States clash with HHS over new reproductive health privacy HIPAA rule
Kirsten Peremore Jan 25, 2025 5:26:13 PM
On January 22, 2025, Tennessee Attorney General Jonathan Skrmetti, joined by 14 other states, filed a lawsuit in the U.S. District Court for the Eastern District of Tennessee in Knoxville.
What happened
The lawsuit challenges the legality of the Department of Health and Human Services' (HHS) update to the HIPAA Privacy Rule, the Final Rule to Support Reproductive Health Care Privacy. The other states include Alabama, Arkansas, Georgia, Idaho, Indiana, Iowa, Louisiana, Montana, Nebraska, North Dakota, Ohio, South Carolina, South Dakota, and West Virginia.
The plaintiffs argue that the rule impedes state investigations into issues like Medicaid fraud, abuse, and health-related misconduct, with Skrmetti calling it “unlawful and impractical.” The lawsuit also names HHS Secretary Xavier Becerra as a defendant and claims violations of the Administrative Procedure Act (APA), asking the court to invalidate the rule. A parallel lawsuit was filed by Texas, challenging the rule independently.
The backstory
The HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy was enacted in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade and led to abortion bans and restrictions in 21 states.
Effective on June 25, 2024, and with compliance mandatory by December 23, 2024, the Final Rule requires HIPAA-regulated entities to obtain a signed attestation when disclosing protected health information (PHI) related to reproductive health care for specific purposes such as judicial proceedings, law enforcement, and health oversight.
What was said
According to the complaint, “By requiring state agencies to come forward with specific factual information before obtaining the requested records, the Final Rule sharply limits state investigative authority. That defies HIPAA’s explicit protection of States’ interests in investigating “disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.” 42 U.S.C. § 1320d-7(b). It also contradicts longstanding practice under the Privacy Rule.”
Why it matters
The Final Rule was designed to protect individuals and healthcare providers in states where abortion and related healthcare remain legal. The lawsuit created a fundamental tension, with the Final Rule seeking to uphold privacy and the states claiming the rule obstructs legitimate oversight. The legal challenge tests the scope of federal regulatory power under the APA, questioning whether HHS overstepped its statutory authority in implementing the rule.
FAQs
Who is considered a covered entity under the HIPAA Privacy Rule?
Covered entities include health plans, healthcare clearinghouses, and healthcare providers that conduct electronic transactions. Business associates of these entities may also fall under the rule depending on their services.
What types of information are protected under the HIPAA Privacy Rule?
The rule protects individually identifiable health information, which includes any data that can identify an individual and is maintained in a designated record set, such as medical records and billing information.
What is meant by the "minimum necessary" standard?
The minimum necessary standard requires covered entities to limit the use and disclosure of PHI to only what is necessary to accomplish the intended purpose of the use or disclosure.