VertiSource HR | HRIS and HR Outsourcing

New HIPAA Compliance Alert: Reproductive Privacy Rule Vacated Nationwide

TL;DR

  • A Texas federal judge vacated key portions of the Biden administration’s HIPAA Privacy Rule update intended to protect reproductive health information—blocking it nationwide.
  • The vacated rule would have required written attestations before disclosing PHI related to reproductive care, including abortion and fertility treatments, during investigations.
  • Employers and benefits administrators must now revert to pre-2024 HIPAA policies, removing attestation and disclosure limits tied to reproductive healthcare.
  • State-level enforcement is once again in play, making compliance more complex for multistate employers.
  • HR teams should immediately review privacy notices, retrain staff, and update internal PHI protocols to avoid exposure and confusion.

HIPAA Reproductive Health Rule Struck Down: What It Means for Employers

In a major development affecting healthcare compliance and employee privacy, a federal judge in Texas has vacated the Biden administration’s 2024 HIPAA Privacy Rule update that aimed to restrict the sharing of reproductive health information during law enforcement investigations. The ruling applies nationwide, disrupting planned protections for data related to abortion, fertility, contraception, and gender-affirming care.

For employers and HR professionals, this creates renewed uncertainty—and increased risk—around how to handle employee health data in states with conflicting laws. VertiSource HR helps business leaders stay compliant in moments like this by offering real-time guidance and expert HR policy support.

What Was the Reproductive Health Privacy Rule?

The U.S. Department of Health & Human Services finalized a new HIPAA rule in April 2024 (effective June 25, 2024) that:

  • Prohibited the use or disclosure of reproductive health-related PHI (Protected Health Information) in certain investigations or legal actions
  • Required covered entities—including group health plans and some employers—to obtain written attestations before sharing PHI in those cases
  • Mandated updates to Notices of Privacy Practices by February 2026
  • Applied to data related to reproductive health care “lawfully obtained,” even in states where that care is restricted

The rule was designed to prevent states from investigating or prosecuting individuals who sought reproductive care in states where it was legal.

What Did the Court Decide?

On June 18, 2025, Judge Matthew Kacsmaryk of the Northern District of Texas vacated the reproductive health-related portions of the rule nationwide, ruling that:

  • HHS overstepped its authority under HIPAA by attempting to limit how state agencies and law enforcement access certain PHI
  • The rule improperly created new categories of PHI with enhanced protections not authorized by statute
  • Only a small portion of the rule—relating to notices involving substance use disorder treatment—was allowed to stand

As a result, the specialized protections for reproductive health PHI no longer apply. Covered entities must revert to standard HIPAA rules for PHI use and disclosure.

Why It Matters to Employers and HR Leaders

While this may seem like an issue for healthcare providers, it directly affects employers that sponsor group health plans or act as HIPAA-covered entities. If you’re involved in processing or handling employee health data—whether through benefits administration, HRIS platforms, or compliance teams—this ruling likely impacts you.

Key Risks:

  • Compliance confusion: Internal policies may still reference attestation requirements that are no longer valid
  • Legal liability: Inconsistent or improper disclosures could lead to civil suits or HIPAA enforcement actions
  • Employee mistrust: Miscommunication around data privacy erodes confidence, especially in politically sensitive areas like reproductive care
  • State-level subpoena conflicts: Employers operating in multiple states could face opposing demands about what they must disclose

What Employers Should Do Now

To stay compliant and avoid risk, here are the key steps HR teams and business owners should take immediately:

1. Audit Your PHI Disclosure Policies

  • Remove attestation language or other references to the vacated rule
  • Ensure your policies reflect current HIPAA standards, not outdated or overturned provisions

2. Update Your Notice of Privacy Practices

  • If you already made updates based on the 2024 rule, revise them to remove reproductive health protections that no longer apply
  • Leave in place the updates related to substance use disorder care, which were not vacated

3. Retrain HR, Benefits, and Compliance Staff

  • Clarify that the specialized reproductive health protections are no longer required under federal law
  • Reinforce general HIPAA privacy and security rules that still govern PHI handling

4. Consult Legal or HR Compliance Experts

  • State laws may still impose obligations—especially in reproductive health “shield” or “restriction” states
  • Align with your counsel to determine how to respond to subpoenas or law enforcement requests

How VertiSource HR Helps Clients Stay Compliant

This HIPAA ruling is one of many recent examples of fast-moving regulatory shifts affecting employers. At VertiSource HR, our compliance and benefits experts help you:

  • Review and update HR and privacy policies to reflect legal changes
  • Ensure secure handling of sensitive PHI across systems and vendors
  • Coordinate compliance across states for multi-jurisdictional employers
  • Train internal teams to stay consistent, informed, and risk-aware

Don’t Get Caught Off Guard by HIPAA Changes

Regulations change fast. We’ll help you stay ahead.

👉 Schedule a Free HR Compliance Audit and ensure your policies are up to date and litigation-ready.