Federal Register Notices on the HIPAA Privacy Rule: Summary, Impacts, Next Steps



Kevin Henry

HIPAA

February 12, 2025


HIPAA Privacy Rule Final Rule Overview

The 2024 HIPAA Privacy Rule to Support Reproductive Health Care Privacy (89 FR 32976, Apr. 26, 2024) created new limits on using or disclosing protected health information for investigations or liability tied to lawful reproductive care. It added a presumption that such care was lawful and required signed attestations before certain disclosures. It also included targeted updates to the notice of privacy practices (NPP). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))

These changes were framed as within HHS’s statutory authority under HIPAA and designed to clarify when disclosures to oversight bodies, courts, law enforcement, and coroners require extra safeguards. The rule emphasized patient-provider confidentiality while preserving disclosures otherwise permitted by the Privacy Rule. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))

Court Decision Effects on HIPAA

On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated most of the 2024 Privacy Rule nationwide, holding HHS exceeded its statutory authority. The decision halted the reproductive-health-specific prohibitions and the attestation requirement, returning those issues to pre-2024 HIPAA baselines pending further agency action. ([reuters.com](https://www.reuters.com/business/healthcare-pharmaceuticals/us-judge-invalidates-biden-rule-protecting-privacy-abortions-2025-06-18/?utm_source=openai))

The court also addressed NPP provisions: it vacated 45 CFR 164.520(b)(1)(ii)(F), (G), and (H), but left other NPP modifications intact. As a result, only the vacated NPP items are inoperative; remaining NPP changes still carry forward to compliance. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html?utm_source=openai))

Impact on Covered Entities

Covered entities and business associates should not implement the vacated prohibitions or the attestation workflow for reproductive health information. Standard HIPAA pathways for disclosures continue to govern, subject to state law and existing federal permissions. Maintain documentation to demonstrate regulatory compliance decisions post-vacatur. ([reuters.com](https://www.reuters.com/business/healthcare-pharmaceuticals/us-judge-invalidates-biden-rule-protecting-privacy-abortions-2025-06-18/?utm_source=openai))

Entities must still prepare for the surviving NPP updates. HHS states the remaining NPP modifications are due by February 16, 2026, so organizations should plan content, translation, posting, and distribution strategies now. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html?utm_source=openai))

HHS Response to Court Ruling

Following the ruling, HHS indicated it would review the decision and determine next steps. The agency’s statement confirms only the specified NPP items were vacated, while other NPP changes remain. Until new agency action issues, OCR continues enforcing the rest of HIPAA’s Privacy Rule. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))

By September 10, 2025, appeals related to the vacatur had been dismissed in the Fifth Circuit, leaving the nationwide vacatur in place. That posture effectively ends the 2024 reproductive-health-specific provisions absent new rulemaking. ([jdsupra.com](https://www.jdsupra.com/legalnews/appeals-dropped-of-decision-vacating-1372358/?utm_source=openai))


HIPAA Security Rule Proposed Updates

On January 6, 2025, HHS proposed the first major Security Rule overhaul since 2013. The NPRM would make all implementation specifications required (with narrow exceptions) and harden cybersecurity safeguards for electronic protected health information, including encryption at rest and in transit, mandatory multi-factor authentication, vulnerability scanning and annual penetration testing, network segmentation, and anti-malware baselines. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))

Operational proposals include technology asset inventories and ePHI data-flow mapping, more prescriptive risk analysis, a 72-hour restoration objective for critical systems, documented incident response testing, and annual compliance audits. Business associate oversight would tighten via annual verification and faster contingency notifications; group health plans would impose specified safeguards on plan sponsors. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))

Stakeholder Engagement and Comment Period

The NPRM opened a 60-day public comment window following Federal Register publication on January 6, 2025, with a dedicated Tribal consultation on February 6, 2025. HHS reported robust engagement, with thousands of comments informing potential revisions before any final rule. ([hklaw.com](https://www.hklaw.com/en/insights/publications/2025/01/proposed-hipaa-security-rule-shifts-warrant-study-and-comment?utm_source=openai))

While rulemaking proceeds, the current Security Rule remains in effect. Covered entities should continue risk-based programs and document cybersecurity safeguards consistent with HIPAA and industry practices. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))

Future Regulatory Developments

Expect further Federal Register notices addressing both the Privacy Rule fallout and the Security Rule modernization. In the near term, HHS may prioritize guidance clarifying post-vacatur obligations and, longer term, finalize Security Rule amendments after reviewing comments. Keep leadership briefed and align budgets for MFA, network segmentation, and other upgrades likely to be required. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))

Conclusion

In summary, the court vacated most of the 2024 reproductive-health Privacy Rule, but left certain NPP changes intact, while HHS pursues stronger cybersecurity safeguards through the Security Rule NPRM. To stay ahead, you should finalize NPP updates by the stated deadline, sustain HIPAA-compliant disclosure practices, and ready your cybersecurity program for prescriptive controls that reinforce regulatory compliance. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html?utm_source=openai))

FAQs

What provisions of the 2024 HIPAA Privacy Rule were vacated by the court?

The court vacated most reproductive-health-specific changes, including the prohibition on using or disclosing PHI to investigate or impose liability for lawful reproductive care and the signed attestation requirement. It also vacated NPP items at 45 CFR 164.520(b)(1)(ii)(F)–(H); other NPP modifications remain. ([reuters.com](https://www.reuters.com/business/healthcare-pharmaceuticals/us-judge-invalidates-biden-rule-protecting-privacy-abortions-2025-06-18/?utm_source=openai))

How does the court decision affect covered entities’ compliance obligations?

You do not need to implement the vacated prohibitions or attestation process. Continue applying the pre-2024 HIPAA framework for disclosures, and complete the remaining NPP modifications by the compliance date noted by HHS. State laws and other federal rules still apply. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html?utm_source=openai))

What are the key changes proposed in the HIPAA Security Rule update?

The NPRM would require encryption of ePHI at rest and in transit, multi-factor authentication, network segmentation, vulnerability scanning and annual pen tests, technology asset inventories and ePHI mapping, a 72-hour restoration objective, annual compliance audits, and tighter business associate verification and notifications. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))

When must covered entities implement remaining NPP modifications?

HHS states that compliance with the remaining NPP modifications is required by February 16, 2026. Plan content updates, patient communications, and operational rollouts to meet that date. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html?utm_source=openai))
