Who feels like they’ve been on a regulatory roller coaster lately?

On June 18, 2025, in Purl v. U.S. Department of Health & Human Services, Judge Kacsmaryk of the U.S. District Court for the Northern District of Texas vacated key provisions of HHS’s HIPAA Privacy Rule that had imposed new federal protections for reproductive health care information, including the controversial Attestation requirement. You can download a copy of the Memorandum Opinion and Order here. This means that HIPAA-covered entities must immediately stop requiring a HIPAA-compliant Attestation from requestors seeking PHI that includes (or is likely to include) reproductive health information for any of the following purposes: healthcare oversight, judicial and administrative proceedings, law enforcement, or to a coroner or medical examiner.

Sadly, this ruling effectively sidelines our carefully crafted HIPAA Decision Tree to Release Reproductive Health Information 😢 — at least for now.

What’s Next?

It’s worth noting that a Notice of Appeal was filed on June 13, 2025, by Intervenor-Defendants (City of Columbus, Ohio, City of Madison, Wisconsin, and Doctors for America), challenging the District Court’s earlier denial of their Motion to Intervene. We will have to wait and see if that goes anywhere. Meanwhile, HHS has 60 days to decide whether to appeal Judge Kacsmaryk’s latest order vacating its rule. However, given the U.S. Supreme Court’s recent post-Chevron shift towards stricter limits on agency authority, the rumor mill suggests HHS may be hesitant to appeal. Time will tell.

As of Friday, June 20, 2025, HHS’ website dedicated to publishing guidance on compliance with the Reproductive Rule remains unchanged.

Immediate Impact

The District Court’s Order is immediately effective. This means that the HIPAA Privacy Rule to Support Reproductive Health Care Privacy is no longer enforceable. As such, covered entities must re-evaluate their current process for handling requests for PHI tied to reproductive health information. However, if you operate in a state that has its own state-level reproductive privacy or provider shield law, those state protections still apply and may even require similar or stronger privacy safeguards.

The Legal Battle: Key Arguments & Findings

The Plaintiffs, led by Dr. Carmen Purl and the State of Texas, argued that HHS exceeded its statutory authority under HIPAA by imposing new privacy restrictions that would obstruct the enforcement of state laws governing child abuse reporting and abortion-related investigations. They maintained that the Rule conflicted with HIPAA’s explicit preemption provision, 42 U.S.C. § 1320d–7(b), which preserves states’ rights to regulate public health and criminal matters. They further contended that protecting abortion-related information raised a significant policy question that Congress never delegated to HHS, rendering the Rule an overreach. In addition, they argued that the Rule was arbitrary and capricious because it ignored its impact on state law enforcement and public health oversight, and they warned that Texas and Dr. Purl would suffer irreparable harm if forced to comply.

In response, HHS defended the 2024 Rule as a lawful exercise of its broad authority to safeguard the confidentiality of patients’ health information, arguing that HIPAA has always permitted the federal government to establish nationwide baseline privacy protections that may override conflicting state laws. The agency maintained that the Rule did not present a central policy question, but was instead a routine update necessary to prevent a chilling effect on patients seeking reproductive care following Dobbs. HHS maintained that the rulemaking process was procedurally proper, supported by evidence, and responsive to the wide range of stakeholder comments received.

Ultimately, Judge Kacsmaryk agreed with the plaintiffs and concluded that HHS made three critical legal “errors” in adopting the 2024 Rule. As stated in his Opinion:

“First, the HIPPA [sic] Privacy Rule to Support Reproductive Health Care Privacy (the “2024 Rule”) is “contrary to law” because it unlawfully “limits” state public health laws. 89 Fed. Reg. 32978. Second, the 2024 Rule impermissibly redefines “person” and “public health,” in contravention of Federal law and “in excess of statutory authority.” Third, under the “major-questions doctrine,” the 2024 Rule arrogates to HHS authority not expressly delegated by Congress.”

(And yes — the Court kicked off its Opinion by misspelling “HIPAA” as “HIPPA” 😬)

Wait … Didn’t HHS Specifically Carve Public Health Out from the Attestation?

Yes — under the now-vacated Final Rule, disclosures for genuine public health purposes were deliberately excluded from the Attestation requirement. HHS made clear throughout the rulemaking that mandatory public health reporting and other bona fide public health activities would not be burdened by this extra condition. The Attestation was also not required from a public health official under certain circumstances. When covered entities — particularly health care providers (HCPs) — received requests from public health officials for protected health information (PHI), there were specific scenarios under the HIPAA Reproductive Health Privacy Rule where the Attestation requirement did not apply. For example, if a public health official requested PHI but did not need any reproductive health care information, then an Attestation was not required. Similarly, if the request was for information that the provider was required by law to submit, then an Attestation was unnecessary. This was directly addressed by HHS during the rulemaking process:

Comment: A few commenters expressed concerns about their ability to implement the attestation requirement in circumstances where the use or disclosure is triggered by a mandatory reporting law or verbal request. According to the commenters, an attestation requirement could require a significant change to operational workflows for permitted disclosures and significantly impede operations for state and local agencies that conduct death investigations and perform public health studies and initiatives.

Response: The HIPAA Privacy Rule at 45 CFR 164.512(a) permits certain uses and disclosures of PHI that are required by law, including notification of certain deaths by a covered health care provider to a medical examiner, when those uses and disclosures are limited to the requirements of such law. The attestation conditions do not apply to the mandatory disclosures required by law. Nor does mandatory reporting for public health activities pursuant to 45 CFR 164.512(b) – Uses and Disclosures for Public Health Activities – require an attestation.

