The decision vacating the Reproductive Health Privacy Rule (the Order) was issued in a case brought by a Texas physician and her practice challenging the Reproductive Health Privacy Rule on the grounds that it unlawfully limited mandatory child abuse reporting, impermissibly redefined key statutory terms such as “person” and “public health,” and exceeded HHS’s statutory authority by using HIPAA to impose special rules for reproductive health care information. Purl v. United States HHS, No. 2:24-CV-228-Z, 2025 U.S. Dist. LEXIS 116234 (N.D. Tex. June 18, 2025).

Plaintiffs sued HHS’s Office for Civil Rights (OCR), the agency that enforces HIPAA, and their respective leaders. During the pendency of the litigation, the administration transitioned and the leadership of HHS and OCR changed. As a result, Defendants’ positions on the merits shifted. Though Defendants filed their own motion for summary judgment in 2024 under the Biden administration’s leadership, HHS’s OCR under the Trump administration did not respond to the merits of Plaintiffs’ motion for summary judgment.

Plaintiffs have standing

As a threshold matter, the court first addressed Defendants’ arguments that Plaintiffs lacked standing to challenge the Reproductive Health Privacy Rule. The case was originally filed in October 2024, before the Reproductive Health Privacy Rule took effect. Plaintiffs argued they would be irreparably harmed by the requirements of the Reproductive Health Privacy Rule if it were to take effect. Specifically, Plaintiffs alleged:

• The Reproductive Health Privacy Rule imposes obligations and prohibitions that interfere with Plaintiffs’ ability to comply with state laws requiring reporting of abuse, neglect, or exploitation of children and vulnerable adults. Violating the Reproductive Health Privacy Rule could subject them to penalties and criminal consequences, and they also face consequences for, e.g., failing to report child abuse.
• The Reproductive Health Privacy Rule would require Plaintiffs to expend time and resources developing new policies and procedures, revising training programs for staff, updating notices of patient privacy, and obtaining legal services, all of which they claim are expensive and unavoidable.
• Plaintiffs feel they are subject to uncertain legal risk because the Reproductive Health Privacy Rule requires them to make legal judgments about whether specific instances of reproductive health care were “lawful” and risk exposure if they guess wrong.
• The Reproductive Health Privacy Rule allegedly interferes with Plaintiff Dr. Carmen Purl’s practice of medicine because it interferes with her ability to report suspected child abuse, including cases involving unborn children, minors receiving gender affirming care, or patients pressured into abortions.
• The Reproductive Health Privacy Rule conflicts with Plaintiff Dr. Carmen Purl’s ethical and medical beliefs, particularly regarding “elective abortion” and “gender transition interventions.”

The court held that Plaintiffs have standing for several reasons. First, the court found that Plaintiffs are “objects of the [Reproductive Health Privacy Rule],” which both “requires and forbids actions by Plaintiffs.” Purl, 2025 U.S. Dist. LEXIS 116234, at *22. Moreover, when a plaintiff is “subject to regulations that are contrary to law,” then that is “a concrete injury sufficient to give them standing.” Id. at *18 (quoting Tex. Med. Ass’n v. U.S. Dep’t of Health & Hum. Servs., 110 F.4th 762, 773 (5th Cir. 2024)). Second, the court found Plaintiffs demonstrated standing because they identified concrete financial harm in the form of increased costs to comply with the Reproductive Health Privacy Rule. The court noted that even small financial burdens can establish an injury sufficient to confer standing.

The Reproductive Health Privacy Rule is contrary to law

The court found that HHS made three primary mistakes when promulgating the Reproductive Health Privacy Rule.

First, the court found that the Reproductive Health Privacy Rule is contrary to law because it improperly limits state laws requiring the reporting of child abuse or neglect. Defendants argued that no such limitation existed because 1) the HIPAA Privacy Rule permits child abuse reports, and the Reproductive Health Privacy Rule amends that permission in no way, distinguishing “reporting” from “requests for information” and arguing that “reporting” only contemplates affirmative child abuse reports, and 2) the Reproductive Health Privacy Rule only applies when a covered entity responds to a request for information rather than affirmatively discloses protected information.

Nonetheless, the court concluded that the Reproductive Health Privacy Rule “can be ‘construed to invalidate or limit the authority, power, or procedures’ of laws that protect child abuse reporting, or ‘public health investigation or intervention.’” Purl, 2025 U.S. Dist. LEXIS 116234, at *54–55 (citing 42 U.S.C. § 1320d-7(b)). The court went on to note that Congress ordered “[n]othing [emphasis added]. . . shall be construed” to do just that, and concluded that the Reproductive Health Privacy Rule does so in several ways.

First, it prohibits reporting child abuse if such a report would be based solely on lawful [reproductive health care, or “RHC”], and it prohibits States from ever considering reproductive health alone as abuse or part of a public health investigation. Second, the 2024 Rule requires covered entities to scrub PHI [protected health information] whenever they receive a lawful PHI request, to determine whether it contains any “health care” information “relating to the reproductive system and to its functions and processes.” 89 Fed. Reg. at 33063. Third, covered entities must scrutinize confusing abortion and gender-identity jurisprudence, legislation, and regulations to decipher whether the RHC was lawful. And finally, covered entities must flawlessly enforce an intricate attestation requirement whenever they receive a request to disclose PHI – no matter the requester’s motivation.

