On June 18, 2025, the United States District Court for the Northern District of Texas vacated most of the rules designed to enhance reproductive healthcare privacy promulgated by the U.S. Department of Health and Human Services (HHS) in 2024. More specifically, the court ruled in Purl v. United States Department of Health and Human Services et al, No. 2:2024cv00228 (N.D. Tex. 2025) (the Decision) that the “Health Insurance Portability and Accountability Act Privacy Rule to Support Reproductive Health Care Privacy” (the “2024 HIPAA Rule”) is contrary to law because it unlawfully limits state public health laws; impermissibly redefines certain terms in contravention of federal law and in excess of statutory authority; and exceeds HHS’s authority. Regulations promulgated under HIPAA prior to the 2024 HIPAA Rule remain unchanged.

The Texas court’s ruling effectively nullifies the enhanced privacy protections for protected health information (PHI) related to reproductive healthcare under the 2024 HIPAA Rule, which HHS considered to be part of its statutory mandate to promulgate, administer, and enforce the Privacy Rule. The Texas court’s ruling is effective nationwide, leaving intact only the non-reproductive healthcare-related amendments of the Rule. An appeal of the Decision by HHS is possible but unlikely under the new administration.

Case Background and History

In 2024 HHS amended certain parts of the HIPAA Privacy Rule to counteract potential effects of Dobbs v. Jackson Women Health Organization, which HHS considered would “enabl[e] states to significantly restrict access to abortion.” 89 Fed. Reg. at 32,987.

HIPAA generally protects the privacy of individuals by limiting covered entities’ and their business associates’ disclosure of PHI to certain permitted purposes. For example, the HIPAA Privacy Rule permits HIPAA covered entities to use and disclose PHI to the government in certain contexts without a patient’s approval, such as: for law enforcement purposes, in response to court orders, and for agencies’ oversight activities like civil, administrative, or criminal investigations. Moreover, permitted disclosures under HIPAA may be required under the 21st Century Cures Act information blocking prohibitions for providers, certified health IT developers, and health information networks and health information exchanges, unless otherwise prohibited by law or an exception applies.

The 2024 HIPAA Rule amended the existing HIPAA Privacy Rule to prohibit covered entities from using or disclosing PHI for the purpose of identifying, investigating, or imposing liability, including criminal liability, on persons involved in reproductive healthcare for “the mere act of seeking, obtaining, or facilitating reproductive health care.” The 2024 HIPAA Rule also defined “reproductive health care” and imposed several other obligations on covered entities, such as obtaining pre-disclosure attestations in certain circumstances from persons requesting the PHI to ensure that it would not be used for the newly prohibited purposes.

Case Background

Dr. Carmen Purl, a physician, and her clinic, filed a lawsuit against HHS in 2024, seeking declaratory and injunctive relief against the enforcement of the 2024 HIPAA Rule. In her complaint, Dr. Purl asserted that the 2024 HIPAA Rule impeded her ability to make state-mandated reports of child abuse, including cases involving unborn children when they are victims of crime or abuse, and other mandated disclosures under the Texas laws. She also alleged that the 2024 HIPAA Rule would prevent her from reporting information about a patient being pressured to undergo an abortion.

Court’s Decision and Reasoning

The Texas court in Purl found that the HHS’s 2024 HIPAA Rule was unlawful under the Administrative Procedure Act in three key ways:

1. The 2024 HIPAA Rule is "Contrary to Law.” The court found that the 2024 Rule violated HIPAA, which specifically states that nothing in the statute should be construed to invalidate or limit any law that requires reporting of child abuse. For example, the court reasoned that the 2024 Rule impeded child-abuse reports that are based solely on lawful reproductive healthcare.
2. The 2024 HIPAA Rule Unlawfully Redefines Statutory Terms. The court found that the 2024 HIPAA Rule unlawfully redefined statutory terms. For example, the court reasoned that while the Rule’s definition of “person,” which excludes unborn human beings, is consistent with the definition in the Dictionary Act, it nevertheless violated the Act, since the Dictionary Act prohibits using the Act’s definition to deny any legal status or legal right applicable to anyone prior to being born alive. Additionally, the court reasoned that the new definition of “public health” improperly restricts states’ authority to define child abuse, as Congress did not delegate the authority to HHS to redefine this term.
3. HHS Lacks Authority. The court reasoned that the 2024 HIPAA Rule triggered the Major Questions Doctrine, which mandates courts to evaluate whether Congress clearly conferred the authority to the agency that issues a regulation of “vast economic and political significance.” Finding that the abortion and gender-identity procedures are matters of significant political and social importance, the court concluded that HHS failed to demonstrate that it had clear congressional authority under HIPAA to implement heightened protections on certain types of PHI to accomplish political ends.

The court left intact, however, certain new Notice of Privacy Practice requirements relating to substance use disorder regulations under 42 CFR Part 2.

Key Takeaways and Possible Next Steps

1. Vacatur of the 2024 HIPAA Rule & HHS’s Potential Response: The court vacated the provisions of the 2024 HIPAA Rule that imposed additional restrictions on use of disclosure of PHI that relate to reproductive healthcare, explicitly stating that the vacatur has a nationwide effect. The U.S. Supreme Court’s June 27, 2025, decision in Trump v. Casa, Inc., 606 U.S. __ (2025), which put limits on federal district courts’ power to issue a nationwide injunctions, likely does not immediately impact the Decision, as the Supreme Court clarified in Casa that Casa does not “resolve[ ] the distinct question whether the Administrative Procedure Act authorizes federal courts to vacate federal agency action.” Given the current administration’s public support for Dobbs that prompted the 2024 HIPAA Rule, HHS is unlikely to appeal this decision.
2. Next steps for HIPAA-regulated entities: Regulated entities should review and revise their policies and practices to ensure compliance with the reinstated HIPAA standards by determining whether they can disclose PHI in response to an administrative subpoena without considering the reproductive healthcare-related prohibitions in the 2024 HIPAA Rule that have been vacated. Regulated entities should also closely monitor any state law requirements that could prohibit or impose additional reporting obligations relating to reproductive health. Lastly, regulated entities should assess applicability and ensure compliance with the parts of 2024 HIPAA Rule that the court left intact, which includes updating the Notice of Privacy Practices by the February 16, 2026, deadline.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. If you have any questions or need assistance with HIPAA compliance, please do not hesitate to contact Jodi Daniel, Tracy Shapiro, Lidia Niecko-Najjum, Hale Melnick, Yeji Kim, or any other member of our Data, Privacy, and Cybersecurity practice.