On September 4, Texas Attorney General (AG) Ken Paxton filed a lawsuit against the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), challenging two key Health Insurance Portability and Accountability Act (HIPAA) rules — the 2000 Privacy Rule and the newly implemented 2024 Privacy Rule. These rules were enacted to protect the privacy of individuals’ protected health information (PHI) under HIPAA. Texas argues that these rules unlawfully limit state investigators’ ability to access PHI, impeding the enforcement of state laws.
Overview of the HHS Privacy Rules
The 2000 Privacy Rule, which has been in effect since 2001, established national standards for the protection of PHI under HIPAA. It includes a three-part test that must be met for a medical provider to share information in response to a state’s administrative subpoena, including that (1) the information sought is relevant and material to a legitimate law enforcement inquiry; (2) the request is as specific and narrowly drawn as reasonably practicable; and (3) de-identified information, such as coded records with no apparent PHI, cannot be reasonably used to meet the purpose of the request.
The 2024 Privacy Rule, effective June 2024, enhances privacy protections for reproductive health care. It prohibits the use or disclosure of PHI for investigating lawful reproductive health care and introduces new requirements for HIPAA-covered entities to obtain signed attestations before sharing PHI in the context of oversight, judicial, or law enforcement activities.
Texas’ Arguments
Texas claims that both rules exceed HHS’ statutory authority under HIPAA, arguing in particular that the 2000 Privacy Rule’s limitations on state subpoenas go beyond what HIPAA mandates. Texas further argues that the 2024 Privacy Rule’s restrictions on disclosures of reproductive health-related PHI were designed to frustrate state law enforcement efforts in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, 597 U.S. 215 (2022). The state contends that the 2024 Privacy Rule is overly broad and complicates compliance with state investigations by requiring burdensome attestations from HIPAA-covered entities.
Although the complaint does not cite specific state laws affected by the rules, the 2021 Texas Trigger Law, which criminalizes abortion, provides context for the AG’s concerns regarding limitations on access to PHI for law enforcement purposes. In 2021, Texas enacted legislation making it a felony to knowingly perform, induce, or attempt an abortion at any time after fertilization. See Tex. Health & Safety Code Ann. § 170A.001 et seq. This law was “triggered” when the Supreme Court, in Dobbs, held that the Constitution does not confer a right to abortion, effectively overturning Roe v. Wade and Planned Parenthood v. Casey. Since 2022, the state has faced multiple challenges from organizations and individual plaintiffs claiming that the Texas law is overly broad and that its exceptions are unclear. According to the complaint, HHS’ 2024 Final Rule was promulgated to obstruct states’ ability to enforce abortion laws.
Relief Sought by Texas
Texas seeks a declaration that the 2000 and 2024 Privacy Rules violate the Administrative Procedure Act (APA) as actions in excess of statutory authority. Texas also requests that the court vacate and enjoin enforcement of the rules and award attorneys’ fees and litigation costs.
Implications for HIPAA-Covered Entities
The Texas AG has shifted focus toward privacy this year, creating a specialized privacy enforcement unit following the enactment of the Texas Data Privacy and Security Act on July 1, to handle all privacy-related matters and focus on “aggressive enforcement of Texas privacy laws.” In addition to the new privacy act, the unit is responsible for enforcing the Identity Theft Enforcement and Protection Act, the Data Broker Law, the Biometric Identifier Act, the Deceptive Trade Practices Act (DTPA), and federal laws, including the Children’s Online Privacy Protection Act (COPPA) and HIPAA. Indeed, the AG has filed actions this year under these various laws, including under its “traditional” consumer protection statute, the DTPA, as part of this privacy initiative.
If Texas prevails in its suit challenging the HHS privacy rules, HIPAA-covered entities may face increased obligations to comply with state subpoenas and investigative demands, particularly for reproductive health-related information. The lifting of these restrictions could lead to more frequent disclosures of PHI to state authorities. Entities should review and, where necessary, revise their compliance protocols to ensure that their legal and privacy teams are equipped to handle more extensive requests for sensitive information under state law. Robust compliance programs will be essential for navigating this evolving landscape and balancing state enforcement needs with federal privacy protections.
The Troutman Pepper team, which maintains a close relationship with the Texas AG’s office and its privacy attorneys, will continue to monitor developments in Texas to further its service to clients and provide advisories as necessary.
State of Texas v. U.S. Dept. of Health and Human Services, et al., Case No. 5:24-cv-00204-H (N.D. Tex. Sept. 4, 2024).