medcomply.ai
News
OCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement · Rule UpdateRehab Center Pays $103,000 After Phishing Attack: OCR's 11th Risk Analysis Enforcement Action · OCR EnforcementConcentra Pays $112,500 After Patient Made Six Records Requests Over 13 Months · OCR EnforcementHIPAA Security Rule Final Rule: May Deadline Passes With No Announcement · Rule UpdateReproductive Health Privacy Rule Partially Vacated: What Your Notice of Privacy Practices Must Say Now · Rule UpdateWarby Parker Fined $1.5 Million by OCR: What Retailers With Health Plans Must Know · OCR EnforcementHow to Respond to a HIPAA Breach — A Step-by-Step Guide · Data BreachHIPAA Breach Notification Rule — Complete Guide to What Triggers Notification and When · Data BreachHIPAA Breach Notification Overview · Data BreachHIPAA Compliance Checklist for Covered Entities — 2026 Edition · AnalysisOCR Passes 50 Enforcement Actions in 2026 — and Adds Parental Access to Its Target List · OCR EnforcementOCR Audit Preparation — Checklist and Evidence Map for HIPAA Investigations · OCR EnforcementPatient Rights Under HIPAA — A Practical Guide for Healthcare Providers · Rule UpdateThe HIPAA Security Rule Final Rule: $9 Billion Price Tag, 100+ Hospital Coalition Opposition, and What Actually Happens Next · Rule UpdateHIPAA Staff Training Requirements — What's Required, Who Needs It, and How to Document It · AnalysisHIPAA Security Rule Overhaul — Final Rule Expected May 2026. Is Your Organization Ready? · Rule Update2026 HIPAA Penalty Amounts — Updated Figures Every Compliance Officer Needs · OCR EnforcementOCR Fines Employer-Sponsored Health Plan $245,000: What Every HR Department Must Know · OCR EnforcementAssured Imaging Fined for Never Conducting a Risk Analysis: 244,813 Patients Affected · OCR EnforcementOCR Begins Enforcing Part 2: What Behavioral Health Providers Must Know · Rule Update15 Million Records Exposed: The MMG Fusion Settlement and What It Means for Business Associates · OCR EnforcementOCR Expands Enforcement to Risk Management: What Changed in 2026 and What to Do Now · Rule UpdateOCR Issues $1.165 Million in Ransomware Penalties: Four Settlements in One Day · OCR EnforcementThe HIPAA Security Rule: A Complete Guide for 2026 · Security RuleOCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement · Rule UpdateRehab Center Pays $103,000 After Phishing Attack: OCR's 11th Risk Analysis Enforcement Action · OCR EnforcementConcentra Pays $112,500 After Patient Made Six Records Requests Over 13 Months · OCR EnforcementHIPAA Security Rule Final Rule: May Deadline Passes With No Announcement · Rule UpdateReproductive Health Privacy Rule Partially Vacated: What Your Notice of Privacy Practices Must Say Now · Rule UpdateWarby Parker Fined $1.5 Million by OCR: What Retailers With Health Plans Must Know · OCR EnforcementHow to Respond to a HIPAA Breach — A Step-by-Step Guide · Data BreachHIPAA Breach Notification Rule — Complete Guide to What Triggers Notification and When · Data BreachHIPAA Breach Notification Overview · Data BreachHIPAA Compliance Checklist for Covered Entities — 2026 Edition · AnalysisOCR Passes 50 Enforcement Actions in 2026 — and Adds Parental Access to Its Target List · OCR EnforcementOCR Audit Preparation — Checklist and Evidence Map for HIPAA Investigations · OCR EnforcementPatient Rights Under HIPAA — A Practical Guide for Healthcare Providers · Rule UpdateThe HIPAA Security Rule Final Rule: $9 Billion Price Tag, 100+ Hospital Coalition Opposition, and What Actually Happens Next · Rule UpdateHIPAA Staff Training Requirements — What's Required, Who Needs It, and How to Document It · AnalysisHIPAA Security Rule Overhaul — Final Rule Expected May 2026. Is Your Organization Ready? · Rule Update2026 HIPAA Penalty Amounts — Updated Figures Every Compliance Officer Needs · OCR EnforcementOCR Fines Employer-Sponsored Health Plan $245,000: What Every HR Department Must Know · OCR EnforcementAssured Imaging Fined for Never Conducting a Risk Analysis: 244,813 Patients Affected · OCR EnforcementOCR Begins Enforcing Part 2: What Behavioral Health Providers Must Know · Rule Update15 Million Records Exposed: The MMG Fusion Settlement and What It Means for Business Associates · OCR EnforcementOCR Expands Enforcement to Risk Management: What Changed in 2026 and What to Do Now · Rule UpdateOCR Issues $1.165 Million in Ransomware Penalties: Four Settlements in One Day · OCR EnforcementThe HIPAA Security Rule: A Complete Guide for 2026 · Security Rule

