The HIPAA Reproductive Health Rule Has Been Overturned: Next Steps for Compliance

The HIPAA Reproductive Health Final Rule took effect on December 23, 2024, to strengthen privacy protections for reproductive healthcare information. The rule limited how healthcare providers can use and disclose patient records related to reproductive services.

The rule added new privacy protections for reproductive healthcare records, and it restricted how healthcare providers could use and disclose information related to lawful services like abortion, contraception, and fertility.

On June 18, 2025, a federal court in Texas vacated the rule nationwide. The court ruled that the U.S. Department of Health and Human Services (HHS) lacked the legal authority to impose these additional requirements without prior congressional approval.

As a result, healthcare providers must follow the previous HIPAA standards and evaluate their obligations under state laws, which may continue to restrict disclosures related to reproductive care.

Quick Facts: The HIPAA Reproductive Health Rule Court Ruling

What was the rule? The HIPAA Reproductive Health Final Rule was a 2024 update to the HIPAA Privacy Rule that added protections for information related to lawful reproductive healthcare, including abortion and fertility services.

What did the rule require? Covered entities had to limit certain PHI disclosures, collect signed attestation forms for specific requests, and revise their Notices of Privacy Practices to reflect the new privacy protections.

What changed in June 2025? A federal district court in Texas vacated the rule nationwide, ruling that HHS lacked the authority to impose these additional privacy requirements.

What was struck? The court invalidated all provisions related to reproductive healthcare privacy. This includes the attestation requirement, new disclosure restrictions for law enforcement and oversight purposes, and the mandatory updates to Notices of Privacy Practices.

What was not struck? The ruling does not affect HIPAA’s core Privacy Rule or other updates unrelated to reproductive care. For example, changes involving the use and disclosure of substance use disorder records remain in effect.

What should clinics do now? Organizations should remove attestation workflows, update privacy notices, train staff, and review state-specific obligations with legal counsel.

What Was the HIPAA Reproductive Health Final Rule?

The 2022 Dobbs v. Jackson Women’s Health Organization Supreme Court decision shifted authority over abortion laws to the states. Lawmakers grew concerned about the potential misuse of reproductive care records in legal investigations against patients or providers. 

To respond to these concerns, HHS updated the HIPAA Privacy Rule to create stronger protections around PHI related to reproductive healthcare. HHS finalized these changes in April 2024, and they took effect on December 23, 2024. 

Key Protections Introduced by the Rule

The Final Rule introduced several important privacy safeguards to limit how healthcare providers use and disclose reproductive health information. These included:

• Restrictions on PHI disclosure for non-healthcare purposes. Covered entities and their business associates were prohibited from disclosing PHI related to lawful reproductive healthcare in connection with investigations, lawsuits, or other proceedings intended to impose liability on patients or providers. This protection applied when the care was legal in the state where it occurred.
  
• New attestation requirements. Before disclosing PHI for law enforcement, judicial, administrative, or oversight purposes, requestors had to submit a signed attestation form. This form confirmed that the request was not related to any reproductive care protected by the rule. Covered entities were expected to maintain these attestations and could not fulfill applicable requests without one.
  
• Required updates to Notices of Privacy Practices (NPPs). Providers and health plans were required to revise their NPPs to inform patients about the new privacy protections. This was intended to promote transparency and ensure patients understood their rights when seeking care.
  
• Clarified scope of reproductive healthcare. The rule defined reproductive care broadly, including abortion, contraception, fertility treatments, miscarriage management, and related services or counseling. It also addressed privacy for patients who traveled across state lines to access legal care.

What Happened in June 2025: The Federal Court Ruling

On June 18, 2025, a federal judge in the U.S. District Court for the Northern District of Texas issued a ruling that invalidated the HIPAA Reproductive Health Final Rule. The lawsuit argued that the Department of Health and Human Services (HHS) exceeded its legal authority in creating new privacy protections without congressional approval.

The court agreed with the plaintiffs. In the written opinion, the judge outlined three primary legal issues that led to the decision to block the rule:

• HHS exceeded its statutory authority. The court ruled that HHS introduced privacy protections not authorized by Congress, overstepping the limits of the HIPAA statute. In the court’s view, these decisions represented major policy changes that should have come from lawmakers.
  
• The rule conflicted with state enforcement. Texas and other states argued that the rule blocked investigations under state laws, including those involving abortion and child protection. The court agreed that it interfered with state authority to pursue lawful enforcement actions.
  
• The rule invoked the major questions doctrine. Significant policy changes require approval from Congress under the major questions doctrine. Since this rule significantly changed how medical privacy works, the court decided it exceeded the authority of HHS.

This decision marked a major change in federal privacy law. The reproductive health protections added to HIPAA in 2024 are no longer in effect, and HHS cannot enforce any of the associated requirements unless a higher court overturns the ruling or Congress passes new legislation.

What Changed After the Ruling?

The federal court’s decision to vacate the HIPAA Reproductive Health Final Rule means that HIPAA-covered entities are no longer required to comply with the rule’s specific provisions regarding reproductive health privacy. 

The court’s decision to vacate the HIPAA Reproductive Health Final Rule removed specific provisions regarding reproductive health privacy.

As of June 18, 2025, providers must return to the standard HIPAA Privacy Rule framework that was in place before the Final Rule took effect on December 23, 2024.

This change affects several areas of compliance that organizations may have updated in response to the now-invalidated rule. Key changes include:

• Attestation form requirements. Covered entities no longer need to obtain signed attestation forms from law enforcement, oversight agencies, court officials, or coroners before disclosing protected health information related to reproductive healthcare.
  
