Explained in more detail below, under the recent vacatur of most of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “Reproductive Health Rule”):

  • The broad prohibitions on disclosing protected health information (“PHI”) relating to reproductive health for law enforcement or investigatory purposes are vacated nationally.
  • The attestation requirement that was included as part of the Reproductive Health Rule no longer applies to requests for such information.

Note, however, the more recent U.S. Supreme Court decision in Trump v. CASA, Inc. (S. Ct. 2025) may limit the scope of the Texas District Court’s decision.

What This Means for HIPAA-Covered Entities

  • Providers and plans should:
    • Revisit their policies, notices, and related materials to determine what  changes should be made. They also should be looking at the activities of business associates acting on their behalf (and consider any recent changes to business associate agreements).
    • Audit previous attestation workflows, disclosures, and programming.
    • Communicate any implemented changes.
    • Re-train staff who handle PHI or receive subpoenas to ensure workflows align with and policy revisions.
  • HIPAA’s core Privacy Rule remains unchanged, so protected uses/disclosures (e.g., treatment, payment, health oversight or law enforcement under the usual standards) still apply.
  • Compliance with substance use disorder (“SUD”)-related Notice of Privacy Practices updates, per the CARES Act, must continue.

State Law Dynamics

  • Remember that more stringent protections for health information under state law that conflicts with HIPAA’s Privacy Rule are not preempted by HIPAA.
  • For example, many states have enacted their own enhanced protections, like limits on geofencing or disclosure of reproductive health data.
  • As a result, providers and plans must make sure that their policies comply not only with HIPAA’s Privacy Rule, but with applicable state law requirements.

2024 Reproductive Health Rule

In 2024, HIPAA covered entities, including healthcare providers and health plans, began taking steps to comply with the Department of Health and Human Services 2024 Reproductive Health Rule under the HIPAA Privacy Rule. See our prior articles on these regulations:  New HIPAA Final Rule Imposes Added Protections for Reproductive Health Care Privacy | Workplace Privacy, Data Management & Security Report and HIPAA Final Rule For Reproductive Health Care Privacy with December 23, 2024, Compliance Deadline | Benefits Law Advisor

Fast forward to June 18, 2025, when U.S. District Judge Matthew Kacsmaryk (N.D. Tex.), issued a nationwide injunction in Purl v. HHS, vacating most of the Reproductive Health Rule. Key holdings include:

  • HHS exceeded its statutory authority, overstepped via the “major‑questions doctrine,” and unlawfully redefined terms like “person” and “public health.”
  • The agency impermissibly intruded on state authority to enforce laws, including child abuse reporting.

The essence of the ruling is that it blocks most of the protections in the Reproductive Health Rule, including the attestation requirement. However, unrelated SUD-related Notice of Privacy Practices provisions are not affected and remain in force.

Although the court determined that vacatur is the default remedy for unlawful agency actions challenged under the Administrative Procedures Act, it also noted that the Supreme Court would need to address vacatur and universal injunctions. On June 27, 2025, the Supreme Court did just that in Trump v. CASA, Inc., when it held that universal injunctions likely exceed the equitable authority that Congress gave to federal courts. In Casa, the Court granted the government’s applications for a partial stay of the injunctions at issue, but only to the extent that the injunctions were broader than necessary to provide complete relief to each plaintiff with standing to sue. Stay tuned for further developments on how Casa will impact the nation-wide vacatur discussed in this post.

Tags: attestation, CASA Inc., healthcare providers, nationwide injunction, Notice of Privacy Practices, Privacy Rule, Purl v. HHS, reproductive health
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the…

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Read more about Joseph J. Lazzarotti
Show more Show less
Photo of Melissa Ostrower Melissa Ostrower

Melissa Ostrower is a principal in the New York City, New York, office of Jackson Lewis P.C. and co-leader of the firm’s Employee Benefits practice group. She counsels clients in a broad range of employee benefit matters, including general compliance and administration of…

Melissa Ostrower is a principal in the New York City, New York, office of Jackson Lewis P.C. and co-leader of the firm’s Employee Benefits practice group. She counsels clients in a broad range of employee benefit matters, including general compliance and administration of qualified retirement plans and nonqualified retirement plans.

Melissa assists clients with welfare plan issues involving cafeteria plans, health plans, flexible spending accounts, COBRA and the Affordable Care Act. She regularly speaks on all benefits issues including federal health care reform, fiduciary compliance and executive compensation.

Melissa regularly advises on executive compensation matters, including issues related to compliance with Section 409A, 162(m) and 280G of the Internal Revenue Code.

Melissa represents clients in connection with Internal Revenue Service and the Department of Labor audits and information requests. She also regularly assists clients in fixing plan operational and document errors. Melissa negotiates with benefits providers, volume submitter and prototype vendors, TPAs, insurers and auditors.

Melissa also advises clients in connection with phantom and equity based compensation arrangements.

Read more about Melissa Ostrower
Show more Show less
Related Posts
Health Fitness, OCR's Risk Analysis Initiative, and the ERISA Fiduciary Duty to Select Plan Service Providers
March 24, 2025
Industry Groups Urge Rescission of Proposed HIPAA Security Rule Updates
March 6, 2025
Happy Privacy Day: Emerging Issues in Privacy, Cybersecurity, and AI in the Workplace
January 28, 2025