
On June 18, 2025, the U.S. District Court for the Northern District of Texas, in Purl v. United States Department of Health and Human Services, issued a nationwide injunction striking down nearly all parts of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy. This rule, which took effect in June 2024, had required healthcare providers, health plans, and their business associates to obtain a signed attestation before disclosing protected health information (PHI) potentially related to lawful reproductive healthcare, covering areas such as abortion, contraception, IVF, gender-affirming care, STD screenings, and maternity services.

Purl v. HHS: What Happened?

In Purl, the court ruled that the United States Department of Health and Human Services exceeded its statutory authority under HIPAA and the Administrative Procedure Act (APA).

Specifically, the court found:

  • The attestation requirement improperly restricted lawful disclosures permitted under HIPAA.
  • HHS failed to adequately consider the impact on state laws, including mandatory reporting of suspected abuse and criminal investigations.
  • The rule created unworkable burdens on covered entities and law enforcement without sufficient justification.

As a result, the attestation requirement and related restrictions on PHI disclosures for reproductive health purposes have been vacated nationwide.

“The Final Rule impermissibly rewrites the balance Congress struck in HIPAA between patient privacy and public interest.”  ~ Excerpt from the Purl decision.

What the Vacated Rule Means

The attestation is no longer required for protected health information requests tied to reproductive health, including health oversight, judicial/administrative proceedings, law enforcement, or disclosures to coroners and medical examiners. HIPAA’s core privacy protections remain intact, and covered entities still must safeguard protected health information and honor all existing HIPAA privacy rule provisions. In the ruling, the court identified statutory overreach, stating the Department of Health and Human Services exceeded its authority and impermissibly limited state reporting obligations.

What Providers Must Do Now

Providers must now retire attestation forms and eliminate related procedures tied to reproductive health protected health information. Furthermore, they must revert policy manuals, workflows, best practices, training, and business associate agreements that were updated to support the now-defunct rule. Providers are also urged to continue monitoring developments, as this vacatur may be challenged or altered upon appeal.

Your Policy Update (What This Means for Attestation Letters) — Now Live!

In light of these changes, LCS Record Retrieval has updated its HIPAA compliance policy:

  • No longer required: The court struck down parts of an HHS rule that previously required HIPAA-covered organizations to get a signed attestation before releasing PHI potentially connected to reproductive health services.
  • Removed compliance duties: As a result, healthcare entities regulated by HIPAA are no longer obligated to follow the procedures that involved collecting and verifying these attestation forms.
  • Not needed for certain requests: In scenarios where an attestation used to be mandatory—such as oversight investigations, legal proceedings, or law enforcement inquiries—those attestations are now unnecessary.

In short, the Purl decision ends the requirement for attestation letters when accessing certain reproductive health-related information. This policy update ensures your organization stays aligned with current federal guidance while maintaining trust and compliance.

Summary

Though the Reproductive Health Rule and its attestation requirement have been vacated, HIPAA’s foundational privacy standards persist. Providers and business associates should focus on:

  • Undoing attestation/formal protocols tied to reproductive health.
  • Staying vigilant—legal challenges or reinstatements remain a possibility.

At Legal Copy Services, we’re here to guide you through these changes—visit our updated HIPAA solution page to learn how we can help ensure your compliance remains current and robust.