Alert

Prepare for Nationwide Change to HIPAA Regulations

Marisol Cooke, Director, Health Care Consulting Practice

September 8, 2025
LinkedIn Share Button Twitter Share Button Other Share Button Other Share Button

The US District Court for the Northern District of Texas issued a nationwide order vacating the Health Insurance Portability And Accountability (HIPAA) Privacy Rule to Support Reproductive Health Care Privacy on June 18, 2025. Only the enhanced Notice of Privacy Practices (NPP) requirement for substance use disorder (SUD) patient records remains in place.

This decision significantly changes the HIPAA landscape by eliminating compliance obligations related to reproductive health, such as policies, procedures, attestation forms, and training. However, health care providers and organizations must continue to comply with HIPAA's Privacy Rule regarding the privacy of protected health information (PHI) and heed state laws that may provide enhanced privacy for this specific category of health information.

Explore the ruling’s key highlights, its compliance implications, and what to expect next with the following insights.

Why the Court Struck It Down

Although made at the district level, the ruling has an immediate nationwide effect based on the following reasons:

Exceeding Statutory Authority

The court found Health and Human Services (HHS) lacked explicit Congressional authorization to create special reproductive health data protections—this fell under the politically sensitive major questions doctrine reserved for Congress.

Conflict with State Public Health Reporting

By requiring entities to assess the legality of reproductive care before disclosure, the rule conflicted with state obligations—especially child-abuse reporting—and thus violated HIPAA's express protection for state public health law.

Unlawful Redefinition of Terms

The court held that HHS’s new definitions of person and public health exceeded its regulatory authority.

Compliance Implications for Covered Entities

Health care providers and organizations can expect the following compliance changes to their HIPAA regulations:

  • Attestation Requirement Eliminated. The mandate for written attestation from requestors of reproductive health-related PHI is no longer federally required.
  • Reproductive PHI Disclosures. Organizations can rely on pre-2024 HIPAA standards – or applicable state laws-when responding to subpoenas, law enforcement, or civil requests.
  • NPP Updates. Changes made to NPPs in February 2024 regarding substance use disorder remain mandatory, with the compliance deadline set for February 16, 2026.
  • Policy & Procedure Revisions. Policies, workforce training, business associate agreements (BAA), and operational processes adjusted for the 2024 rule should be reversed-except for SUD-related provisions.

Compliance Recommendations

Respond to this new mandate effectively by implementing the following action items:

  • Policy Review. Reverse changes made to comply with the reproductive health rule. Remove attestation workflow and decision trees tied to it.
  • Training Programs. Update materials and conduct staff training to reflect pre-2024 HIPAA standards. Remove any references to the attestation requirement.
  • NPP Management. Retain or implement SUD-related NPP revisions. Monitor HHS for a revised model NPP ahead of 2026.
  • State Law Monitoring. Closely track state-level privacy reforms—some states may adopt independent reproductive health data protections.
  • HHS Monitoring. Expect a possible 60-day appeal window. HHS is evaluating next steps.

Next Steps

Although the most controversial provisions were vacated, the baseline HIPAA Privacy Rule remains intact. Compliance leaders must:

  • Handle PHI—including reproductive and gender-affirming care data—under longstanding HIPAA guidelines.
  • Incorporate New NPP Requirements by updating regulations, including any new disclosures or restrictions on the use and sharing of SUD treatment information.
  • Be alert to new Office for Civil Rights (OCR) priorities, including security risk analysis, patient access enforcement, and future cybersecurity updates.
  • Align policies with both federal and relevant state-level legal requirements.

The June 18 ruling clarifies federal boundaries, removing heightened reproductive health protections from HIPAA but introduces a renewed emphasis on state compliance and reinforced baseline HIPAA rigor.

For compliance teams, the task ahead involves:

  • Reversal of 2024 reproductive protections
  • Retention of substance use disorder transparency measures
  • Proactive monitoring of appeals and state legislation
  • Continuous strengthening of privacy programs in line with evolving OCR focus areas
  • Schedule a risk assessment to determine potential exposure

We’re Here to Help

To learn more about the new ruling, how it impacts your HIPAA compliance, and how to best respond to the new requirements, contact your firm professional.

Additional Resources

Ask a Question

The material appearing in this communication is for informational purposes only and should not be construed as advice of any kind, including legal, accounting, tax, or investment advice. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials have been prepared by professionals, the user should not substitute these materials for professional services, and should seek advice from an independent advisor before acting on any information presented. Changes in tax laws or other factors could affect the information provided in this communication.

Related Topics

Alert
Medicare Tightens Coverage for Skin Substitutes
Prepare for Medicare’s changes to skin substitutes with insights into key changes and actionable steps.
Alert
Alert
Health Care Ethical Boundaries in AI
As AI reshapes health care, see key considerations for implementing it ethically and maintaining regulatory compliance.
Alert
Article
Enhance Efficiency to Protect Data
Health care organizations can leverage System and Organization Controls (SOC), HIPAA, and HITRUST frameworks to maintain security and compliance.
Article
Alert
Proposed Rule to Enhance ePHI Cybersecurity
Learn how a proposed HIPAA rule strengthens protections for electronic protected health information (ePHI).
Alert
View More

Contact Us with Questions

Baker Tilly US, LLP, Baker Tilly Advisory Group, LP and Moss Adams LLP and their affiliated entities operate under an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. Baker Tilly Advisory Group, LP and its subsidiaries, and Baker Tilly US, LLP and its affiliated entities, trading as Baker Tilly, are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP and Moss Adams LLP are licensed CPA firms that provide assurance services to their clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. ISO certification services offered through Moss Adams Certifications LLC. Investment advisory offered through either Moss Adams Wealth Advisors LLC or Baker Tilly Wealth Management, LLC.