By: HUB’s EB Compliance Team

As covered in this prior article, the U.S. Department of Health and Human Services (“HHS”) finalized rules designed to provide additional protections for reproductive health records on April 26, 2024 and required employer compliance by December 23, 2024. Those rules were subsequently challenged in federal district court and vacated by the court on June 18, 2025. Normally, a ruling of the lowest-level court in the federal system is not a cause for most employers to take action. However, given the low likelihood of an appeal, this ruling is expected to remain in effect; therefore, plan sponsors should take note of this development.

Background

A Texas health care provider sued in district court to invalidate the rule. Among other arguments, the provider contended that the restrictions on the use or disclosure of reproductive health information in the rule conflicted with state laws that mandate the reporting of suspected child abuse. This conflict, the provider contended, forced health care providers into an impossible position: they would either have to violate HIPAA’s restrictions by failing to disclose the requested information or break state mandated reporter laws by complying with HIPAA. The providers argued that as a result, the new rules went beyond HHS’ scope of authority. The court agreed and invalidated the rules under the Administrative Procedures Act.

Avid Supreme Court watchers may wonder whether the Supreme Court’s recent decision in Trump v. CASA affects this ruling. That case involved the use of universal injunctions, where the Supreme Court held that district courts generally lack the authority to order universal injunctions. However, in a footnote, the Court specifically stated that the CASA ruling did not address the remedy of invalidating agency rules under the Administrative Procedures Act.

What This Means

In short, this ruling in Purl v. HHS means reproductive health records are no longer afforded the special additional protections provided by the rule, such as requiring an attestation before disclosing HIPAA-protected reproductive health information in connection with an investigation.

What This Doesn’t Mean

Reproductive health information is still PHI, so it is not suddenly unprotected as a result of this ruling. Therefore, its use or disclosure is still restricted under existing HIPAA rules. For example, HIPAA permits PHI disclosures in response to a court or administrative order, provided that only the PHI expressly authorized by the order is included. Similarly, PHI can be disclosed in response to a subpoena, discovery request, or other lawful process without a court order only if the covered entity receives satisfactory assurances (as outlined in the HIPAA regulations) that reasonable efforts have been made to notify the individual of the request for PHI or that reasonable efforts have been made to secure a qualified protective order. Disclosures otherwise required by law may also be made, provided that the disclosure is limited to what is required by that law.

In addition, state laws may provide more restrictive protections than those outlined by HIPAA. Given that HIPAA adopts a floor preemption approach, meaning that it only preempts less restrictive state laws governing PHI, a state could impose more onerous requirements. It is unclear whether such disclosures could be made by multi-state health plans, where a law enforcement official from State A is requesting information from a covered entity in State B with more restrictive laws, for example.

As a separate note, the HIPAA regulations in question also included changes to the Notice of Privacy Practices related to recent changes governing substance use disorder records. Those changes remain in effect.

What to Do

As previously stated, a lower-level district court decision of this type would not warrant immediate action by employers. As prior HUB articles can attest, the typical response is to wait and watch for subsequent appeals, but given the change in administrations since this lawsuit was filed, it seems unlikely that HHS will appeal this decision and the ruling is likely to remain in place as-is.

The first step is to watch out for releases from HHS. It is possible HHS will issue a press release or other statement in response detailing how the agency will respond to this ruling.

Most of the changes, other than the Notice of Privacy Practices changes, were required to be implemented by December 23 of last year. Given that the rules are no longer effective, employers can remove any internal HIPAA training and administrative processes related specifically to these rules. Employers should consult with counsel on whether BAAs that were already amended to comply with the rules should be amended again to remove the additional language, or whether the reproductive health language can be disregarded, as this will likely depend on how the prior BAA revisions were drafted.

If you have any questions, please contact your HUB Advisor. View more compliance articles in our Compliance Directory.

NOTICE OF DISCLAIMER
Neither Hub International Limited nor any of its affiliated companies is a law or accounting firm, and therefore they cannot provide legal or tax advice. The information herein is provided for general information only and is not intended to constitute legal or tax advice as to an organization’s or individual's specific circumstances. It is based on Hub International's understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect and Hub International does not have an obligation to update this information. You should consult an attorney, accountant, or other legal or tax professional regarding the application of the general information provided here to your organization’s specific situation in light of your or your organization’s particular needs.