In a June 2025 decision in Purl v. United States Department of Health and Human Services, the United States District Court for the Northern District of Texas vacated the 2024 HIPAA reproductive health rule (the “Reproductive Health Rule”), which the US Department of Health and Human Services (HHS) issued to limit how reproductive health care information could be disclosed by HIPAA regulated entities (e.g., Covered Entities and business associates), as we wrote about here.

Now, HHS has let the August 18, 2025 appeal deadline pass without challenging the Purl decision, yet its website still says that it “will determine next steps after a thorough review of the court’s decision.”

HHS’s decision not to appeal Purl, however, does not relieve HIPAA regulated entities from their obligations to protect reproductive health care information, rather it challenges HIPAA regulated entities to ensure that their existing HIPAA policies and procedures adequately protect sensitive PHI, like reproductive health care information, now that the protections that were in the HIPAA Reproductive Health Rule are now defunct. 

Privacy Obligations for Reproductive Health Information Live On, Even after Purl

In the wake of the U.S. Supreme Court's decision in Dobbs v. Jackson Women's Health Organization, many employers enhanced the health benefits they were offering and expanded the benefits related to reproductive health care, even offering other benefits (e.g., travel benefits). The more robust the benefits became; the more employees used those benefits. This led to increased generation and gathering of information about reproductive health care for which GHPs were responsible, prompting many employers to realize that there could be a “treasure trove” of sensitive information that needed protection. 

Many employers took steps to update their HIPAA policies and procedures by revising plan documents, adopting attestation forms, modifying business associate agreements, adding a “protecting reproductive health care information” slide to training materials, and/or working with insurers and third-party administrators to develop procedures for determining when disclosures could or should be made and how to obtain attestations for disclosures.

Employers that have taken some or all of these steps should not consider them to have been made in vain. While the Purl court found that HHS overstepped its rule-making authority, the case can be credited with shining a bright light on the flexibility of HIPAA, even without the Reproductive Health Rule, for regulated entities to implement protections by keeping a careful inventory of PHI, defining categories of sensitive health information, and designing processes and procedures for disclosures, rather than treating all PHI the same.

Additionally, some states have enhanced protections for this specific category of sensitive health information that may fill the gap.