Rule Update

Reproductive Health Privacy Rule Partially Vacated: What Your Notice of Privacy Practices Must Say Now

TL;DR

On June 18, 2025, a federal district court vacated most of OCR's April 2024 final rule strengthening reproductive health privacy. However, certain Notice of Privacy Practices modifications required by the rule survived the court's decision and were still required to be implemented by February 16, 2026. Covered entities must review their current NPP against the surviving requirements and update it if they have not already done so.

On June 18, 2025, a federal district court vacated most of OCR's April 2024 final rule strengthening reproductive health privacy. However, certain Notice of Privacy Practices modifications required by the rule survived the court's decision and were still required to be implemented by February 16, 2026. Covered entities must review their current NPP against the surviving requirements and update it if they have not already done so.

A federal court vacated most of OCR's 2024 reproductive health privacy rule in June 2025, but key Notice of Privacy Practices changes survived and were required by February 16, 2026. Here is exactly what covered entities must do.

medcomply.ai editorial teamPublished May 12, 2026Updated May 12, 20266 min read

The HIPAA Privacy Rule landscape in 2025 and 2026 has been unusually unsettled — a final rule published, challenged in court, partially vacated, with surviving provisions still requiring compliance by a fixed deadline. For covered entities trying to understand what their Notice of Privacy Practices must currently say, the answer requires working through several layers.

The timeline of events

April 26, 2024: OCR published a final rule amending the HIPAA Privacy Rule to strengthen privacy protections for reproductive health information. The rule prohibited covered entities from using or disclosing PHI to investigate or prosecute patients or providers for seeking or providing lawful reproductive health care. It also required updated Notices of Privacy Practices.

June 18, 2025: A federal district court vacated most of OCR's April 26, 2024 final rule aimed at reproductive health care privacy. The court left intact certain Notice of Privacy Practices modifications; compliance with the remaining NPP changes is required by February 16, 2026.

February 16, 2026: The compliance deadline for surviving NPP modifications passed. Covered entities were required to have updated their Notices of Privacy Practices by this date to reflect the surviving provisions.

What the court vacated and what survived

The Texas federal court's decision was sweeping — it vacated most of the substantive privacy protections the rule created. The primary provisions prohibiting use and disclosure of PHI for reproductive health investigations were vacated nationally.

What survived: specific modifications to the Notice of Privacy Practices disclosure requirements. These NPP changes require covered entities to include statements informing patients about their rights regarding reproductive health information under the surviving provisions of the rule and applicable law.

45 CFR §164.520

The practical result is a two-tier outcome:

Vacated: The substantive prohibition on disclosing PHI for reproductive health investigations — covered entities are not legally required to refuse such disclosures under the vacated provisions, though they may choose to do so based on their own policies and applicable state law.

Surviving: The NPP disclosure requirements — covered entities must still update their NPP to include the required statements about reproductive health information.

What your Notice of Privacy Practices must now say

The surviving NPP modifications require covered entities to include language addressing:

Statement of patient rights regarding reproductive health: The NPP must inform patients that their reproductive health information is subject to privacy protections and describe how the covered entity handles such information in accordance with applicable law.

Updated uses and disclosures section: The NPP must accurately reflect the covered entity's current policies regarding reproductive health information — including any policies the covered entity has adopted voluntarily beyond the vacated legal requirements.

Contact for questions: Patients must be able to contact the covered entity's privacy officer with questions about reproductive health information handling.

Warning

If your organization updated its NPP in 2024 to include all provisions of the original rule, review it now. Your NPP may reference legal protections that were vacated by the court — creating a mismatch between what your NPP says and what the law currently requires. An inaccurate NPP is itself a compliance issue.

The February 16, 2026 deadline — and what it means now

The February 16, 2026 deadline has passed. Covered entities that had not updated their NPP by that date are out of compliance with the surviving NPP requirements.

Covered entities should review which NPP elements still apply following the decision and plan updates accordingly.

If your organization has not yet updated its NPP to reflect the surviving requirements, do so immediately. The surviving NPP modifications are in force and enforceable.