• Restrictions on certain PHI disclosures have been removed. The rule had placed limits on how reproductive health information could be disclosed for non-treatment purposes, such as criminal or civil investigations, which are no longer in effect.
  
• Privacy Notices do not require reproductive health updates. If you revised your Notice of Privacy Practices (NPP) to reflect the Final Rule’s protections, those changes are no longer required. Clinics may wish to remove references to reproductive health-specific privacy rights that no longer apply at the federal level.

It is essential to note that this change applies only to federal HIPAA rules. Many states have enacted their own laws governing reproductive health privacy. These laws may include stricter limits on disclosures or expanded rights for patients. In some cases, state law may now provide more robust protections than HIPAA.

Healthcare organizations should work with legal counsel to ensure their practices align with both state and federal requirements moving forward.

Are You in a State with Its Own Reproductive Health Privacy Law?

Although the federal HIPAA reproductive health protections have been vacated, several states have passed laws that offer independent privacy safeguards for reproductive healthcare information. These state laws may impose stricter obligations than HIPAA.

In the absence of the federal Final Rule, state-level protections now play a more important role in shaping how reproductive health data can be accessed, used, and disclosed. 

Examples of state protections include:

• California has enacted laws that prohibit sharing abortion-related health records with out-of-state entities if the care was lawful in California. These laws apply even when other states attempt to enforce conflicting legal standards.
  
• Washington has adopted legislation that expands consumer health privacy rights, including protections for reproductive and gender-affirming care under the My Health My Data Act.
  
• Illinois protects patient access to reproductive healthcare and limits disclosures that law enforcement could use to investigate or prosecute patients who travel from more restrictive states.
  
• New York has passed privacy laws that prevent cooperation with out-of-state investigations involving legal reproductive care performed within New York’s jurisdiction.

These laws vary in scope and enforcement, but they share a common goal: preventing the misuse of medical records in ways that could deter lawful reproductive services.

Healthcare providers should understand that HIPAA establishes a baseline for privacy, which states may supplement with additional protections. When state and federal laws conflict, covered entities are required to follow the law that offers the most protection to the individual.

What Should Clinics and Providers Do Now?

Organizations that updated their compliance protocols in response to the Final Rule should reassess those changes to ensure alignment with current federal standards.

Although the additional privacy protections for reproductive healthcare are no longer enforceable under HIPAA, the Privacy Rule remains in place. Organizations should update policies, documentation, and staff training to reflect current federal standards.

Recommended steps include:

• Review internal policies and procedures. Examine all policies related to the use and disclosure of protected health information (PHI), especially those revised between April and December 2024 to comply with the Final Rule. Remove or revise any language that references the reproductive health-specific requirements that no longer apply.
  
• Revise Notices of Privacy Practices (NPPs). If your NPP includes language explaining the reproductive health protections introduced by the Final Rule, update it to reflect the current federal position.
  
• Provide staff training and clarification. Team members who handle record requests or interact with patients may be uncertain about the status of reproductive health privacy rules. Offer clear guidance on what has changed and reinforce the ongoing obligations under standard HIPAA requirements.
  
• Evaluate state law obligations. Many states have enacted reproductive privacy laws that restrict disclosures or grant patients additional rights, even after the removal of federal protections. Consult legal counsel to identify which state-specific laws apply to your organization and whether additional safeguards are necessary.
  
• Monitor federal developments. HHS may appeal the court’s decision or propose new regulatory actions. Stay informed by following updates from the Office for Civil Rights (OCR), industry associations, or trusted legal advisors. 

Educational Resources for Staff

In a shifting legal environment, access to reliable, up-to-date information is crucial. The following resources can support continued education and help your team respond confidently to changing privacy requirements.

• HHS Office for Civil Rights (OCR) – HIPAA Guidance Hub: Official information on HIPAA standards, enforcement policies, FAQs, and compliance guidance from the federal agency responsible for privacy oversight.
• State Health Department Websites: Many states publish compliance bulletins, FAQs, and training materials on reproductive health protections and medical record access laws. Check your state’s department of health or attorney general’s website regularly for the most relevant updates.
• AHIMA (American Health Information Management Association): Offers professional guidance and best practices for managing protected health information (PHI).

Consider integrating these resources into onboarding programs, annual training refreshers, or staff policy manuals. A centralized reference list can reduce confusion, promote consistency, and empower staff to navigate privacy regulations with confidence.

How ChartRequest Supports Compliance in a Changing Legal Landscape

Privacy laws are evolving quickly, and the reversal of the HIPAA Reproductive Health Privacy Rule shows how quickly federal rules can shift. 

ChartRequest provides a secure release of information solution that supports compliance with both federal requirements and state-specific privacy laws. Key compliance features include:

• End-to-end encryption. ChartRequest encrypts all protected health information during transmission and storage to exceed HIPAA security standards.
  
• Automated audit trails. ChartRequest records and time-stamps every request and disclosure, helping your organization demonstrate compliance during audits or internal reviews.
  
• Role-based access controls. Set permissions based on job roles to ensure appropriate access, oversight, and accountability.
  
• Real-time status tracking. Track the progress of each request from submission to fulfillment to reduce delays and improve transparency for staff and requestors.
  
• Responsive support. Our team provides real-time assistance for both your staff and the patients you serve, helping keep workflows smooth and communication clear.

ChartRequest reduces administrative burden so your staff can focus on patient care, not paperwork. As laws change, we help ensure your release-of-information operations stay secure, efficient, and compliant.

To see how ChartRequest can help your organization stay compliant and reduce administrative burden, schedule a demo today.