Reproductive Health Privacy Rule Lawsuit May Signal Shift in Balance of Power

By: Andrew Mahler, JD, CIPP/US, AI Governance Professional (AIGP), CHC, CHPC, CHRC
Vice President, Consulting Services, Privacy & Compliance

On September 4, 2024, the State of Texas filed a lawsuit in the U.S. District Court, Northern District of Texas, against the U.S. Department of Health and Human Services (HHS), challenging both the HIPAA Final Rule to Support Reproductive Health Care Privacy (issued April 22, 2024) and the HIPAA Privacy Rule (issued December 28, 2000). While Texas takes primary aim at the HIPAA Final Rule to Support Reproductive Health Care Privacy, it goes further by asking the Court to vacate and set aside both the 2000 Privacy Rule and the 2024 Privacy Rule and permanently enjoin HHS from enforcing the Rules. Notably, the lawsuit was filed in the Northern District of Texas, which recently vacated the HHS/OCR Bulletin on the Use of Online Tracking Technologies.

Texas argues that the Privacy Rule and the 2024 Privacy Rule violate the Administrative Procedure Act as contrary to the HIPAA statute and exceeding the authority granted by Congress. The lawsuit asserts that HHS “promulgated the 2024 Privacy Rule to obstruct states’ ability to enforce their own laws on abortion and other matters that HHS categorizes as ‘reproductive health care;” citing to “at least one instance” involving a covered entity in Texas that has cited the 2024 Privacy Rule as a reason for not complying with a subpoena.

The case could have significant implications for the balance of power between federal health privacy regulations and states’ authority to investigate potential legal violations, particularly in the context of reproductive health care. The outcome is likely to be closely watched by other states, healthcare providers, and privacy advocates nationwide, as it may set a precedent for future challenges to federal regulations that limit state investigative powers.

Reach out to Andrew with your comments and questions at andrew.mahler@clearwatersecurity.com.

Newsletter

Sign up for our monthly newsletter discussing hot topics and access to invaluable resources.


Related Blogs

Perspective on the Proposed Health Infrastructure Security and Accountability Act

Perspective on the Proposed Health Infrastructure Security and Accountability Act

The Health Infrastructure Security and Accountability Act (HISAA) introduced in the U.S. Senate on September 26 is another good step forward in addressing key factors contributing to the healthcare sector’s deficiency in establishing and maintaining adequate cybersecurity controls and risk management programs. While there are many in the sector that are already implementing recognized standards, having mandated standards would help to make sure everyone is playing by the same rules.

Connect
With Us