The US District Court for the Northern District of Texas issued a nationwide order vacating the Health Insurance Portability And Accountability (HIPAA) Privacy Rule to Support Reproductive Health Care Privacy on June 18, 2025. Only the enhanced Notice of Privacy Practices (NPP) requirement for substance use disorder (SUD) patient records remains in place.
This decision significantly changes the HIPAA landscape by eliminating compliance obligations related to reproductive health, such as policies, procedures, attestation forms, and training. However, health care providers and organizations must continue to comply with HIPAA's Privacy Rule regarding the privacy of protected health information (PHI) and heed state laws that may provide enhanced privacy for this specific category of health information.
Explore the ruling’s key highlights, its compliance implications, and what to expect next with the following insights.
Although made at the district level, the ruling has an immediate nationwide effect based on the following reasons:
The court found Health and Human Services (HHS) lacked explicit Congressional authorization to create special reproductive health data protections—this fell under the politically sensitive major questions doctrine reserved for Congress.
By requiring entities to assess the legality of reproductive care before disclosure, the rule conflicted with state obligations—especially child-abuse reporting—and thus violated HIPAA's express protection for state public health law.
The court held that HHS’s new definitions of person and public health exceeded its regulatory authority.
Health care providers and organizations can expect the following compliance changes to their HIPAA regulations:
Respond to this new mandate effectively by implementing the following action items:
Although the most controversial provisions were vacated, the baseline HIPAA Privacy Rule remains intact. Compliance leaders must:
The June 18 ruling clarifies federal boundaries, removing heightened reproductive health protections from HIPAA but introduces a renewed emphasis on state compliance and reinforced baseline HIPAA rigor.
For compliance teams, the task ahead involves:
To learn more about the new ruling, how it impacts your HIPAA compliance, and how to best respond to the new requirements, contact your firm professional.
Baker Tilly US, LLP, Baker Tilly Advisory Group, LP and Moss Adams LLP and their affiliated entities operate under an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. Baker Tilly Advisory Group, LP and its subsidiaries, and Baker Tilly US, LLP and its affiliated entities, trading as Baker Tilly, are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP and Moss Adams LLP are licensed CPA firms that provide assurance services to their clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. ISO certification services offered through Moss Adams Certifications LLC. Investment advisory offered through either Moss Adams Wealth Advisors LLC or Baker Tilly Wealth Management, LLC.