Court Vacates Key Portions of 2024 HIPAA Privacy Rule on Reproductive Health Information
On June 19, 2025, the U.S. District Court for the Northern District of Texas vacated most provisions of the Biden Administration's 2024 Rule under HIPAA related to reproductive health information privacy. The 2024 Rule limited the circumstances under which protected health information (PHI) regarding reproductive health could be disclosed for non-health care purposes. The court ruled that the 2024 Rule was contrary to law, impermissibly redefined key terms, and exceeded delegated authority, thereby infringing on state public health laws and violating the major-questions doctrine.
Despite vacating the bulk of the 2024 Rule, the court preserved provisions requiring covered entities to update their Notice of Privacy Practices (NPPs). These provisions mandate information disclosures related to records regulated by 42 CFR part 2, which governs substance use disorder patient records. Covered entities must comply with the NPP update requirement by February 16, 2026.
The legal analysis highlights ongoing complexities in managing health information privacy, especially where federal regulations intersect with state public health laws. The case underscores the critical need for healthcare and insurance entities to monitor evolving regulatory standards governing the use and disclosure of sensitive PHI.
Professionals such as Libbie Canter are advising multinational companies on managing privacy, cybersecurity, and artificial intelligence risks, navigating both U.S. and global laws including state-specific regulations like the California Consumer Privacy Act and the Colorado AI Act. Canter's expertise includes governance frameworks and compliance strategies for health tech and financial services sectors.
Anna Durand Kraus, with her background as Deputy General Counsel at HHS, provides counsel on complex health care laws including Medicare, Medicaid, fraud and abuse statutes, HIPAA privacy and security, and breach notification protocols. She is experienced in helping pharmaceutical and device manufacturers, as well as providers, navigate compliance challenges and federal investigations.
Elizabeth Brim advises on broad privacy and healthcare regulatory compliance, including HIPAA and the FTC's Health Breach Notification Rule, with expertise in genetic data privacy, digital health products, and transactional compliance involving vendor agreements and consumer consent formats.
Olivia Vega offers guidance on privacy and technology law compliance in transactions and regulatory matters, focusing on federal and state laws such as HIPAA and the California Confidentiality of Medical Information Act. Her practice supports client needs in global privacy and health care data security.
Aubrey Stoddard specializes in policy and regulatory advice for pharmaceutical, biotechnology, and medical device companies, with a commitment to pro bono work in reproductive health. Her expertise contributes to addressing industry-specific regulatory challenges.
Industry legal teams must stay vigilant regarding the interaction of federal health privacy rules with state laws and judicial rulings. This ruling demonstrates the judiciary's role in defining regulatory boundaries and the ongoing evolution of compliance obligations for covered entities.
The decision impacts data privacy frameworks within health insurance and healthcare providers, highlighting the importance of updated disclosures in NPPs and compliance deadlines.
This development also signals increased judicial scrutiny concerning agency rulemaking authority in health privacy law, stressing the need for insurers and healthcare entities to align internal policies with judicial guidance and evolving legislative frameworks.
Insurance professionals and legal counsel should review their data privacy policies and PHI use protocols in light of these changes to maintain regulatory compliance and mitigate legal risk.