In April 2024, the Biden administration finalized a rule under HIPAA to protect the privacy of reproductive healthcare information. This came nearly two years after the Supreme Court overturned Roe v. Wade, a decision that triggered new abortion laws in many states. This rule took effect in June 2024.
This rule stops covered entities from sharing protected health information (PHI) if it could be used to impose criminal, civil, or administrative penalties on anyone seeking or providing legal reproductive healthcare. Officials from the Department of Health and Human Services (HHS) hoped it would help ease fears and legal confusion around data privacy in reproductive care.
What Does the Rule Change?
Before this rule, HIPAA-covered entities couldn’t share PHI without the patient’s permission, except in limited cases—like court orders, law enforcement, or health oversight.
Roger Cohen, a healthcare law partner at Goodwin, explained:
“And after the Dobbs decision overturning Roe v. Wade, there were laws passed outlawing abortion or limiting abortion in a number of states. There was concern about the ability of law enforcement authorities to access reproductive health information and use it to prosecute women who had abortions, healthcare providers who provided abortions.”
Now, the rule strictly prohibits sharing PHI for investigating or prosecuting someone who legally accessed or provided reproductive care. It also requires a signed attestation for requests involving reproductive health information, confirming that the request isn’t for a prohibited purpose. Covered entities must also update their Notice of Privacy Practices to reflect the new protections for reproductive health data.
Legal Challenges Create Uncertainty
Not everyone agrees with the rule. In September 2024, Texas Attorney General Ken Paxton sued the HHS, claiming the rule interferes with states’ rights to investigate crimes. Paxton said,
“This new rule actively undermines Congress’s clear statutory meaning when HIPAA was passed, and it reflects the Biden Administration’s disrespect for the law. The federal government is attempting to undermine Texas’s law enforcement capabilities, and I will not allow this to happen.”
His lawsuit argues that the rule conflicts with existing HIPAA provisions and the Administrative Procedure Act, which governs how federal agencies make rules.
In January 2025, 15 more states joined in, just before President Trump took office. These states said the rule could interfere with investigations into Medicaid fraud, abuse, or insurance crimes.
Their filing claimed:
“That result flouts HIPAA, which specifically preserves States’ longstanding authority to investigate healthcare-related issues.”
Roger Cohen added context around the rule’s future:
“One other interesting factor here is that agencies, prior to the overturning of Chevron — or, changing of the law around the deference that agencies get in rulemaking — an agency would get deference in how it interpreted what public health means. But that’s no longer the law. So really, a court gets to decide what Congress intended when it said the law shouldn’t interfere with public oversight of public health.”
It’s now up to the courts to decide if the rule aligns with HIPAA’s intent—or if the rule will be changed or revoked by the new administration.
What Covered Entities Can Do Now
Despite legal uncertainty, covered entities must comply with the rule while it’s in effect. Experts suggest that now is a good time for organizations to revisit and improve their privacy practices. Healthcare lawyer Roger Cohen shared,
“One low-hanging fruit or box to check is to update your notice of privacy practices and distribute the updated notice to patients. The regulations are still in effect, and so regulated entities should comply with them.”
He also advised:
“If you get a request for reproductive health information, consult with your counsel on the request to ensure you’re complying with the regulations.”
Covered entities should know that PHI disclosures for reproductive care are restricted in some cases but allowed in others. For example:
- If someone travels to another state for legal reproductive care, their provider doesn’t need to disclose that.
- But a provider can disclose PHI to defend themselves in a legal case about misconduct or negligence.
Keep Watching the Rule’s Status
With lawsuits ongoing and a new administration in office, the future of this rule remains unclear. Still, HIPAA compliance is an ongoing responsibility, and organizations should continue to:
- Consult legal counsel when handling reproductive health PHI
- Update privacy notices to reflect the current law
- Monitor legal developments around the rule
The privacy landscape is changing fast—but protecting patient data should always remain a top priority.
Also Read: DataKrypto Launches FHEnom for AI to Secure Models and Data with Fast Homomorphic Encryption
