top of page
Search

Texas Drops Challenge to HIPAA Privacy Rule

  • Writer: Jessica Zeff
    Jessica Zeff
  • Jan 2
  • 2 min read

Late last year, Texas formally abandoned its federal lawsuit seeking to vacate the HIPAA Privacy Rule — including the full 2000 rule and recent 2024 amendments that attempted to strengthen protections around reproductive‑health data.


What Happened


  • The lawsuit was filed by the Texas Attorney General in 2024, arguing the rule (and the 2024 amendments) exceeded federal authority, especially in light of state-level investigations and enforcement interests.


  • On November 24, 2025, the court dismissed Texas’s case via a “joint stipulation of dismissal”—essentially ending the challenge without prejudice.


  • While a related 2025 court decision vacated the 2024 reproductive‑health privacy amendments, that decision did not strike down the original 2000 HIPAA Privacy Rule.


Why This Matters


  1. HIPAA Is Legally Resilient

    The challenge failed because courts — and even legal commentators — affirmed that the HIPAA framework is grounded in statutory authority.


  2. Regulatory Consistency Helps Providers Plan

    For covered entities, this outcome removes a major source of uncertainty. Organizations that built compliance, privacy, and security programs around HIPAA can continue operations without fear of a sudden legal void.


  3. State‑Federal Tension Remains a Compliance Stress Test

    Notwithstanding the dismissal, the litigation cycle demonstrates how state authorities may attempt to challenge federal privacy rules — especially when public policy issues (e.g., reproductive care) are involved. This underscores the need for providers to maintain robust compliance programs and legal vigilance.


  4. Don’t Rely on Rule Changes That Might Be Reversed

    Some covered entities rushed to update policies and practices to reflect the 2024 amendments to HIPAA. The fallback — now confirmed — illustrates the danger of overreacting to regulatory modifications before they become entrenched.


What Compliance Leaders Should Do Now


  • Maintain your HIPAA-based privacy and security programs — treat this as a reaffirmation of the baseline standard.


  • Update policies and procedures thoughtfully, avoiding overcorrection based on the 2024 amendments that were vacated.


  • Monitor state law changes. While HIPAA remains intact, state-level laws may introduce additional obligations — and states may try new challenges.


  • Document compliance efforts thoroughly. A strong audit trail, clear training, and consistent implementation signal good-faith adherence to HIPAA, even if legal uncertainties resurface.

 

Comments

bottom of page