Texas District Court Vacates 2024 HIPAA Rule Designed to Enhance Reproductive Healthcare Privacy, Effective Nationwide

On June 18, 2025, the United States District Court for the Northern District of Texas vacated most of the rules designed to enhance reproductive healthcare privacy promulgated by the U.S. Department of Health and Human Services (HHS) in 2024. More specifically, the court ruled in Purl v. United States Department of Health and Human Services et al., No. 2:2024cv00228 (N.D. Tex. 2025) (the Decision) that the “Health Insurance Portability and Accountability Act Privacy Rule to Support Reproductive Health Care Privacy” (the “2024 HIPAA Rule”) is contrary to law because it unlawfully limits state public health laws; impermissibly redefines certain terms in contravention of federal law and in excess of statutory authority; and exceeds HHS’s authority. Regulations promulgated under HIPAA prior to the 2024 HIPAA Rule remain unchanged.
HHS-OCR Announces Proposed Modifications to the HIPAA Security Rule



Overview
The U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) has announced proposed modifications to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (the Proposed Rule). The Proposed Rule was published in the Federal Register for comment on January 6, 2025. It aims to strengthen the security and privacy of electronic protected health information (ePHI) in response to the evolving threat landscape and emerging technological challenges. If finalized as proposed, the Proposed Rule will have significant implications for healthcare organizations, their business associates, and other entities subject to HIPAA compliance requirements (the “regulated entities”). This alert represents the first in a multipart series outlining the most pertinent of the proposed rules and the potential implications for regulated entities.
Texas District Court Vacates OCR’s HIPAA Bulletin on Online Tracking Technologies, But Issues Mixed Decision




On June 20, 2024, the United States District Court for the Northern District of Texas ordered the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) to vacate its guidance that had restricted HIPAA-covered entities’ use of third-party online tracking technologies, such as common website advertising and analytics tools. In vacating the guidance, the court held that the agency exceeded its authority by redefining what is considered protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While this order is a defeat for OCR’s guidance on online tracking technologies, regulated companies should react cautiously. The order could be appealed and potentially reversed, OCR could still bring enforcement actions in other circuits advancing its interpretation of PHI, and the Federal Trade Commission’s (FTC’s) laws and state privacy laws could still apply.
OCR at HHS Updates Guidance on Use of Online Tracking Technology by HIPAA-Regulated Entities




On March 18, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) updated its guidance on the use of online tracking technology by covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates (together, “regulated entities”). While the updated guidance from OCR seems intended to clarify, and even narrow, the circumstances under which regulated entities’ use of websites and mobile app tracking technologies constitutes a disclosure of Protected Health Information (PHI), it fails to provide clarity on the exact scope, rendering compliance challenging. We summarize the updates to the guidance below and analyze briefly how these updates may impact the use of tracking technologies on unauthenticated and authenticated webpages, and what companies may explore in terms of compliance.
FTC Announces Proposed Amendments to the Health Breach Notification Rule




On May 18, 2023, the Federal Trade Commission (FTC) announced a number of proposed amendments to the Health Breach Notification Rule (the Rule), the latest in a series of actions taken by the agency to…
HHS Proposes Purpose Limitation on Disclosures of PHI Related to Reproductive Health


On April 12, 2023, the Biden administration announced a notice of proposed rulemaking (NPRM) from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the agency responsible for enforcing the Health…
HHS Brings Landmark HIPAA Enforcement Action Against a Business Associate for Alleged Data Security Failures


On June 29, 2016, the U.S. Department of Health and Human Services (HHS) announced a Resolution Agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), settling charges that CHCS failed to comply…