Categories: ERISA, Roe to Dobbs
,

In a June 2025 decision in Purl v. United States Department of Health and Human Services, the United States District Court for the Northern District of Texas vacated the 2024 HIPAA reproductive health rule (the “Rule”), which the US Department of Health and Human Services (HHS) issued to limit how reproductive health care information could be disclosed by HIPAA regulated entities (e.g., Covered Entities and business associates), as we wrote about here and here.

Now, HHS has let the August 18, 2025 appeal deadline pass without challenging the Purl decision.

HHS’s decision not to appeal Purl, however, does not relieve HIPAA regulated entities from their obligations to protect reproductive health care information. HIPAA regulated entities must still ensure that their existing HIPAA policies and procedures adequately protect PHI, including reproductive health care information, even though the protections that were in the Rule are now defunct. 

Privacy Obligations for Reproductive Health Information Live On, Even after Purl.

In the wake of the U.S. Supreme Court's decision in Dobbs v. Jackson Women's Health Organization, many employers enhanced the health benefits they were offering and expanded the benefits related to reproductive health care, even offering other benefits (e.g., travel benefits). The more robust the benefits became, the more employees used those benefits. This led to increased generation and gathering of information about reproductive health care for which employer group health plans were responsible, prompting many employers to realize that there could be a “treasure trove” of sensitive information that needed protection.

Many employers took steps to update their HIPAA policies and procedures by revising plan documents, adopting attestation forms, modifying business associate agreements, adding a “protecting reproductive health care information” slide to training materials, updating privacy notices and/or working with insurers and third-party administrators to develop procedures for determining when disclosures could or should be made and how to obtain attestations for disclosures.  The Rule prohibited entities from using or disclosing “reproductive health care” information if that information would be used for investigating the provision of lawful reproductive health care.  As such, the Rule required that HIPAA regulated entities obtain pre-disclosure attestations in certain cases to confirm that the information would not be used or disclosed for a prohibited purpose.

Takeaways & Next Steps

Employers who have taken some or all of these steps should not consider them to have been made in vain. Individually identifiable reproductive health information is PHI within the meaning of HIPAA, and protecting it continues to be required, notwithstanding the Purl decision. It is true that some of the work will likely need to be revised, such as privacy notice updates that refer to the Rule, changes to business associate agreements referring to the Rule’s requirements, and processes developed specifically for implementing the Rule’s attestation requirements. 

Nonetheless, the Purl case can be credited with shining a bright light on the flexibility of HIPAA. Even without the Rule, HIPAA allows regulated entities to adapt its policies and procedures based on its unique circumstances, and to define the level of protection that is necessary depending on the various types of health information within its environment and under its control. In particular, regulated entities can and should conduct and keep a careful inventory of PHI, define categories of sensitive health information, work with third party administrators to ensure they are developing processes and procedures for maintaining confidentiality of PHI, and only permit disclosures, in a matter compliant with HIPAA and the Plan’s notice of privacy practices and in accordance with the Plan’s policies and procedures.

You can contact the authors or your EBG attorney to explore this subject or to ask any questions.


Read Our Full Series:
ERISA – You’ll Need a Lawyer for That.

Tags: Dobbs v. Jackson Women's Health Organization, ERISA – You’ll Need a Lawyer for That, Health Insurance Portability and Accountability Act (HIPAA), Reproductive Health
Back to Workforce Bulletin Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Workforce Bulletin posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.