HIPAA Attestation Requirement: Do You Need One and What It Should Include

Overview of HIPAA Attestation Requirement

The HIPAA attestation requirement originated in HHS’s 2024 HIPAA Privacy Rule amendments supporting reproductive health care privacy. It required a signed, stand‑alone statement from a requester affirming that any use or disclosure of Protected Health Information (PHI) was not for a prohibited purpose tied to reproductive health investigations. The rule targeted specific disclosure pathways to reduce misuse of PHI. ([nixonpeabody.com](https://www.nixonpeabody.com/insights/alerts/2024/04/24/hipaa-privacy-rule-to-support-reproductive-health-care-privacy?utm_source=openai))

When the attestation applied (under the now‑vacated rule)

• Health Oversight Activities.
• Judicial and Administrative Proceedings.
• Law Enforcement Purposes.
• Disclosures to Coroners and Medical Examiners.

These were the four situations in which a covered entity or business associate would have needed a signed attestation if a request could involve reproductive health information. ([wtwco.com](https://www.wtwco.com/en-us/insights/2024/05/hipaa-rule-strengthens-privacy-protections-for-reproductive-care?utm_source=openai))

What a compliant attestation was expected to include

• A clear representation that the PHI would not be used or disclosed for a prohibited purpose related to reproductive health care.
• Identification of the requester and purpose, a description of the requested PHI, and an acknowledgment of potential criminal penalties for falsification.
• Signature and date, presented as a stand‑alone document (not bundled with subpoenas or other forms). ([nixonpeabody.com](https://www.nixonpeabody.com/insights/alerts/2024/04/24/hipaa-privacy-rule-to-support-reproductive-health-care-privacy?utm_source=openai))

Important: As explained below, the federal attestation requirement was later vacated and is not currently enforceable. ([dwt.com](https://www.dwt.com/blogs/privacy--security-law-blog/2025/06/hipaa-reproductive-care-privacy-rule-texas-court?utm_source=openai))

Impact of Legal Decisions on Attestation

The 2024 HIPAA Privacy Rule amendments were published on April 26, 2024, became effective June 25, 2024, and had a general compliance date of December 23, 2024. ([dlapiper.com](https://www.dlapiper.com/en/insights/publications/2024/05/ocr-finalizes-hipaa-privacy-rule-to-support-reproductive-healthcare-privacy?utm_source=openai))

On June 18, 2025, in Purl v. U.S. Department of Health and Human Services, the U.S. District Court for the Northern District of Texas vacated most of the 2024 amendments, eliminating the federal attestation requirement. The court left certain Notice of Privacy Practices (NPP) modifications intact. ([dwt.com](https://www.dwt.com/blogs/privacy--security-law-blog/2025/06/hipaa-reproductive-care-privacy-rule-texas-court?utm_source=openai))

On September 10, 2025, the Fifth Circuit dismissed appeals related to the case, so the vacatur remains in effect nationwide. As of February 19, 2026, covered entities and business associates do not need to obtain HIPAA attestations for PHI disclosures. ([americanhealthlaw.org](https://www.americanhealthlaw.org/content-library/publications/bulletins/3a332983-d12f-4f92-80f2-8d4e1f76ba7a/Appeals-Closed-HIPAA-Reproductive-Health-Care-Priv?utm_source=openai))

In practice, organizations should revert to the pre‑2024 HIPAA framework for disclosures, ensuring that any use or disclosure fits within an existing HIPAA permission and other applicable law. ([bassberry.com](https://www.bassberry.com/news/court-vacates-hipaa-2024-final-rule-reproductive-health-care-privacy/?utm_source=openai))

Compliance Obligations for Covered Entities

With the attestation requirement vacated, Covered Entities Compliance centers on the longstanding HIPAA Privacy Rule permissions and conditions. You should verify that each use or disclosure is permitted (for example, required by law, for law enforcement with appropriate process, for judicial or administrative proceedings with valid legal authority) and apply the minimum necessary standard where applicable. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))

Update internal policies and training to remove attestation‑specific steps introduced in 2024, re‑align workflows to pre‑2024 HIPAA permissions, and ensure documentation supports each disclosure decision. Where state law is more protective, you must meet that higher bar in addition to HIPAA’s baseline.

