Rule Update

Reproductive Health Privacy Rule Partially Vacated: What Your Notice of Privacy Practices Must Say Now

TL;DR

On June 18, 2025, a federal district court vacated most of OCR's April 2024 final rule strengthening reproductive health privacy. However, certain Notice of Privacy Practices modifications required by the rule survived the court's decision and were still required to be implemented by February 16, 2026. Covered entities must review their current NPP against the surviving requirements and update it if they have not already done so.

What the reproductive health privacy rule requires, who it affects, and where it stands now after the latest legal developments. Plain-English breakdown with citations.

medcomply.ai editorial team · Published May 12, 2026 · Updated May 12, 2026 · 6 min read

The HIPAA Privacy Rule landscape in 2025 and 2026 has been unusually unsettled — a final rule published, challenged in court, partially vacated, with surviving provisions still requiring compliance by a fixed deadline. For covered entities trying to understand what their Notice of Privacy Practices must currently say, the answer requires working through several layers.

The timeline of events

April 26, 2024: OCR published a final rule amending the HIPAA Privacy Rule to strengthen privacy protections for reproductive health information. The rule prohibited covered entities from using or disclosing PHI to investigate or prosecute patients or providers for seeking or providing lawful reproductive health care. It also required updated Notices of Privacy Practices.

June 18, 2025: A federal district court vacated most of OCR's April 26, 2024 final rule aimed at reproductive health care privacy. The court left intact certain Notice of Privacy Practices modifications; compliance with the remaining NPP changes is required by February 16, 2026.

February 16, 2026: The compliance deadline for surviving NPP modifications passed. Covered entities were required to have updated their Notices of Privacy Practices by this date to reflect the surviving provisions.

What the court vacated and what survived

The Texas federal court's decision was sweeping — it vacated most of the substantive privacy protections the rule created. The primary provisions prohibiting use and disclosure of PHI for reproductive health investigations were vacated nationally.

What survived: specific modifications to the Notice of Privacy Practices disclosure requirements. These NPP changes require covered entities to include statements informing patients about their rights regarding reproductive health information under the surviving provisions of the rule and applicable law.

45 CFR §164.520

The practical result is a two-tier outcome:

Vacated: The substantive prohibition on disclosing PHI for reproductive health investigations — covered entities are not legally required to refuse such disclosures under the vacated provisions, though they may choose to do so based on their own policies and applicable state law.

Surviving: The NPP disclosure requirements — covered entities must still update their NPP to include the required statements about reproductive health information.

What your Notice of Privacy Practices must now say

The surviving NPP modifications require covered entities to include language addressing:

Statement of patient rights regarding reproductive health: The NPP must inform patients that their reproductive health information is subject to privacy protections and describe how the covered entity handles such information in accordance with applicable law.

Updated uses and disclosures section: The NPP must accurately reflect the covered entity's current policies regarding reproductive health information — including any policies the covered entity has adopted voluntarily beyond the vacated legal requirements.

Contact for questions: Patients must be able to contact the covered entity's privacy officer with questions about reproductive health information handling.

Warning

If your organization updated its NPP in 2024 to include all provisions of the original rule, review it now. Your NPP may reference legal protections that were vacated by the court — creating a mismatch between what your NPP says and what the law currently requires. An inaccurate NPP is itself a compliance issue.

The February 16, 2026 deadline — and what it means now

The February 16, 2026 deadline has passed. Covered entities that had not updated their NPP by that date are out of compliance with the surviving NPP requirements.

Covered entities should review which NPP elements still apply following the decision and plan updates accordingly.

If your organization has not yet updated its NPP to reflect the surviving requirements, do so immediately. The surviving NPP modifications are in force and enforceable.

February 16, 2026 was also the compliance deadline for updated 42 CFR Part 2 regulations aligning substance use disorder record confidentiality requirements with HIPAA. Entities subject to HIPAA and handling Part 2 records must meet the Part 2 final rule by February 16, 2026, including updating their NPPs and revising internal policies, consents, and training to reflect these Privacy Rule-related modifications.

