Texas Attorney General Ken Paxton has initiated a lawsuit against the Department of Health and Human Services (HHS), its Secretary Xavier Becerra, and Director Melanie Fontes Rainer of the Office for Civil Rights (OCR). The lawsuit challenges the long-standing HIPAA Privacy Rule and the 2024 HHS final rule concerning reproductive healthcare privacy. Paxton contends that both rules are unlawful and must be withdrawn.
In April 2024, HHS introduced the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, designed to reinforce protections under the Health Insurance Portability and Accountability Act (HIPAA) for individuals seeking legally provided reproductive healthcare. This move came in response to the Supreme Court’s decision to overturn Roe v. Wade, a ruling that had, for nearly 50 years, established a federal right to abortion. Following the 2022 ruling, the legality of abortion was left to individual states, with 22 US states, including Texas, enacting strict abortion bans or restrictions. In Texas, abortion is banned in most cases, and private citizens are allowed to sue those who help people get an abortion after six weeks of pregnancy.
Because of these legal prohibitions, some women and children were compelled to travel to another state for abortion services. While obtaining these procedures legally in other states is possible, it poses legal risks for residents of states with strict abortion laws, such as Texas. State authorities may opt to prosecute people who seek out-of-state abortions or those who help them.
The 2024 HHS final rule was implemented to safeguard the privacy of individuals seeking reproductive healthcare in states where the procedure is legal. It prevents the use or disclosure of protected health information (PHI) when such information is to be used for imposing legal liability on individuals, healthcare organizations, or others involved in facilitating lawful reproductive healthcare. HIPAA-covered entities are now required to acquire a signed attestation ensuring that any requests for PHI related to reproductive healthcare are not intended for restricted reasons before giving the information.
Paxton’s lawsuit challenges the particular HIPAA Privacy Rule that limits disclosures to state investigators and its 2024 update. The complaint centers on a specific section of the 2000 HIPAA Privacy Rule, 45 C.F.R. § 164.512(f)(1)(ii)(C), which restricts the disclosure of PHI in response to state subpoenas unless three conditions are met: the information must be relevant and material to an inquiry of legitimate law enforcement, the request must be specific and restricted in scope, and de-identified data cannot reasonably be used. The lawsuit argues that the HIPAA statute did not explicitly authorize these limitations and that the HHS overstepped its regulatory authority by imposing them.
The lawsuit also takes issue with the 2024 Final rule, which Paxton claims was specifically designed to prohibit states from obtaining reproductive healthcare-related information in cases where state laws on abortion and other medical procedures are in effect. The suit contends that the final rule violates the Administrative Procedure Act (APA) rule, which regulates how government agencies create and enforce regulations.
Paxton argues that these rules hinder Texas’ ability to investigate medical procedures, including abortions, and seeks to have both the 2000 and 2024 rules vacated and unenforceable. According to Paxton, the final rules undermine Texas’ law enforcement powers and contradict the original intent of Congress when HIPAA compliance was enacted.
The potential impact of this lawsuit could extend beyond reproductive healthcare. If successful, it may weaken broader patient privacy protections under HIPAA. This has raised concerns among privacy advocates and states that have chosen to preserve reproductive healthcare rights. States like Illinois, which have passed shield laws to protect patients and providers from out-of-state investigations, are particularly alarmed by the implications of Paxton’s legal challenge.
Illinois Attorney General Kwame Raoul condemned the lawsuit, calling it a direct attack on medical privacy and a threat to patients seeking reproductive or gender-affirming healthcare. Raoul vowed to protect the privacy of healthcare records, ensuring that they cannot be used to punish those seeking lawful medical care. Raoul emphasized that every person, regardless of location, deserves the right to keep their medical information confidential.