Texas Court Overturns Abortion Privacy Ruling

A Texas Judge decided that the update on the HIPAA Privacy Rule released by the U.S. Department of Health and Human Services (HHS) in 2024 concerning reproductive health care privacy was illegal and annulled the rule.

April 26, 2024, was the date of the registry of the final rule on the HIPAA Privacy Rule Supporting Reproductive Health Care Privacy in the Federal Register. The final rule became effective on June 25, 2024, and requires all covered entities to comply with its terms by December 23, 2024, except for the notice involving privacy practices requirements.

Before allowing the legal disclosure of PHI linked to reproductive healthcare, the asking entity must give a written document stating that the PHI is not being requested for a prohibited reason. As per the final rule, a covered entity should presume that reproductive healthcare was legally given, except if it had actual information or a considerable factual reason to think that the reproductive medical care wasn’t given legally.

The legitimacy of the final rule was questioned in the case of Texas-Purl v. United States Department of Health and Human Services. On June 18, 2025, the U.S. District Court for the Northern District of Texas released an order cancelling the HIPAA Privacy Rule to strengthen Reproductive Health Care Privacy as authorized by the Administrative Procedure Act (APA). With the APA, states are allowed to overturn the decisions of government agencies when they are found to be above statutory jurisdiction, authority, or restrictions, or lacking statutory right. In these instances, the courts are authorized to put aside agency decisions that are not lawful.

The Purl v. United States Department of Health and Human Services lawsuits’ plaintiffs Dr. Carmen Purl with her medical clinic, contended that the HHS went beyond its statutory authority by publishing the final rule, which illegally limits state-ordered reporting responsibilities, particularly regarding child abuse investigations. The Texas District Court decided in support of the plaintiffs, stating that the final rule illegally restricts state public health regulations, impermissibly redefined an individual and public health, violating Federal law and going beyond its statutory power, and the rule was followed without authority specifically assigned by Congress.

Therefore, United States District Court Judge Matthew J. Kacsmaryk annulled the final rule, but he permitted the part associated with 45 C.F.R. 164.520 (notice of privacy practices) regarding substance use disorder data to stay as is. HIPAA grants authority to enforce regulations securing ‘individually identifiable health information.’ However, it confers no authority to differentiate between types of medical data to achieve political ends such as safeguarding access to abortion and gender-transition operations.

The repeal of the final rule means HIPAA-covered entities need to go back to their HIPAA compliance programs before the issuance of the final rule. As earlier affirmed by the HHS after the repeal of Roe v. Wade, HIPAA allows, but doesn’t require, the disclosure of PHI associated with reproductive health data, such as for law enforcement reasons and in reply to a subpoena. HIPAA-covered entities are not required to provide PHI to help with investigations into lawful abortions. Covered entities should, however, make sure that they are compliant with healthcare privacy regulations in the states their organizations operate.