HIPAA Final Rules and Reproductive Data Privacy

Last year, a rare update to the Health Insurance Portability and Accountability Act (HIPAA) was enacted under Final Rule 2024. [1] The 2024 Rule aimed to update provisions for what health information can be used in various types of investigations by law enforcement. [2] Texas and other states decided to contest the legality of the HIPAA Rules, filing in September of 2024 a suit against the Department of Health and Human Services. [3] This case and others have become the center of the legal battleground of state rights over abortion. This case is one of many concerned with the state’s ability to prosecute and access information from people seeking care in both their own and other states. These rules define what protected data is, and by whom and for what purpose this information can be accessed. 

The preceding update to the 2024 Privacy Rule was in 2004, when guidelines for Protected Health Information were established. [4] Protected Health Information refers to what information is protected under law and how it can be released from organizations that are subject to HIPAA regulations. [5] This Privacy Rule is meant to protect sensitive health information of individuals while also allowing this information to be held and used by the proper organizations. [6] Covered entities that are subject to HIPAA regulations include health plans, healthcare providers, and business associates who perform certain tasks on behalf of covered entities. [7]

The specific provisions of the 2024 Final Rule strengthen privacy regulations by prohibiting the disclosure of protected health information by a covered entity to conduct a criminal, civil, or administrative investigation related to reproductive health care or identifying an individual with the intention to conduct an investigation. [8] However, covered entities are still able to disclose protected health information to defend themselves in an investigation or proceeding. [9] A party requesting such information must obtain a signed attestation that the disclosure of information is not for a purpose barred in the 2024 Final Rule, and holds those releasing the information liable if released for an unlawful purpose or through unlawful means. [10] These attestations are required when the request is for the following purposes: health oversight activities, judicial and administrative proceedings, law enforcement purposes, and coroners and medical examiners. [11]

Texas v. HHS alleged that the 2000 and 2024 Privacy Rules interfered with the state’s powers. [12] The case specifically brings up questions of the agency’s authority under HIPAA and states’ rights. [13] In the complaint, Texas raises its arguments for how the Privacy Rules violate HIPAA’s preserved State investigative authority, and reduce the scope of Texas’s investigative abilities with entities citing the Rule when refusing to disclose protected information. [14] Texas sued under the Administrative Procedure Act, alleging these Rules violate it on the basis of being “arbitrary and capricious,” a standard established in FCC v. Prometheus Radio Project, which requires an agency action to be reasonable and explained. [15] Texas is relying on the main argument that these Rules go beyond the statutory authority of the HHS, specifically mentioning multiple provisions, including the 2000 Rule’s three-part test for providing medical information, which are not referenced in HIPAA. [16] Texas claims that these HHS rules were enacted to bar the state’s ability to enforce its abortion and reproductive healthcare laws. [17] Texas sees HIPAA and its Rules as an attack on state sovereignty to enforce its own laws and an overreach of administrative legal authority. [18] 

HHS’s response included a request for dismissal or summary judgment on the basis of lack of Jurisdiction. [19] HHS’s claim for summary judgment rests on three bases: Texas's lack of jurisdiction to challenge the rules under Article III of the Constitution, lack of sufficient evidence to demonstrate injury-in-fact, and the six-year statute of limitations having passed. [20] The agency claims that the 2024 Rule was enacted after concerns from covered entities and patients regarding Protected Health Information disclosure, specifically relating to reproductive health. [21] The authority of the HHS to modify its rules at the agency’s discretion is also mentioned, including sufficient reasoning for its prohibitions in the 2024 Rule. [22] 

Several other suits were also filed challenging the Rule both in other states and by an individual plaintiff in Purl v. HHS. [23] Texas v. HHS was ordered to stay in an order from August 28th, 2025, in light of an appeal in Purl v. HHS that was later dismissed on September 10th, 2025. [24, 25] Legal opinions regarding this case are mixed; the Courts may be headed toward a stronger states’ rights approach, as agencies move toward a larger trend of deregulation, as with the EPA. [26] Proponents of the Rule’s vacatur argue that it would restore the states’ ability to investigate its own criminal laws. However, the HHS is claiming that they are acting within the best interest of patients and providers and within their administrative authority to strengthen privacy laws. [27] States like Texas are trying to curb the number of people seeking reproductive care in states with more lenient laws, and see the Rules as hindering their ability to enforce their own laws within the state. The HHS is looking to use its administrative power to make and enforce regulations on health information as a way to enact pro-abortion policies after federal protections for abortion have been overturned. The district court sees the HHS’s Rules as an overreach of administrative power, hindering states’ rights and police power. The question remains — do states have the right to prosecute a resident of their own state if they receive reproductive care elsewhere that is illegal within their state? The Court has shown that states can prosecute within their state, but the future of prosecution for those who seek illegal care out of state remains uncertain. 

Sources

1. 89 Fed. Reg. 32,976 (April 26, 2024).

2. Ibid.

3. State of Texas v. The Department of Health and Human Services et al., No. 5:24-cv-00204 (N.D. Tex. 2025).

4.  65 Fed. Reg. 82,462 (December 28, 2000).

5. Ibid.

6. Hipaa Privacy Rule Final Rule to support reproductive health care privacy: Fact sheet. HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet | HHS.gov. (n.d.). https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html

7. Ibid.

8. Ibid.

9. Ibid.

10. Ibid.

11. Ibid.

12. Complaint, Texas v. Health and Human Services. 2024. No. 5:24-cv-00204 (N.D. Tex.)

13. Ibid, [2]. 

14. Ibid.

15. Federal Communications Commission v. Prometheus Radio Project, 592 U.S. __ (2021).

16. Texas, No. 5:24-cv-00204 at 5-6. 

17. Ibid.

18. Ibid .

19. Defendants’ Motion to Dismiss or, in the Alternative, For Summary Judgment, Texas v. Health and Human Services. 2024. No. 5:24-cv-00204 (N.D. Tex.)

20. U.S. Const. art. III, § 2; Texas, No. 5:24-cv-204-H, at 7–9.

21. Texas, No. 5:24-cv-204-H at 7.

22. Ibid., 25.

23. Purl, M.D., et al. v. United States Department of Health and Human Services, No. 2:24-cv-00228 (N.D. Tex. 2025).

24. Order, Texas v. Health and Human Services. 2024. No. 5:24-cv-00204 (N.D. Tex.)

25. Order on Motion to Dismiss, Purl, M.D., et al. v. United States Department of Health and Human Services, No. 2:24-cv-00228 (N.D. Tex. 2025).

26. United States Environmental Protection Agency. “EPA Launches Biggest Deregulatory Action in U.S. History.” Washington, DC: EPA, 2025. https://www.epa.gov/newsreleases/epa-launches-biggest-deregulatory-action-us-history. 

27. Texas, No. 5:24-cv-204-H