Purl v HHS: Resetting the Reproductive Health Privacy Landscape
Thursday, July 17, 2025

Reproductive health privacy is once again in the legal spotlight with a recent federal district court decision that struck down nearly all of a recent rule under the Health Insurance Portability and Accountability Act (HIPAA) that protected reproductive healthcare-related information privacy.

In a ruling issued on June 18, 2025, in Purl v. Department of Health and Human Services, the District Court for the Northern District of Texas largely vacated the privacy rule adopted in April 2024 to support reproductive health care privacy (the 2024 Rule). This abrogation is effective nationwide, meaning that many HIPAA-regulated entities who had made changes to their privacy policies and procedures as a result of the 2024 Rule are no longer required to adhere to those regulations under HIPAA. The decision raises several considerations, including whether the Department of Health & Human Services (HHS) can ever regulate reproductive health information and how the patchwork of state laws may fill this federal gap.

HIPAA Privacy Rule Background

HIPAA was passed in 1996 to improve the portability and continuity of health insurance coverage and to simplify the administration of health insurance. Congress gave HHS the authority to enforce HIPAA and its regulations.

In 2000, HHS promulgated the HIPAA Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) to enforce standards that protect the privacy of protected health information (PHI). Generally, the Privacy Rule prohibits HIPAA-regulated entities from disclosing an individual’s PHI without authorization unless that disclosure is for a specific permissible purpose.

HIPAA-regulated entities include health care providers, health plans, health care clearinghouses, and business associates. We will refer to organizations affected by the Purl decision as “health care providers” in this post for simplicity’s sake, but keep in mind that the decision affects all HIPAA-regulated entities.

The HIPAA Reproductive Health Privacy Rule

In 2024, HIPAA amended the Privacy Rule to prohibit health care providers from using or disclosing an individual’s PHI related to reproductive health care for certain non-health care purposes. We previously covered the 2024 Rule here.

Under the Rule, these prohibited uses included:

  1. Conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, or facilitating reproductive health care;
  2. Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; and/or
  3. Identifying any person for the above purposes.

The 2024 Rule’s prohibition applied where “the relevant activity [was] in connection with any person seeking, obtaining, providing, or facilitating” reproductive health care and the healthcare provider had reasonably determined that:

  1. The care was lawful under the law of the state in which such health care was provided under the circumstances in which it was provided; or
  2. The care is protected, required, or authorized by federal law, including the United States Constitution, under the circumstances in which the healthcare was provided, regardless of the state in which it was provided.

The 2024 Rule instructed health care providers to presume that the health care was lawful unless they knew or were shown otherwise.

The 2024 Rule also required those seeking disclosure of reproductive health care from a health care provider to provide an attestation containing a description of the type of information requested and a clear statement that the use or disclosure was not for a prohibited purpose. If the health care provider determined that the attestation was false, the provider was to refuse to disclose the requested information pursuant to the 2024 Rule.

The 2024 Rule came on the heels of the U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, 142 S. Ct. 2228 (2022), which effectively overruled Roe v. Wade, 410 U.S. 113 (1973), and held that the U.S. Constitution does not confer a constitutional right to abortion, instead returning the power to regulate abortion to each individual state.

The Purl Decision

The Purl lawsuit was brought by Dr. Purl, a Texas health care provider who owns Dr. Purl’s Fast Care Walk In Clinic. According to the plaintiff, the clinic receives requests from Texas Child Protective Services 10 to 12 times a year when the agency is investigating suspected child abuse. The agency’s requests can sometimes include the request for the unredacted medical record for a suspected child abuse victim. The plaintiff sued HHS because the 2024 Rule allegedly restricted the clinic’s ability to respond to such requests.

The Rule’s Definitions

Dr. Purl challenged several definitions in the 2024 Rule, which sets forth the following definitions:

  • Person – a natural person (meaning a human being who is born alive).
  • Public health – population-level activities to prevent disease in and promote the health of populations, specifically excluding the below activities that are included in HIPAA’s previous definition of public health:
    • Conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating health care;
    • Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care; and
    • Identifying any person for the activities listed above.

