HIPAA Reproductive Health Rule Vacated: What It Means for Self-Funded Employers

Federal HIPAA compliance has always been a top priority for self-funded employers. A recent ruling triggers important compliance implications.

Self-funded health plans now face fewer compliance requirements after a federal court rolled back the 2024 HIPAA Privacy Rule changes on reproductive health and protected health information (PHI).

A federal court in Texas has vacated the bulk of the HIPAA Reproductive Health Rule, removing newly added federal requirements for handling certain PHI while preserving all other HIPAA protections.

For self-funded employers, who act as HIPAA-covered entities, the June 2025 ruling simplifies your administrative processes and reduces your compliance workload, while leaving state-level obligations and other HIPAA protections intact. It’s important to fully understand what the HIPAA Reproductive Health Rule did, how the ruling impacts it, and what your next steps as a self-funded employer should be.

What Did the HIPAA Reproductive Health Rule Do?

The 2024 Reproductive Health Rule amended the HIPAA Privacy Rule to strengthen privacy protections for PHI related to reproductive healthcare, such as contraception or abortion.

Specifically, it:

  • Prohibited sharing health information about lawful reproductive care for use in legal cases or investigations.
  • Stated that reproductive care should be treated as legal by default, unless there is clear proof otherwise.
  • Required signed statements before reproductive health information could be shared in response to requests from lawyers, law enforcement, or government officials.
  • Required health plans to update their Notices of Privacy Practices (NPPs), explaining these new protections.

Because of these changes, many self-funded employers updated their policies, added new requirements for signed confirmations before sharing reproductive health information, and trained staff to ensure compliance with the expanded Privacy Rule.

What Does the Federal Court Ruling Mean?

On June 18, 2025, a federal court in Texas vacated the 2024 HIPAA Reproductive Health Rule amendments—except for provisions related to substance-use-disorder disclosures.

This means any policy updates or changes self-funded employers have made to their attestation procedures are no longer federally mandated. For many, this likely means a simpler PHI disclosure workflow.

However, there are a few important caveats.

NPPs May Need Another Review

Employers who revised their NPPs to include reproductive-healthcare protections should revisit and potentially retract those revisions. However, you should not remove updates regarding substance-use-disorder disclosures, as these requirements are still in place and must be implemented in NPPs by February 16, 2026.

State Laws Still Matter

As a self-funded employer, you are still subject to state laws. In states with stronger reproductive-health privacy laws, such as California, Colorado, Connecticut, Hawaii, and Illinois, employers will still need to comply with those laws, even though federal protections have changed.

More Legal Developments May Come

As the 2025 ruling demonstrates, laws are subject to change, and the Department of Health and Human Services (HHS) may appeal, revise, or issue new guidance in response to the federal court decision. Be sure to keep an eye on announcements from the Office for Civil Rights (OCR) or any relevant court updates.

Of course, all original HIPAA privacy protections remain in full force.

What Should Self-Funded Employers Do Next?

There are steps you, as a self-funded employer, can take to ensure you’re properly responding to the new legal and regulatory landscape. To navigate this, here is a recommended action plan:

  1. Update your policies. Remove the extra sign-off requirements for reproductive health information, but keep the substance-use-disorder updates in your privacy notices. This should be done as soon as possible.
  2. Share the new privacy notice with employees. Make sure staff receive the revised notice within 60 days of making those changes.
  3. Do a training refresh. Bring your HR, compliance teams, and TPAs up to speed on the new rules for handling this information as soon as you can.
  4. Check state legal requirements. Review employee locations and adjust policies to reflect the laws in each state.
  5. Monitor legal developments. Stay on top of any new guidance or updates that may come from the HHS.

What’s the Bottom Line for Self-Funded Employers?

Self-funded employers and other HIPAA-covered entities have a little more breathing room thanks to this court decision. Vacating the HIPAA Reproductive Health Rule reduces complexity, lightens federal HIPAA obligations, and lessens compliance concerns.

But core HIPAA protections still apply—as do state privacy laws and substance-use-disorder NPP updates.

At the end of the day, this is a chance for you to be proactive, clean up outdated reproductive-health procedures, confirm compliance across jurisdictions, and stay vigilant on evolving legal developments. This will ensure smooth navigation even as the regulatory landscape changes, keeping your health plans compliant and reliable for all members.

Healthgram can help you stay ahead of regulatory changes, ensuring your company stays confident and compliant in its self-funded approach. To learn more, reach out to a member of our team.

More Insights

Pack of pink pills in foil
September 23, 2024

Compliance Update: How Medicare Part D Changes Impact Employer Health Plans

Plan sponsors must re-evaluate whether their prescription drug coverage meets the “creditable coverage” criteria.
Read More
Compliance Image_horizontal flip
May 22, 2023

Compliance Update:
18-Month Review

Read More
Courthouse facade
June 27, 2022

Compliance Update

Transparency in Coverage & Machine-Readable Files, Forms 5500 and 5500-SF, Roe vs. Wade, and FAQs for Mental Health/FMLA.
Read More