Reproductive Health Privacy Rule Lawsuit May Signal Shift in Balance of Power

By: Andrew Mahler, JD, CIPP/US, AI Governance Professional (AIGP), CHC, CHPC, CHRC
Vice President, Consulting Services, Privacy & Compliance

On September 4, 2024, the State of Texas filed a lawsuit in the U.S. District Court, Northern District of Texas, against the U.S. Department of Health and Human Services (HHS), challenging both the HIPAA Final Rule to Support Reproductive Health Care Privacy (issued April 22, 2024) and the HIPAA Privacy Rule (issued December 28, 2000). While Texas takes primary aim at the HIPAA Final Rule to Support Reproductive Health Care Privacy, it goes further by asking the Court to vacate and set aside both the 2000 Privacy Rule and the 2024 Privacy Rule and permanently enjoin HHS from enforcing the Rules. Notably, the lawsuit was filed in the Northern District of Texas, which recently vacated the HHS/OCR Bulletin on the Use of Online Tracking Technologies.

Texas argues that the Privacy Rule and the 2024 Privacy Rule violate the Administrative Procedure Act as contrary to the HIPAA statute and exceeding the authority granted by Congress. The lawsuit asserts that HHS “promulgated the 2024 Privacy Rule to obstruct states’ ability to enforce their own laws on abortion and other matters that HHS categorizes as ‘reproductive health care;” citing to “at least one instance” involving a covered entity in Texas that has cited the 2024 Privacy Rule as a reason for not complying with a subpoena.

The case could have significant implications for the balance of power between federal health privacy regulations and states’ authority to investigate potential legal violations, particularly in the context of reproductive health care. The outcome is likely to be closely watched by other states, healthcare providers, and privacy advocates nationwide, as it may set a precedent for future challenges to federal regulations that limit state investigative powers.

Reach out to Andrew with your comments and questions at andrew.mahler@clearwatersecurity.com.

Newsletter

Sign up for our monthly newsletter discussing hot topics and access to invaluable resources.


Related Blogs

Navigating the HIPAA Privacy Rule for Reproductive Healthcare: Compliance Essentials Before the December 2024 Deadline

Navigating the HIPAA Privacy Rule for Reproductive Healthcare: Compliance Essentials Before the December 2024 Deadline

In an era where the privacy of reproductive healthcare has become a topic for debate, healthcare organizations face growing fears and challenges over the potential misuse of sensitive patient data. Recent legal developments, coupled with the shifts following the Dobbs v. Jackson decision, have shown the urgent need for robust safeguards. Notably, the December 23, 2024 compliance deadline for the HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy offers a pivotal moment to address these concerns.
The Health Care Cybersecurity and Resiliency Act of 2024: Key Takeaways and Implications

The Health Care Cybersecurity and Resiliency Act of 2024: Key Takeaways and Implications

The Cybersecurity and Resiliency Act (HCCRA) of 2024 is yet another proposed bill aimed at strengthening the healthcare sector’s cybersecurity posture and resilience. It focuses on improving coordination between government organizations, updating cybersecurity standards, increasing breach reporting requirements, and providing grants to rural healthcare organizations that lack both financial and human resources needed to address growing cybersecurity vulnerabilities and increasing threats.

Connect
With Us