Id. at *55.

Second, Judge Kacsmaryk found that the Reproductive Health Privacy Rule impermissibly redefines “person” and “public health,” in contravention of federal law and “in excess of statutory authority.” Id. at *56–61.

Specifically, Judge Kacsmaryk concluded that the Reproductive Health Privacy Rule’s definition of “person,” which “facially excludes unborn humans and explicitly bars doctors and covered entities from acting on behalf of unborn patients,” “conflicts with the Dictionary Act’s prohibition that it ‘shall [not] be construed to affirm, deny, expand, or contract any legal status or legal right applicable to any [human] at any point prior to being ‘born alive.’” Id. at *57–58(citing 1 U.S.C. § 8(c)). Under the Reproductive Health Privacy Rule, Judge Kacsmaryk reasoned, “[c]overed entities cannot disclose PHI to report child abuse or neglect of unborn children – no matter their legal status. But States routinely confer ‘legal status’ on unborn children as it relates to child abuse.” Id. at *60.

Judge Kacsmaryk also found the Reproductive Health Privacy Rule’s definition of “public health” impermissibly redefined the term in an attempt to expand the preemptive effect of HIPAA, and in doing so, exceeded the authority delegated to HHS by Congress. Id. at *62–70.

Third, under the “major questions doctrine,” the court held that the Reproductive Health Privacy Rule arrogates to HHS authority not expressly delegated by Congress. The court found that the Reproductive Health Privacy Rule triggers the major questions doctrine because it regulates an area of “great political significance” since “matters involving [reproductive health care], particularly abortion and gender-transition operations, are quintessential matters of great political significance.” Purl, 2025 U.S. Dist. LEXIS 116234, at *76. The court further reasoned that the Reproductive Health Privacy Rule triggers the major questions doctrine for the independent reason that it “intrudes into an area that is the particular domain of state law” because “Dobbs left no doubt: the regulatory realm of abortion lies no more with unrepresentative courts or agencies – it lies with the people.” Id. at *79 (citations omitted). Because HHS could not point to a “clear congressional authorization” to treat reproductive health care information (or, as the court refers to it, “politically favored medical procedures”) differently than other PHI, the court held HHS lacked the authority to issue the Reproductive Health Privacy Rule. Id. at *83–84.

The court leaves no doubt that its ruling vacates the Reproductive Health Privacy Rule. Judge Kacsmaryk explains that in the Fifth Circuit, vacatur is the default remedy for unlawful agency action, and that vacatur has “nationwide effect, is not party-restricted, and affects persons in all judicial districts equally.” Id. at *88 (citing Braidwood Mgmt., Inc. v. Becerra, 104 F.4th 930, 951 (5th Cir. 2024)).

HIPAA compliance – now what?

In the wake of the Order, HIPAA-covered entities and their business associates will need to revisit measures taken to comply with the Reproductive Health Privacy Rule. Businesses should review policies and procedures and update them as necessary to reflect the current regulatory landscape. Relevant policies and procedures may include those related to requests for PHI in connection with judicial and administrative proceedings or health oversight purposes and disclosures to law enforcement officials. Training programs for workforce members may need to be revised to account for related operational changes.

Regulated entities may also need to review and update business associate agreements (BAAs). While the Reproductive Health Privacy Rule did not expressly require updates to BAAs, some HIPAA-regulated entities revised or amended agreements to address specific requirements related to reproductive health information. These BAAs may need to be revised yet again in light of the current state of the HIPAA Privacy Rule.

Additionally, the Reproductive Health Privacy Rule required covered entities to revise their notices of privacy practices (NPPs) provided to patients and health plan members and posted on covered entities’ websites as of February 16, 2026. The required changes included new provisions addressing 1) the special protections afforded to reproductive health care information by the Reproductive Health Privacy Rule, and 2) the confidentiality of substance use disorder patient records set forth outside of HIPAA at 45 C.F.R. Part 2 (Part 2). Covered entities that have already updated their NPPs may need to update them again to reflect current HIPAA requirements. The requirements for NPPs specific to the Part 2 regulations are not impacted by the Order.

Importantly, while not explicit, the HIPAA Privacy Rule still provides protection for PHI related to reproductive health care. As we noted in an earlier blog post, OCR entered into its first settlement against a health care provider centered around, and specific to, an impermissible disclosure of an individual’s reproductive health information under the HIPAA Privacy Rule in December 2024, prior to the effective date of the Reproductive Health Privacy Rule. The settlement demonstrates that OCR considers reproductive health information highly sensitive and will take enforcement action accordingly under the HIPAA Privacy Rule as it currently stands.

Next steps

To ensure their operations align with current HIPAA requirements, HIPAA-covered entities and business associates should:

• Review policies and procedures and update them as necessary to align with the HIPAA Privacy Rule, as currently enforceable.
• Revise training programs to address operational changes.
• Review and update business associate agreements as necessary.
• Consider whether and when to update NPPs (covered entities only).

In-depth 2025-163