This framework also covered specific administrative requests when they were “required by law.” HHS responded to public feedback on this point as well:

Comment: Some commenters urged the Department to include additional provisions to monitor and enforce the attestation condition, including requiring that a court order, written attestation, or valid authorization accompany requests for the use or disclosure of PHI for legal or administrative proceedings or law enforcement investigations.

Response: HIPAA permits regulated entities to disclose PHI pursuant to an administrative request, but only if certain conditions are met. As explained in the Final Rule and Notice of Proposed Rulemaking, OCR is aware that some regulated entities are interpreting the provision that permits disclosures pursuant to administrative requests in a manner inconsistent with OCR’s intent by disclosing PHI to law enforcement without a warrant or subpoena. As such, the Final Rule adopts changes to clarify that the administrative processes for which a disclosure is permitted are limited—PHI may only be disclosed pursuant to an administrative request “for which response is required by law,” such as an administrative subpoena or summons, a civil or authorized investigative demand, or similar process authorized under law.

When a request was truly for a public health purpose — such as preventing or controlling disease, reporting injuries or vital events like births or deaths, conducting public health surveillance and investigations, reporting child abuse or neglect, or ensuring the quality and safety of FDA-regulated products — an Attestation was likewise not required. The complications arose in “gray areas” where a public health official might characterize an investigation or intervention as a public health function, but its true nature might instead fall under judicial or law enforcement authority. As HHS noted in the preamble, whether an Attestation was required for requests accompanied by a subpoena depended on the facts. If the subpoena or demand legally required disclosure — such as an administrative subpoena, summons, or civil or authorized investigative demand under applicable state law — then an Attestation was not needed. However, not all subpoenas carry the force of law, so each request generally needed careful, case-by-case review to determine whether the Attestation condition applied.

Although HHS’s Final Rule specifically exempted certain public health disclosures and mandatory reporting from the Attestation requirement, the Court found these carve-outs did not cure the Rule’s fundamental conflict with federal law. In particular, the Court focused on HIPAA’s statutory mandate in 42 U.S.C. § 1320d-7(b), which flatly prohibits any HIPAA regulation from invalidating or limiting state laws governing public health reporting, disease surveillance, and child abuse investigations. The Court held that the 2024 Rule did exactly what Congress forbade: it imposed additional layers of conditions and burdens — such as screening PHI for reproductive health information, verifying the lawfulness of care, and requiring covered entities to presume care lawful unless proven otherwise — before allowing disclosures that state law already compels. Even though HHS tried to preserve some public health activities by listing them as exceptions to the Attestation, the Court concluded this did not remove the unlawful “limits” on states’ authority. It emphasized that these procedural hoops restrain and “complicate” how states exercise their full power to demand and use health information for legitimate public health and child abuse enforcement.

In short, the Court determined that partial carve-outs did not undo the fact that the Rule, as a whole, created new federal restrictions that directly curtailed the operation of state public health and criminal laws — something Congress clearly said HIPAA could not do. So, despite HHS’s attempts to accommodate some mandatory disclosures, the Rule’s structural conflict with the statute remained, rendering it contrary to law and beyond HHS’s authority.

States’ Reproductive Health Laws Are Still Relevant!

Even though the federal Attestation requirement has been struck down (for now), many states have enacted their own reproductive health privacy laws and provider shield statutes, and these continue to apply. Some states have privacy provisions that function similarly to the federal Attestation, requiring extra certifications or limiting disclosures about abortion or reproductive health services in the face of out-of-state investigations or legal demands. Others have shield laws that bar cooperation with certain subpoenas or warrants altogether. Many states, including California, Colorado, Hawaii, Maryland, New Mexico, New York, Oregon, Rhode Island, Vermont, Washington, and the District of Columbia, have enacted provider shield laws that protect patients and providers involved in lawful reproductive healthcare from out-of-state legal actions. Some states go further by adding privacy-protective requirements, such as consent or attestation obligations similar to the now-vacated federal requirement, that impose specific conditions on disclosing reproductive health information. States with such measures include Connecticut, Delaware, Illinois, Maine, Massachusetts, Minnesota, and New Jersey. Because these state protections vary widely in scope and procedural details, covered entities must know precisely which states impose only shield protections and which still require extra privacy steps similar to an attestation. For summaries of these state laws, the Williams Institute (at UCLA School of Law) maintains an excellent resource: State Law Guide: Shield Laws for Reproductive Health and Gender Affirming Care.

So, What Now — What Should Covered Entities Do?

In this patchwork environment, HIPAA-covered health care providers must carefully untangle the now-vacated federal Attestation from any similar or stronger obligations under state law. The practical takeaway:

  • Continue to comply fully with your state’s reproductive privacy and shield laws — if your state requires special certifications, consents, or refusal to comply with certain requests, those obligations remain enforceable. (For a detailed New Jersey requirements tool, subscribe as a member to our Compliance Library here.)
  • Do not impose a “HIPAA Attestation” anymore. Adding extra federal-like requirements when there is no legal basis could delay disclosures, frustrate patients, and even expose you to claims of information blocking under federal rules, which prohibit unnecessary barriers to lawful access and exchange of health information.
  • Update your policies, train staff, and adjust your forms to reflect this new split: federal Attestation out (vacated); state-based reproductive privacy measures in (where applicable).