HIPAA Reproductive Health Privacy Rule Vacated

Here’s what HR needs to know to stay informed

Late on Wednesday, June 18, 2025, there was a federal court decision to vacate the 2024 HIPAA Reproductive Health Privacy Rule that has left employer sponsored group health plans and other HIPAA-regulated entities navigating uncharted territory. The ruling, effective immediately, removes key privacy protections aimed at safeguarding reproductive health care information. While the ruling alters compliance requirements, it is crucial to understand what remains unchanged under the HIPAA Privacy Rule and how to stay compliant.

Here’s a breakdown of what this means and steps employer group health plans should consider.

Bottom Line First

Valid HIPAA attestations are no longer, at this moment in time, required for requests to use or disclose protected health information (PHI) potentially related to reproductive health care (“RHC”).

Group health plans should review any policies and procedures that have been modified to comply with reproductive health care privacy requirements to ensure they are still compliant after this decision.

Talk to your counsel: If your group health plan receives information requests concerning RHC, you should consult with experienced counsel prior to releasing such information to account for any state law or member claims.

What Was the Reproductive Health Privacy Rule?

• The 2024 HIPAA Reproductive Health Privacy Rule introduced enhanced protections for reproductive health information, such as contraception, abortion, vasectomies, STD screening, and IVF treatment. It prohibited using or disclosing reproductive health-related Protected Health Information (PHI) for certain purposes, such as investigating lawful reproductive health services. Additionally, it required attestations from third parties requesting PHI to ensure compliance with restricted purposes.
• However, the ruling found that the Department of Health and Human Services (HHS) exceeded its legal authority when creating the rule. The court ruled that the restrictions unlawfully interfered with state-level laws regarding child abuse reporting and public health.

What Stays the Same?

Even though the court vacated the Reproductive Health Privacy Rule, the standard HIPAA Privacy Rule protections still apply. Here’s what hasn’t changed:

• PHI Protections: Covered entities must still safeguard all health information, including reproductive health care PHI.
• Compliance with HIPAA Regulations: HIPAA-governed organizations need to ensure that PHI disclosures, such as responses to subpoenas or law enforcement requests, align with HIPAA standards.
• Thorough Review of Requests: Carefully review all administrative and subpoena requests for PHI to ensure that disclosure is compliant with HIPAA requirements.

Immediate Considerations for Employer Sponsored Group Health Plans

If your organization adjusted to comply with the currently vacated rule, take these proactive steps to reassess your policies and practices:

1. Review Policies and Procedures

Examine updates made to policies and procedures that were intended to comply with the now-vacated rule. Determine whether these updates still align with HIPAA’s overall requirements, including policies requiring attestations for disclosing reproductive health PHI should be re-evaluated. Consider whether to make these attestations voluntary or discontinue them entirely.

2. Reassess Your HIPAA Notice of Privacy Practices

If you revised your organization’s Notice of Privacy Practices to reflect the protections under the vacated rule, assess whether updates are necessary considering the court’s decision.

3. Train Your Workforce

Educate your team on compliant PHI uses and disclosures, paying special attention to reproductive health information scenarios. Knowledgeable staff are better equipped to avoid unintentional violations.

4. Consult Legal Counsel

Seek legal advice to address specific questions or uncertainties caused by this decision. Legal experts can help you understand potential state-level protections and ensure you’re not overlooking compliance risks.

5. Stay Vigilant of Further Developments

This decision may face appeals or further legal challenges. Monitor updates from the HHS and legal experts for changes that may impact your obligations.

How Does This Impact Reproductive Health Care Information?

Employer sponsored group health plans remain in a balancing act between compliance with HIPAA and accommodating state-level regulations. Without the additional protections afforded by the final rule, organizations must be especially cautious when responding to requests for PHI related to reproductive health services.

For example:

• Suppose law enforcement issues a subpoena requesting reproductive health care information. The covered entity must ensure a lawful basis for disclosure that aligns with HIPAA, while also considering any applicable state requirements.
• Organizations dealing with multi-state operations should note that state-specific reproductive health care laws may still apply, even if federal protections are no longer in place.

Why This Decision Matters

• The removing of the Reproductive Health Privacy Rule underscores the complexity of balancing federal regulations, state laws, and group health member privacy. It also highlights the crucial need for organizations to stay fully informed and adaptable in the face of ongoing legal shifts.
• This decision serves as a reminder that compliance is not static. It evolves as laws and court rulings emerge to become even more powerful in the regulatory space, especially given the Chevron ruling. The best approach to managing compliance is ensuring your organization is proactive, well-trained, and equipped with the right tools.

What about an appeal by HHS?

Businessolver has been watching this case closely and will continue to do so. While no one has a crystal ball, there has been no indication from the current administration that it will appeal this ruling. HHS has 60 days to appeal the court’s dismissal. Businessolver will be on the lookout for that appeal should it be filed.

Final Thoughts

With the removal of the 2024 Reproductive Health Privacy Rule, it’s easy to feel overwhelmed by the shifting HIPAA compliance landscape. However, staying informed and revisiting your organization’s policies will help safeguard both your group health plan members and your business.

If you’re finding compliance too complicated to tackle alone, consider leveraging solutions like ComplianceDashboard^® to simplify the process. Stay ahead of the changes and make compliance work for you—not against you.

Stay compliant. Stay informed.

This regulatory update is for informational purposes only and is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact experienced legal counsel for legal advice.