After the Purl v. Department of Health and Human Services decision, HHS did not appeal, meaning the rule’s privacy protections for reproductive health care are gone. The court dismissed the case on September 10, 2025, because of HHS’s lack of appeal.
What does this mean for employers? This has immediate and significant compliance impacts for employers, group health plans, and all HIPAA-covered entities at both federal and state levels.
This update breaks down the Rule’s background, the court case that struck it down, what employers need to do now for compliance, and other key legal considerations.
The rule faced legal challenges right away. On June 18, 2025, a Texas federal court threw out the relevant provisions nationwide, ruling that HHS overstepped its authority. HHS chose not to appeal, making the court’s decision final. This means the federal Reproductive Health Care Privacy Protections and any related attestation requirements are no longer in effect.
However, protections under 42 CFR Part 2 for Substance Use Disorder (SUD) records remain in place. SUD records include information about a patient’s identity, diagnosis, or treatment tied to federally supported substance use programs. Disclosure without explicit written consent or a court order remains prohibited, including in legal proceedings.
HR’s Must Do: Beginning February 16, 2026, group health plans must update their privacy policies and Notices of Privacy Practices to meet these heightened confidentiality requirements.
With the reproductive health privacy rule gone, employers need to carefully consider how this impacts their organization’s compliance needs.
Ensure compliance and reduce legal risk, here’s what employers should do right away:
The end of the HIPAA Reproductive Health Privacy Rule shows just how complex health care privacy compliance is becoming. While getting rid of the federal attestation requirement simplifies some administrative tasks, it puts more pressure on employer sponsored group health plans to be diligent about state laws and the new mandatory rules for SUD records. Organizations must constantly monitor policy changes, review their risk management strategies, and be ready for what comes next.
This legal environment requires constant vigilance and a proactive approach from every HIPAA-covered entity. Failing to adapt could lead to significant liability and a loss of trust.
Businessolver’s ComplianceDashboard can help you stay ahead. With custom compliance calendars and clear task guides, we work to make sure you avoid compliance stress and keep your focus on higher priorities.