On April 26, 2024, HHS published a HIPAA Privacy Rule update designed to add heightened protections for protected health information related to lawful reproductive health care (89 Fed. Reg. 32976). The rule became effective June 25, 2024, with a primary compliance date of December 23, 2024 and a February 16, 2026 compliance date for the 45 CFR 164.520 Notice of Privacy Practices update.
On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated most of the rule in Carmen Purl, et al. v. U.S. Department of Health and Human Services, No. 2:24-cv-00228-Z. The court held that the rule unlawfully limited state public health laws and conflicted with 42 U.S.C. § 1320d-7(b). HHS’s own statement on the agency’s reproductive-health page confirms the scope of the vacatur and the surviving provisions.
A surprising number of compliance programs still treat the 2024 rule as fully in force. Training decks reference its disclosure-limit and attestation provisions. Privacy notices include language that no longer applies. Policies require attestations the rule no longer requires.
This post explains what was vacated, what survived, and how to retire compliance work tied to a vacated rule without overcorrecting and creating gaps in still-effective HIPAA Privacy Rule obligations.
What the 2024 Rule Did
In response to the 2022 Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, HHS amended the HIPAA Privacy Rule to add specific protections for PHI related to lawful reproductive health care. The most consequential additions:
- A prohibition on certain disclosures of reproductive-health PHI for investigations or proceedings against individuals seeking, providing, or facilitating lawful reproductive health care.
- An attestation requirement for certain requests for PHI potentially related to reproductive health.
- Notice of Privacy Practices changes requiring covered entities to update patient-facing notices to reflect the new disclosure limits and attestation requirement.
The substantive disclosure-limit and attestation provisions were the operationally consequential pieces. Many covered entities and business associates rolled out training, attestation procedures, and NPP changes through 2024 and into 2025.
What Was Vacated
On June 18, 2025, the Purl court vacated nationwide most of the 2024 rule’s substantive provisions. The court held the rule exceeded HHS’s authority by limiting state public health laws and creating conflicts with the underlying statute.
HHS’s own authoritative statement on the rule’s status confirms two specific scope points:
- Within the Notice of Privacy Practices modifications, the court vacated only those at 45 C.F.R. 164.520(b)(1)(ii)(F), (G), and (H), which it found unlawful.
- The remaining NPP modifications, including the still-required updates related to substance use disorder records, are undisturbed and remain in effect with a compliance date of February 16, 2026.
The substantive disclosure-limit and attestation provisions of the 2024 rule are no longer in force. The procedural NPP updates outside the vacated subsections still apply.
What This Means Operationally
A covered entity or business associate that built compliance work to the 2024 rule needs to do three things now.
Retire the disclosure-limit and attestation procedures. Internal training that taught staff to refuse disclosure requests under the vacated provisions, or to require an attestation that the rule no longer requires, should be retired or rewritten. Continuing to enforce internally a rule that has been vacated externally creates legal exposure if the practice produces an adverse outcome (e.g., refusing a lawful state public-health disclosure request).
Update NPP language. Many covered entities updated their Notice of Privacy Practices in 2024 to comply with the rule’s NPP requirements. The portions tied to vacated provisions need to come out. The portions tied to the surviving NPP modifications, including substance-use-disorder-record updates, need to stay and be in place by February 16, 2026.
Document the retirement step. A vacated rule is not the same as a rule that was never published. Compliance programs should keep a written record of which obligations were retired, when, why, and on what authority. This is also exactly the discipline a Risk Analysis Initiative inquiry will expect to see if the question ever arises.
Why HIPAA Privacy Rule Obligations Are Still Strong
The vacatur applies to the 2024 amendments, not to the underlying HIPAA Privacy Rule. The Privacy Rule itself remains fully in force. Reproductive-health PHI is still PHI. Standard Privacy Rule disclosure limits still apply. The minimum-necessary standard still applies. The Notice of Privacy Practices is still required. State law breach and privacy obligations still apply, and in many states reproductive-health-related state laws are now more consequential than the federal PHI overlay would have been.
The framing for staff training and patient-facing materials should make this distinction explicit. The 2024 rule’s specific protections are no longer in force. The general HIPAA Privacy Rule protections are. Saying “we no longer apply the 2024 reproductive-health privacy rule” should never be heard by staff as “reproductive-health PHI is now less protected.” It is just protected by the same rules that protect every other category of PHI.
Why This Is a Useful Teaching Case
Three lessons from this episode generalize beyond reproductive-health privacy.
Compliance change is bidirectional. A federal final rule was promulgated, partially complied with, and judicially vacated within 14 months of its effective date. Compliance programs designed around an assumption of unidirectional regulatory accumulation will produce stranded investments.
Status tracking needs at least three categories, not two. “Final and effective” and “proposed” do not capture this scenario. A rule that was once effective and is now vacated needs its own treatment. See Reading the Compliance Status Legend for the broader category model.
Vacatur language is precise and easy to misread. Purl vacated specific subsections, not the entire rule. A casual reading produced overcorrections in some compliance programs (treating the entire rule as gone, including procedural NPP provisions that survived) and undercorrections in others (continuing to enforce the substantive disclosure limits internally). Always read the court’s order and the agency’s authoritative statement, not press summaries.
What to Track
For organizations affected by the 2024 rule, three signals matter for the next 12 to 24 months:
- HHS’s posture on whether to issue a revised reproductive-health privacy rule consistent with the Purl decision. As of May 2026, HHS has not announced a successor rulemaking, but the agency could.
- State legislative action on reproductive-health privacy. State law has continued to develop independently of the vacated federal rule.
- Federal-court treatment of related provisions. Purl is the controlling vacatur, but related litigation in other circuits could produce additional changes.
The right operational posture: retire the vacated obligations cleanly, document the retirement, hold the surviving NPP work, and watch for either a successor rule or material state-law changes.
Sources
- HHS. (2024). HIPAA Privacy Rule to Support Reproductive Health Care Privacy. 89 Fed. Reg. 32976.
- Carmen Purl, et al. v. U.S. Department of Health and Human Services, No. 2:24-cv-00228-Z (N.D. Tex. June 18, 2025).
- HHS. (2025). Reproductive Health page acknowledging Purl v. HHS vacatur. hhs.gov reproductive health
- HHS. (2021). Summary of the HIPAA Security Rule.