Covered entities that treat both reproductive health and substance use disorder patients — including many integrated behavioral health and primary care practices — faced dual NPP update requirements on the same deadline. If your organization falls into this category, review your NPP against both sets of requirements.

How to assess your current NPP

Work through this checklist against your current Notice of Privacy Practices:

Step 1 — Identify your NPP version date. When was your NPP last updated? If it predates April 2024, it does not include any of the reproductive health or Part 2 modifications. If it was updated in 2024, it may include vacated provisions that should be corrected.

Step 2 — Compare against the surviving requirements. HHS published updated model NPPs reflecting surviving provisions and Part 2 requirements. Download the current model from HHS.gov and compare it against your current NPP language.

Step 3 — Identify your organization's scope. Does your organization provide reproductive health services? Does it treat substance use disorder patients? The relevance and required specificity of NPP language depend on what services your organization provides.

Step 4 — Update and republish. Update your NPP to reflect surviving requirements, remove any references to vacated provisions, and update the effective date. Post the updated NPP in your facility and on your website. Provide it to new patients at first service.

Step 5 — Document the update. Retain documentation of the NPP update — what changed, why, and when — for six years.

State law remains relevant

The court's vacatur of the federal reproductive health privacy provisions does not eliminate state law protections that may apply in your jurisdiction. Many states have enacted their own reproductive health privacy laws — some broader than what the vacated federal rule required. Covered entities operating in states with such laws must comply with applicable state law regardless of the federal rule's status.

Legal counsel familiar with your operating states should advise on how state law interacts with the current federal framework.

The reproductive health privacy rule was largely vacated, but the NPP update requirements survived and the February 16, 2026 compliance deadline has passed. If your NPP has not been updated to reflect surviving requirements, update it now. If it was updated for the full 2024 rule, review it to ensure it does not reference vacated provisions. An accurate, current Notice of Privacy Practices is a basic compliance requirement OCR checks in every investigation.

Sources & citations

  • HHS OCR Reproductive Health Privacy Final Rule
  • 45 CFR §164.520 — Notice of Privacy Practices
  • AccountableHQ — HIPAA News February 2026

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

What was OCR's April 2024 reproductive health privacy rule?

OCR's April 26, 2024 final rule amended the HIPAA Privacy Rule to strengthen privacy protections for information related to reproductive health care. The rule prohibited covered entities from using or disclosing PHI to investigate or prosecute patients, providers, or others involved in lawful reproductive health care, and required updated Notices of Privacy Practices describing these new protections.

What happened to the rule in court?

On June 18, 2025, a federal district court in Texas vacated most of the rule, finding that OCR exceeded its authority in certain provisions. The court's decision was applied nationally. The Texas court's challenge focused on provisions that could impede states' ability to enforce state laws regarding reproductive health care.

What parts of the rule survived the court decision?

The court left intact certain Notice of Privacy Practices modifications. Specifically, covered entities were still required to update their NPP to include statements about patients' rights regarding their reproductive health information as modified by the rule's surviving provisions. The February 16, 2026 compliance deadline applied to these surviving NPP requirements.

If we updated our NPP in 2024 for the full rule, do we need to update it again?

Possibly. Covered entities that updated their NPP to include all provisions of the 2024 rule — including the vacated provisions — should review their NPP to ensure it accurately reflects only the surviving requirements. An NPP that references legal protections that have been vacated by a court may be inaccurate and should be corrected.

What is the February 16, 2026 deadline?

February 16, 2026 was the compliance deadline for two sets of requirements: the surviving NPP modifications from the reproductive health privacy rule, and compliance with the updated 42 CFR Part 2 regulations aligning substance use disorder record confidentiality requirements with HIPAA. Both deadlines passed on the same date.

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.