and the permission upon which the requestor relied.

Although HHS had provided a model attestation form that covered entities and business associates were allowed to use when meeting this requirement, it has since been removed from the HHS.gov website.

Effective Date

Until the 2024 Privacy Rule was vacated, compliance with the above amendments to the HIPAA Privacy Rule were required as of Dec. 22, 2024.

Changes to HIPAA Notice of Privacy Practices

The 2024 Privacy Rule also required covered entities to make changes to their HIPAA Notice of Privacy Practices that addressed both the new prohibited purposes of use or disclosure of PHI related to reproductive health care as well as the confidentiality of substance use disorder patient records that were originally addressed in a separate final rule that was released on Feb. 16, 2024 (the Part 2 Final Rule). While the first set of changes have now been nullified, compliance with the changes to the HIPAA Notice of Privacy Practices related to substance use disorder patient records is still required by Feb. 16, 2026. An updated model Notice of Privacy Practices is expected to be released by that time.

Summary

Employers were previously required to revise their HIPAA policies, procedures, and training materials as of Dec. 22, 2024, to account for the new category of prohibited use or disclosure of Protected Health Information. Those changes should now be undone, reverting to the pre-2024 requirements. However unlikely, if the Trump administration appeals and the order is stayed, we will of course send out another Compliance Alert at that time.

Finally, while a small change to HIPAA Notices of Privacy Practices is still required by Feb. 16, 2026, most plan sponsors are choosing to wait until HHS releases its model notice later in 2025 before making their own revisions.

This briefing was written by Tom Seltz, Regulatory Compliance Executive at AssuredPartners. Keenan is a part of the AssuredPartners family of companies.

Keenan is not a law firm and no opinion, suggestion, or recommendation of the firm or its employees shall constitute legal advice. Clients are advised to consult with their own attorney for a determination of their legal rights, responsibilities, and liabilities, including the interpretation of any statute or regulation, or its application to the clients’ business activities.