By: Andrew Mahler, JD, CIPP/US, AI Governance Professional (AIGP), CHC, CHPC, CHRC
Vice President, Consulting Services, Privacy & Compliance
On September 4, 2024, the State of Texas filed a lawsuit in the U.S. District Court, Northern District of Texas, against the U.S. Department of Health and Human Services (HHS), challenging both the HIPAA Final Rule to Support Reproductive Health Care Privacy (issued April 22, 2024) and the HIPAA Privacy Rule (issued December 28, 2000). While Texas takes primary aim at the HIPAA Final Rule to Support Reproductive Health Care Privacy, it goes further by asking the Court to vacate and set aside both the 2000 Privacy Rule and the 2024 Privacy Rule and permanently enjoin HHS from enforcing the Rules. Notably, the lawsuit was filed in the Northern District of Texas, which recently vacated the HHS/OCR Bulletin on the Use of Online Tracking Technologies.
Texas argues that the Privacy Rule and the 2024 Privacy Rule violate the Administrative Procedure Act as contrary to the HIPAA statute and exceeding the authority granted by Congress. The lawsuit asserts that HHS “promulgated the 2024 Privacy Rule to obstruct states’ ability to enforce their own laws on abortion and other matters that HHS categorizes as ‘reproductive health care;” citing to “at least one instance” involving a covered entity in Texas that has cited the 2024 Privacy Rule as a reason for not complying with a subpoena.
The case could have significant implications for the balance of power between federal health privacy regulations and states’ authority to investigate potential legal violations, particularly in the context of reproductive health care. The outcome is likely to be closely watched by other states, healthcare providers, and privacy advocates nationwide, as it may set a precedent for future challenges to federal regulations that limit state investigative powers.
Reach out to Andrew with your comments and questions at andrew.mahler@clearwatersecurity.com.
