Data Privacy,
Data Security,
Healthcare
Ruling: HHS Lacks Authority to Differentiate Types of PHI for Restrictions
A recent ruling from a federal court in Texas has invalidated changes to the HIPAA Privacy Rule that were enacted by the Biden administration in 2024, aimed at protecting reproductive healthcare information from law enforcement access. This decision could ease the path for state authorities seeking information related to abortions and gender-affirming treatments.
The ruling in question followed a lawsuit brought by Dr. Carmen Purl of Dr. Purl’s Fast Care Walk-In Clinic, which provides essential services to vulnerable populations, including children and pregnant women. Dr. Purl argued that the previous HIPAA modifications imposed burdens that conflicted with her legal obligations to report child abuse and participate in public health investigations.
While the Texas court’s decision nullified the 2024 modifications regarding reproductive healthcare privacy protections, it notably retained regulations concerning substance use disorder treatment confidentiality as specified in 42 C.F.R. Part 2. Consequently, organizations must adapt their privacy notices by February 2026 to comply with the remaining provisions.
In a broader context, the modifications introduced by HHS were designed to enhance privacy for individuals seeking legal reproductive healthcare, particularly following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned federal abortion rights. HHS Secretary Xavier Becerra had indicated that these measures sought to mitigate the risks posed by various state-level abortion restrictions.
Judge Matthew Kacsmaryk, who presided over the case, concluded that HHS lacked the authority to differentiate between types of health information for political purposes, stating that HIPAA could not be utilized to shield reproductive health data from the scrutiny of state authorities.
Experts have conveyed that this ruling carries significant implications for privacy laws surrounding reproductive health information. According to privacy attorney Adam Greene, the vacated rules represented a pivotal shift in HIPAA regulations since the modifications established by the HITECH Act. The absence of the 2024 regulations eliminates the requirement for covered entities to manage attestations concerning reproductive health-related protected health information (PHI), effectively reverting to previous compliance practices.
Despite the rollback, regulated entities remain liable under state laws that impose restrictions on the handling of reproductive health information. As Aleksandra Vold, a regulatory attorney, pointed out, the removal of enhanced protections does not equate to unrestricted disclosures of PHI. Organizations must still navigate HIPAA regulations that delineate permissible disclosure conditions, and the considerations surrounding patient safety and legal liabilities persist.
The ruling highlights the delicate balance between patient privacy and regulatory mandates, raising concerns about the potential risks involved in disclosing sensitive health information. Legal expert Iliana Peters warned that organizations may face increased litigation risks pertaining to sensitive disclosures, regardless of HIPAA’s general permissiveness. Organizations will need to carefully evaluate legal obligations concerning third-party information requests moving forward, particularly in an environment marked by heightened scrutiny of reproductive health issues.
HHS is currently facing additional legal challenges regarding its HIPAA modifications, including lawsuits filed by various state attorneys general. It remains to be seen whether these lawsuits will proceed or be impacted by the recent Texas ruling.