Dr. Purl challenged, and the district court agreed, that HHS used its definition of “person” to deny legal status and rights to unborn humans because it did not allow for a child abuse report for suspected abuse of an unborn child.

Regarding the 2024 Rule’s definition of “public health,” the court also held that under an anti-preemption provision of HIPAA, nothing in the Act may be “construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, death, public health surveillance, or public health investigation or intervention.” 42 U.S.C. § 1320d-7(b). Because this HIPAA provision includes a definition of public health that includes criminal, civil, or administrative investigations and liability, the district court held that HHS did not have the authority to create a new, narrower definition of public health.

Dr. Purl further argued that the 2024 Rule limits the clinic’s ability to report suspected child abuse in accordance with Texas state law. In response, HHS asserted that “reporting” is different from “responding to requests for information” and that the 2024 Rule’s prohibitions only apply when a provider responds to requests for information, not when the provider affirmatively reports suspected child abuse. The district court disagreed, looking to the dictionary definition of the term “reporting,” which means “to give a formal or official account or statement of” or “to make known to the proper authorities.” The court concluded that HHS’ “narrow misreading” of the term “reporting” in the 2024 Rule was “myopic” and unsupported.

Limitations on Child Abuse and Public Health Reporting

The Purl court also held that the 2024 Rule imposed at least four impermissible limits on health care providers that violated the HIPAA preemption exception:

  1. Prohibition on child-abuse reporting based solely on lawful reproductive health care information;
  2. Requirement to scrub PHI for reproductive health care information anytime the provider receives a disclosure request;
  3. Determining whether a request for such information use/disclosure is lawful (or presume it is); and
  4. Compliance with the attestation requirement whenever the provider receives a disclosure request.

HHS asserted that these requirements do not bar disclosure, but the district court held that “limits are not the same as prohibitions” and that a limit is ordinarily defined as any restriction or restraint. The district court concluded that the 2024 Rule’s requirements limit health care providers’ ability to comply with state laws related to child abuse reporting and public health in violation of the HIPAA Preemption Exception.

In finding that the 2024 Rule exceeded HHS’ authority and curtailed state rights, the Purl court vacated all but one section, which relates to special protections for substance abuse disorder disclosures.

State Laws Step In

Purl has significant implications for health care providers, most of whom have already revised their HIPAA privacy policies and procedures to comply with the 2024 Rule. However, HIPAA-regulated entities should not hasten to remove all such policies.

In many cases, state laws regarding reproductive health disclosure still apply. For example, Rhode Island, California, and Connecticut each have state laws in effect that cover disclosure of reproductive health care information.

Rhode Island includes gender-affirming health care services or reproductive health care services in its definition of “legally protected [health care] activity.” R.I. Gen. Laws § 23-101-2(8) (2024). Rhode Island law explicitly prohibits compliance with out-of-state subpoenas, warrants, or court orders related to investigations or enforcement of laws asserting criminal or civil liability for legally protected health care activities, which include abortion and other reproductive health care as per the state’s definition of the term.

California law prohibits health care providers, health care service plans, contractors, and employers from releasing medical information related to individuals seeking or obtaining an abortion in response to subpoenas or requests based on another state’s laws that interfere with rights under California’s Reproductive Privacy Act. Cal. Civ. Code § 56.108 (2024).

Connecticut law prohibits the disclosure of patient communications or information related to reproductive health care services, including abortion, by covered entities unless the patient or their authorized legal representative explicitly consents in writing. Conn. Acts No. 95-27 (amending Conn. Gen. Stat. § 52-146w(a) (eff. Oct. 1, 2025)). In June 2025, Connecticut’s governor also signed into law “An Act Concerning Access to Reproductive Health Care,” which codifies under state law the ability of minors to access reproductive care without parental consent.

These state law protections and ongoing developments indicate that, even in the absence of federal regulation, states will continue to regulate reproductive health care privacy. Providers are still liable for compliance with any applicable state laws. Now is the time for health care providers and other HIPAA-regulated entities to reassess their compliance protocols, evaluate applicable state law requirements, and prepare for further regulatory and judicial developments in this space.
