Last year, the U.S. Department of Health and Human Services (HHS) issued final regulations modifying the Health Insurance Portability and Accountability Act Privacy Rule (2024 Privacy Rule) by implementing specific requirements for protected health information (PHI) related to reproductive health care. See our previous summary here: 2024 Privacy Rule Summary.
The 2024 Privacy Rule required covered entities, including group health plans, to update privacy procedures, obtain attestations for certain data requests, and update Notices of Privacy Practices (Privacy Notices) consistent with the new protections applicable to reproductive health care information, by December 23, 2024.
But Wait!
On June 18, 2025, in Purl v. HHS (N.D. Tex. 2025), a federal district court vacated with immediate and nationwide effect the 2024 Privacy Rule’s provisions related to reproductive health care information. Importantly, the court preserved provisions of the 2024 Privacy Rule regarding certain records related to substance use disorders (SUD Records).
As a result of the Purl ruling, group health plans need not update policies, procedures, or Privacy Notices implementing reproductive health care information protections. Group health plans also are not required to obtain specific attestations regarding requests for such information. Plans that previously took steps to make such updates should consider removing the changes from their policies, procedures, and Privacy Notices.
Don’t Forget Part 2!
Despite vacating provisions in the regulations relating to reproductive health care information, the Purl ruling kept intact regulations at 42 CFR part 2, relating to the protection of SUD Records. This means that, effective February 16, 2026, group health plans must update their policies and Privacy Notices to reflect the stringent protections applicable to certain SUD records, which are defined as:
records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.
Absent specific written consent or a court order, group health plans may not disclose – including through testimony regarding content – SUD Records in legal proceedings such as investigations and prosecutions against an individual.
Privacy Notice Updates
Sponsors of self-funded and insured group health plans with access to PHI are familiar with the required Privacy Notice, which must be provided to newly eligible participants upon enrollment and to all participants upon request. The Privacy Notice must also be updated and redistributed when there is a material change to its terms.
Sponsors of group health plans should update their Privacy Notices by February 16, 2026, to include the SUD Records protections and distribute the updated Privacy Notices to all participants.
This blog was drafted by Laura Fischer, an attorney in the Spencer Fane Denver, Colorado, office. For more information, visit www.spencerfane.com.
Click here to subscribe to Spencer Fane communications to ensure you receive timely updates like this directly in your inbox.
