Texas sues HHS over rule that limits access to reproductive health information by law enforcement

The state of Texas is suing the Department of Health and Human Services (HHS) in a Texas federal district court for a rule it finalized in April that gives healthcare organizations more discretion over sharing reproductive health information with law enforcement.

The final rule, the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, prohibits healthcare providers and health data holders covered by the Health Insurance Portability and Accountability Act (HIPAA) from using or disclosing a patient’s reproductive-health-related information to law enforcement when the information is obtained for the purpose of investigating or imposing liability on individuals or healthcare providers. Patients will be able to file a complaint with HHS’ Office for Civil Rights (OCR) if their reproductive health care information has been obtained unlawfully or used.

The rule protects the privacy of information on abortion, contraception and fertility treatments provided to Americans in states where the services are legal. It will also protect healthcare providers in abortion-restrictive states whose patients seek healthcare services out of state.

The Texas lawsuit, filed Sept. 4, says that in at least one instance, the rule has been used to block law enforcement’s access to reproductive health care information.

The state is seeking declaratory and injunctive relief against enforcement of two final rules: the HIPAA Privacy Rule to Support Reproductive Health Care Privacy rule and Standards for Privacy of Individually Identifiable Health Information. The rules are referred to as the 2024 HIPAA privacy and the 2000 HIPAA privacy rule, respectively.

The attorney general’s office argues that the Northern District of Texas court should vacate the 2024 HIPAA Privacy rule as well as the 2000 HIPAA privacy rule—both of which they say exceed statutory authority and are arbitrary and capricious.

Though the 2024 HIPAA privacy rule does not mention abortion, the complaint says the rule was expressly written to mitigate the effects of the Dobbs decision.

“HHS has promulgated the 2024 Privacy Rule in order to obstruct States’ ability to enforce their own laws on abortion and other laws that HHS deems to fall under the rubric of ‘reproductive health care,” the complaint alleges.

The council for the state of Texas claims in its lawsuit filed that the 2024 HIPAA privacy rule exceeds HHS’ statutory authority.

Chief among the state’s issues is the authority the rule gives healthcare organizations to decide whether reproductive health care services were administered legally, rather than law enforcement.

Moreover, the complaint says that the rule “presumes” that reproductive health care services were provided legally.

“In sum, the 2024 Privacy Rule restricts state officials and law enforcement from obtaining evidence of a crime or other potential violation of state law,” the complaint says.

Melanie Fontes-Rainer, the director of HHS' OCR, which promulgated the rule, said in an April press conference that the rule does presume legality for abortion care received across state lines. 

Fontes-Rainer said many commenters on the proposed rule urged for more protections for doctors when their patients travel out of state to receive reproductive health care services. Fontes-Rainer said the final rule “has a presumption of legality in those instances to help take some of the burden off providers and to make it more workable.”

“When a woman goes home, her medical records will be protected … for home providers who literally had nothing to do with the care she received in the first instance. They will be protected and they’ll be able to say, 'No, you cannot have this information,' and the provider in the state where she traveled will also be protected from folks reaching in to go after that type of medical care,” Fontes-Rainer said.

Rainer is being sued in her official capacity, along with HHS Secretary Xavier Becerra.

Texas is also suing HHS over “the portion of the 2000 Privacy Rule that purports to limit disclosures to State investigators.” It claims in the complaint that the provision has allowed HIPAA covered entities to evade valid subpoenas from law enforcement. In the 2000 rule, HHS created a three-part test to determine whether the government’s interest in health information was valid.

The lawsuit says HIPAA did not mention the creation of a three-part rule and that the 2000 HIPAA privacy final rule explicitly says that the three-part test was its own creation and not included in HIPAA.

“HHS has not and cannot point to any authority that allows it to promulgate the 2000 Privacy Rule or the 2024 Privacy Rule,” the complaint says.

The state of Texas argues that HIPAA preserves the right for law enforcement to use personal health information in criminal cases. Moreover, HIPAA does not grant HHS authority to change how states collect information, the complaint says.

“Despite Congress going out of its way to preserve State investigative authority in the HIPAA statute, HHS has sharply limited State investigative authority,” the state’s attorneys wrote.

The 2024 HIPAA privacy rule outlines the attestation requirements law enforcement needs to provide to healthcare organizations to access reproductive health care information. Texas argues that the attestation requirements in the rule are too restrictive and could be too easily dismissed by data-holding organizations.