Revisions to Notices of Privacy Practices

The Purl decision vacated only certain NPP subsections, specifically 45 C.F.R. 164.520(b)(1)(ii)(F)–(H). Other NPP amendments survived and remain in effect, with a compliance deadline of February 16, 2026—principally to align HIPAA NPPs with the confidentiality requirements for substance use disorder records under 42 C.F.R. Part 2. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))

Practically, you should ensure your NPP reflects the surviving HIPAA Privacy Rule Amendments, including the Part 2 integration, by the February 16, 2026 deadline. If you previously added reproductive‑health‑specific language tied to the 2024 rule, that content is no longer required at the federal level. ([dlapiper.com](https://www.dlapiper.com/en/insights/publications/2024/05/ocr-finalizes-hipaa-privacy-rule-to-support-reproductive-healthcare-privacy?utm_source=openai))

Protections for Reproductive Health Information

Reproductive Health Data Privacy remains protected by HIPAA’s baseline rules: PHI can be used or disclosed only as permitted by the Privacy Rule (for example, treatment, payment, health care operations, or where another specific permission applies). The special restrictions and attestation steps created by the 2024 rule were vacated and are not in force. ([bassberry.com](https://www.bassberry.com/news/court-vacates-hipaa-2024-final-rule-reproductive-health-care-privacy/?utm_source=openai))

State laws may impose additional limits or create enhanced protections for reproductive health information. Build processes that screen for stricter state requirements before responding to requests.

Role of Business Associates

Business associates must continue to safeguard PHI under HIPAA and their Business Associate Agreements (BAAs). They are no longer required to collect or rely on HIPAA attestations related to reproductive health care, but they must ensure each use or disclosure is authorized by their BAA and HIPAA and meets minimum necessary where applicable. ([dwt.com](https://www.dwt.com/blogs/privacy--security-law-blog/2025/06/hipaa-reproductive-care-privacy-rule-texas-court?utm_source=openai))

Covered entities should confirm BAAs reflect current obligations, remove references to the vacated attestation process, and reinforce escalation paths for atypical or multi‑jurisdictional requests.

Managing Disclosures of PHI

Law enforcement purposes

Confirm a valid HIPAA permission (for example, a court order, subpoena with required assurances, or a disclosure expressly required by law), limit the PHI to what is legally authorized, and document your response. No HIPAA attestation is currently required. ([dwt.com](https://www.dwt.com/blogs/privacy--security-law-blog/2025/06/hipaa-reproductive-care-privacy-rule-texas-court?utm_source=openai))

Judicial and administrative proceedings

Validate the legal authority (such as a court order or proper administrative demand), disclose only what the order requires, and maintain records of the disclosure decision. The prior attestation step no longer applies. ([wtwco.com](https://www.wtwco.com/en-us/insights/2024/05/hipaa-rule-strengthens-privacy-protections-for-reproductive-care?utm_source=openai))

Health oversight activities

Ensure the request fits an oversight purpose permitted by HIPAA and any other applicable law, and release only the minimum necessary PHI. Attestations tied to reproductive health care are not required under current federal HIPAA rules. ([wtwco.com](https://www.wtwco.com/en-us/insights/2024/05/hipaa-rule-strengthens-privacy-protections-for-reproductive-care?utm_source=openai))

Coroners and medical examiners

Disclosures to coroners or medical examiners remain permitted for identifying a deceased person or determining cause of death, consistent with HIPAA and other law. No federal HIPAA attestation is required following the 2025 vacatur. ([wtwco.com](https://www.wtwco.com/en-us/insights/2024/05/hipaa-rule-strengthens-privacy-protections-for-reproductive-care?utm_source=openai))

FAQs

What is the HIPAA attestation requirement?

It was a 2024 HIPAA Privacy Rule amendment that required requesters of PHI potentially related to reproductive health care to sign a stand‑alone statement affirming the request was not for a prohibited purpose. It applied to health oversight activities, judicial/administrative proceedings, law enforcement purposes, and disclosures to coroners/medical examiners. ([nixonpeabody.com](https://www.nixonpeabody.com/insights/alerts/2024/04/24/hipaa-privacy-rule-to-support-reproductive-health-care-privacy?utm_source=openai))

How did the Purl v. HHS decision affect HIPAA attestation rules?

On June 18, 2025, the Northern District of Texas vacated most of the 2024 HIPAA Privacy Rule amendments, eliminating the federal attestation requirement. Appeals were dismissed on September 10, 2025, so the vacatur remains in effect nationwide as of February 19, 2026. ([dwt.com](https://www.dwt.com/blogs/privacy--security-law-blog/2025/06/hipaa-reproductive-care-privacy-rule-texas-court?utm_source=openai))

Are covered entities still required to update their Notices of Privacy Practices?

Yes. Although reproductive‑health‑specific NPP provisions were vacated, other NPP amendments survived. Covered entities must comply with the remaining NPP modifications—principally aligning with 42 C.F.R. Part 2—by February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))

What disclosures of PHI are affected by the removal of the attestation requirement?

The attestation no longer applies to requests in four areas previously covered by the 2024 rule: health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. Disclosures in these categories must still independently satisfy HIPAA’s longstanding permissions and conditions. ([wtwco.com](https://www.wtwco.com/en-us/insights/2024/05/hipaa-rule-strengthens-privacy-protections-for-reproductive-care?utm_source=openai))