Businessolver
Businessolver Blog

The HIPAA Reproductive Health Privacy Rule: What Brokers and HR Need to Know Now 

HIPAA Reproductive Health Privacy Rule
Get the Businessolver Blog in your inbox
Brooke Salazar, JD Sr. Director of Compliance profile photo
By Brooke Salazar, JD Sr. Director of Compliance
 on October 10, 2025
Share:

It’s official — the HIPAA Reproductive Health Privacy Rule is gone.

After the Purl v. Department of Health and Human Services decision, HHS did not appeal, meaning the rule’s privacy protections for reproductive health care are gone. The court dismissed the case on September 10, 2025, because of HHS’s lack of appeal.

What does this mean for employers? This has immediate and significant compliance impacts for employers, group health plans, and all HIPAA-covered entities at both federal and state levels. 

This update breaks down the Rule’s background, the court case that struck it down, what employers need to do now for compliance, and other key legal considerations. 

The Court’s Final Say on the Reproductive Health Privacy Rule

The rule faced legal challenges right away. On June 18, 2025, a Texas federal court threw out the relevant provisions nationwide, ruling that HHS overstepped its authority. HHS chose not to appeal, making the court’s decision final. This means the federal Reproductive Health Care Privacy Protections and any related attestation requirements are no longer in effect. 

However, protections under 42 CFR Part 2 for Substance Use Disorder (SUD) records remain in place. SUD records include information about a patient’s identity, diagnosis, or treatment tied to federally supported substance use programs. Disclosure without explicit written consent or a court order remains prohibited, including in legal proceedings. 

HR’s Must Do: Beginning February 16, 2026, group health plans must update their privacy policies and Notices of Privacy Practices to meet these heightened confidentiality requirements. 

What This Means for Federal and State Compliance 

With the reproductive health privacy rule gone, employers need to carefully consider how this impacts their organization’s compliance needs. 

  • Standard HIPAA Rules Apply: All existing HIPAA Privacy Rule protections remain in effect—minus the reproductive health provisions. 
  • No More Federal Reproductive Health Privacy Protections: The federal Reproductive Health Care Privacy Protections and their attestation rules are gone. Depending on the state law, covered entities and business associates may remove any mention of these from their policies and procedures. 
  • Stop Using Attestations Referring to Reproductive Health: Employer sponsored group health plans are no longer required to collect or keep attestations for reproductive health PHI. Any policies built around now-repealed attestation requirements should be reviewed and revised with legal counsel. 
  • Update Notice of Privacy Practices (NPP), if Applicable: If a group health plan handles SUD records, update policies, procedures, and Notices of Privacy Practices by February 16, 2026, to comply with new 42 CFR Part 2 regulations. 
  • Don’t Forget About State Laws: Employers and other covered entities must stay on top of any state laws that provide greater protections for reproductive health care PHI than HIPAA. If a state law is stricter, the employer’s policies and procedures must follow it. Keeping unenforceable federal rules in policies could create unnecessary legal risks, especially when responding to court orders or state inquiries. 

Employers Immediate Compliance To-Do List 

Ensure compliance and reduce legal risk, here’s what employers should do right away: 

  • Review and Revise Policies: Go through compliance documents and remove all references to the vacated reproductive health care provisions and attestation requirements. 
  • Update NPPs for SUD Records: Make sure materials are updated and sent out before the February 16, 2026 deadline to reflect the current SUD record rules. 
  • Check State Law Requirements: Do a thorough review of applicable state laws to see if stricter reproductive health care privacy rules require more policy changes. 
  • Train the Team: Make sure staff is trained on these compliance changes, including the removal of federal reproductive health attestations and the new SUD rules. 
  • Talk to an Experienced Employee Benefits Lawyer: Consult legal experts to navigate any tricky situations where state and federal rules overlap or conflict, and to confirm all compliance materials are up to date both federally and for state laws.

What This Means for the Industry 

The end of the HIPAA Reproductive Health Privacy Rule shows just how complex health care privacy compliance is becoming. While getting rid of the federal attestation requirement simplifies some administrative tasks, it puts more pressure on employer sponsored group health plans to be diligent about state laws and the new mandatory rules for SUD records. Organizations must constantly monitor policy changes, review their risk management strategies, and be ready for what comes next. 

This legal environment requires constant vigilance and a proactive approach from every HIPAA-covered entity. Failing to adapt could lead to significant liability and a loss of trust. 

Businessolver’s ComplianceDashboard can help you stay ahead. With custom compliance calendars and clear task guides, we work to make sure you avoid compliance stress and keep your focus on higher priorities.