
Texas court vacates HIPAA reproductive health privacy rule
A Texas U.S. district judge struck down the 2024 modifications to the HIPAA Privacy Rule that aimed to strengthen protections for reproductive healthcare data.
A Texas federal judge has vacated the HIPAA reproductive health privacy rule, deeming it unlawful. The 2024 final rule amended the HIPAA Privacy Rule to strengthen protections for reproductive healthcare data and safeguard individuals seeking lawful reproductive care from law enforcement investigations.
HIPAA-covered entities no longer have to fulfill compliance obligations related to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, with the exception of select amendments within the rule regarding substance use disorder treatment data that were preserved.
In his ruling, Texas U.S. District Judge Matthew Kacsmaryk wrote that "HIPAA confers authority to promulgate regulations protecting 'individually identifiable health information.'"
"But it confers no authority to distinguish between types of health information to accomplish political ends like protecting access to abortion and gender-transition procedures. Thus, HHS lacks the authority to issue regulations that enact heightened protections for information about politically favored procedures."
Background
In April 2024, the Biden administration issued the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, nearly two years after the U.S. Supreme Court overturned Roe v. Wade, ending the federal constitutional right to abortion.
Effective June 2024, the rule prohibited the use or disclosure of protected health information (PHI) when it is sought for the purposes of imposing criminal, civil or administrative liability on an individual who is obtaining or providing legal reproductive healthcare.
The rule also required covered entities to obtain a signed attestation that requests for PHI related to reproductive healthcare are not for the prohibited purposes. What's more, covered entities were also required to modify their notice of privacy practices to account for reproductive healthcare data privacy.
"Many Americans are scared their private medical information will be shared, misused and disclosed without permission. This has a chilling effect on women visiting a doctor, picking up a prescription from a pharmacy or taking other necessary actions to support their health," former HHS Secretary Xavier Becerra said in an April 2024 press release announcing the final rule.
HHS' final rule was met with numerous legal challenges, including a lawsuit against HHS from Texas Attorney General Ken Paxton, alleging that the rule unlawfully prevents states from using their investigative authority.
But the decision to ultimately vacate the rule stemmed from a lawsuit filed in 2024 by Carmen Purl, M.D., owner of Dr. Purl's Fast Care Walk-In Clinic in Dumas, Texas. According to the filing, Purl often treats children and pregnant women and has treated "hundreds" of child-abuse victims. As such, Purl's office responds to requests for PHI from Texas Child Protective Services "approximately 10–12 times per year."
Purl and her clinic sued to declare the rule "arbitrary and capricious" and "in excess of statutory authority" in violation of the Administrative Procedure Act, which governs the process by which federal agencies issue regulations.
"Dr. Purl argues the 2024 Rule will impair her and her employees' state-mandated obligation to report 'child abuse' or participate in public health investigations," court documents stated.
Understanding the Texas judge's ruling
Kacsmaryk vacated the 2024 final rule and cited his legal justification for the ruling.
"The HHS errors are threefold. First, the HIPAA Privacy Rule to Support Reproductive Health Care Privacy is 'contrary to law' because it unlawfully 'limits' state public health laws," Kacsmaryk wrote.
"Second, the 2024 Rule impermissibly redefines 'person' and 'public health,' in contravention of Federal law and 'in excess of statutory authority.' Third, under the 'major-questions doctrine,' the 2024 Rule arrogates to HHS authority not expressly delegated by Congress."
Kacsmaryk asserted that HIPAA gives HHS no authority to issue regulations that provide special protections for certain procedures, and that HIPAA cannot preempt any state laws that enact more stringent protections.
"But until the people speak through their representatives, agencies must fall silent on issues of abortion or other matters of great political significance," Kacsmaryk's ruling stated. "Thus, HHS lacked the authority to promulgate the 2024 Rule."
The only aspects of the rule that remain are amendments to 45 CFR Part 2, which require updates to the notice of privacy practices for Part 2 records maintained by a covered entity. The compliance deadline for this aspect of the rule is Feb. 16, 2026.
Implications for HIPAA-covered entities
Given that the HIPAA Privacy Rule to Support Reproductive Health Care Privacy went into effect in June 2024, with a compliance deadline in December 2024, many HIPAA-covered entities have already put effort into complying with this rule.
Covered entities have expended resources to revise policies, provide training and modify health information management processes, Beth Pitman, partner at Holland & Knight, said in an email interview with Healthtech Security.
"The requirement to obtain an attestation prior to responding to such requests was considered by many covered entities to be one of the most burdensome aspects of the rule. The elimination of this requirement will likely be a welcome reduction in administrative burden," Pitman noted.
"However, covered entities and business associates are still required to scrutinize requests for records, including through subpoenas, for compliance with HIPAA's privacy rule and state privacy laws."
The judge's order to vacate the final rule applies nationwide, though Pitman noted that it is still unknown whether HHS will appeal the order or whether it will face other challenges.
Pitman noted that healthcare providers should continue to monitor compliance with other data privacy and information sharing regulations, such as the Cures Act Information Blocking provisions. What's more, covered entities should review their business associate agreements to ensure that contracts account for current law.
"Covered entities and business associates should pay attention to state laws that provide additional protections for reproductive health information," Pitman added. "This includes state laws with specific privacy regulations restricting collection and use of geolocation data, such as California, Washington, Connecticut, New York and Nevada."
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.