The intersection with Part 2 — same deadline, related requirements

February 16, 2026 was also the compliance deadline for updated 42 CFR Part 2 regulations aligning substance use disorder record confidentiality requirements with HIPAA. Entities subject to HIPAA and handling Part 2 records must meet the Part 2 final rule by February 16, 2026, including updating their NPPs and revising internal policies, consents, and training to reflect these Privacy Rule-related modifications.

Covered entities that treat both reproductive health and substance use disorder patients — including many integrated behavioral health and primary care practices — faced dual NPP update requirements on the same deadline. If your organization falls into this category review your NPP against both sets of requirements.

How to assess your current NPP

Work through this checklist against your current Notice of Privacy Practices:

Step 1 — Identify your NPP version date. When was your NPP last updated? If it predates April 2024 it does not include any of the reproductive health or Part 2 modifications. If it was updated in 2024 it may include vacated provisions that should be corrected.

Step 2 — Compare against the surviving requirements. HHS published updated model NPPs reflecting surviving provisions and Part 2 requirements. Download the current model from HHS.gov and compare it against your current NPP language.

Step 3 — Identify your organization's scope. Does your organization provide reproductive health services? Does it treat substance use disorder patients? The relevance and required specificity of NPP language depends on what services your organization provides.

Step 4 — Update and republish. Update your NPP to reflect surviving requirements, remove any references to vacated provisions, and update the effective date. Post the updated NPP in your facility and on your website. Provide it to new patients at first service.

Step 5 — Document the update. Retain documentation of the NPP update — what changed, why, and when — for six years.

State law remains relevant

The court's vacatur of the federal reproductive health privacy provisions does not eliminate state law protections that may apply in your jurisdiction. Many states have enacted their own reproductive health privacy laws — some broader than what the vacated federal rule required. Covered entities operating in states with such laws must comply with applicable state law regardless of the federal rule's status.

Legal counsel familiar with your operating states should advise on how state law interacts with the current federal framework.

The reproductive health privacy rule was largely vacated, but the NPP update requirements survived and the February 16, 2026 compliance deadline has passed. If your NPP has not been updated to reflect surviving requirements, update it now. If it was updated for the full 2024 rule, review it to ensure it does not reference vacated provisions. An accurate, current Notice of Privacy Practices is a basic compliance requirement OCR checks in every investigation.

Sources & citations

  • HHS OCR Reproductive Health Privacy Final RuleOpen
  • 45 CFR §164.520 — Notice of Privacy PracticesOpen
  • AccountableHQ — HIPAA News February 2026Open

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

What was OCR's April 2024 reproductive health privacy rule?
OCR's April 26, 2024 final rule amended the HIPAA Privacy Rule to strengthen privacy protections for information related to reproductive health care. The rule prohibited covered entities from using or disclosing PHI to investigate or prosecute patients, providers, or others involved in lawful reproductive health care, and required updated Notices of Privacy Practices describing these new protections.
What happened to the rule in court?
On June 18, 2025, a federal district court in Texas vacated most of the rule, finding that OCR exceeded its authority in certain provisions. The court's decision was applied nationally. The Texas court's challenge focused on provisions that could impede states' ability to enforce state laws regarding reproductive health care.
What parts of the rule survived the court decision?
The court left intact certain Notice of Privacy Practices modifications. Specifically, covered entities were still required to update their NPP to include statements about patients' rights regarding their reproductive health information as modified by the rule's surviving provisions. The February 16, 2026 compliance deadline applied to these surviving NPP requirements.
If we updated our NPP in 2024 for the full rule, do we need to update it again?
Possibly. Covered entities that updated their NPP to include all provisions of the 2024 rule — including the vacated provisions — should review their NPP to ensure it accurately reflects only the surviving requirements. An NPP that references legal protections that have been vacated by a court may be inaccurate and should be corrected.
What is the February 16, 2026 deadline?
February 16, 2026 was the compliance deadline for two sets of requirements: the surviving NPP modifications from the reproductive health privacy rule, and compliance with the updated 42 CFR Part 2 regulations aligning substance use disorder record confidentiality requirements with HIPAA. Both deadlines passed on the same date.

Related intelligence

Rule Update

OCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement

4 min read

Rule Update

HIPAA Security Rule Final Rule: May Deadline Passes With No Announcement

5 min read

Rule Update

Patient Rights Under HIPAA — A Practical Guide for Healthcare Providers

8 min read

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.