Texas Attorney General Dismisses Complaint Against HHS Seeking Vacatur of HHS Final Rules

Posted by Steve Alder

Texas Attorney General Ken Paxton has filed a joint stipulation of dismissal without prejudice, seeking to dismiss all claims in a September 2024 complaint against the U.S. Department of Health and Human Services (HHS), former HHS Secretary Xavier Becerra, and former Office for Civil Rights (OCR) Director Melanie Fontes Rainer. On November 24, 2025, the court granted Paxton’s request and dismissed the lawsuit.

The complaint was filed in response to the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Final Rule issued by the Biden Administration and added to the Federal Register in April 2024. The complaint sought declaratory and injunctive relief against the enforcement of the rule by the HHS, and to vacate another final rule, the HIPAA Privacy Rule of 2000. AG Paxton alleged that the HHS had overstepped its authority when issuing both final rules.

The decision to dismiss the lawsuit was likely influenced by a ruling in a separate lawsuit, filed in Texas last year by Dr. Carmen Purl, who runs Dr. Purl’s Fast Care Walk-in Clinic in Dumas, Texas. The lawsuit, Carmen Purl, et al., v. United States Department of Health and Human Services et al, was filed in the U.S. District Court for the Northern District of Texas, Amarillo Division, also in response to the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Final Rule.

The reproductive healthcare final rule was issued by the Biden administration as part of its response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization in 2022 that overturned Roe v. Wade, which for 50 years had protected the right to abortion prior to the point of fetal viability. With Roe v. Wade overturned, the legality of abortion became a state rather than federal matter, and almost half of U.S. states subsequently passed laws banning or restricting abortions.

The final rule created a new subclass of protected health information, reproductive health information, restricting disclosures of that information to government authorities and law enforcement. The final rule effectively prevented states from obtaining reproductive health information to hold individuals and healthcare providers liable under state law for abortions obtained legally out of state.

Purl alleged that the final rule was arbitrary and capricious and exceeded the HHS’s statutory authority, claiming the final rule impaired the clinic’s ability to participate in public health investigations and comply with state law that requires suspected child abuse to be reported. The lawsuit was successful, with the court dismissing the defendants’ motion to dismiss and vacating most of the modifications to the HIPAA Privacy Rule, which were deemed unlawful for distinguishing between different types of health information to accomplish political ends. The Notice of Privacy Practices requirements for healthcare providers covered by the Part 2 regulations relating to substance use disorder were not vacated. While the lawsuit originated in the state of Texas, the ruling had nationwide effect. The HHS chose not to appeal the decision.

The court’s decision to vacate the Reproductive Healthcare Privacy Final Rule achieved some of the main goals of AG Paxton’s complaint, which likely played a key role in the decision to seek dismissal of the complaint. Since the complaint was dismissed without prejudice, AG Paxton retains the right to refile the same complaint in the future, should he so wish.

The decision to dismiss the complaint is good news for Americans, as the HIPAA Privacy Rule ensures that their personally identifiable health information is protected and can only be used for reasons related to treatment, payment for healthcare, and healthcare operations without their express consent. The HIPAA Privacy Rule also gave patients rights over their health information, allowing them to obtain a copy of their health data, request errors be corrected, ask for restrictions on disclosures, and be provided with an accounting of disclosures of their PHI to learn who has been provided with their health information.

The post Texas Attorney General Dismisses Complaint Against HHS Seeking Vacatur of HHS Final Rules appeared first on The HIPAA Journal.

10 Step Guide to Choosing HIPAA Training for Employees

Posted by PJ Murray

Choosing HIPAA training for employees should be about compliance outcomes, not simply optics of checking the box for mandatory training. This 10-step guide helps you select HIPAA training courses that build real HIPAA compliance knowledge, reduce common errors, and prepare employees to apply HIPAA correctly from day one. This guide helps you avoid checkbox training and invest in learning that improves employee compliance performance, ultimately reducing HIPAA violations and HIPAA breaches.

Step 1: Review the course curriculum and verify that it is specifically designed for employees.

Verify that the training was designed for the staff receiving the training. There is little point in providing HIPAA training designed for compliance officers or training designed for managers that is focused on the compliance programs for HIPAA-covered entities.

Step 2: If the training provider does not state who produced the training, then ask for this information.

When selecting HIPAA training, evaluate substance and outcomes, not slide count. Effective courses go beyond reciting regulations and show how the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule translate into concrete tasks and decisions for employees. Begin with the source of the training content. Prefer curricula developed and maintained by recognized HIPAA subject-matter experts that have been designed with input from and then reviewed by HIPAA Privacy Officers and HIPAA Compliance Officers. The officers understand how violations occur and can teach recurring patterns, such as misdirected messages, wrong-patient access, and casual disclosures, and the precise steps that prevent them.

Step 3: If the training does not have a release date, then ask when it was produced.

Verify that the content is up-to-date because HHS and OCR guidance evolves, enforcement priorities shift, and new technologies introduce fresh risks. High-quality training is actively updated to reflect new laws, guidance, and enforcement trends, rather than remaining static.

Step 4: Prioritize practical advice over theory

Ensure the HIPAA training prioritizes practical scenarios over abstraction or simply repeating regulations. The training must use realistic examples such as unattended workstations, unapproved applications, and over-sharing on phone calls.

Step 5: Verify that training has modules covering evolving threats like social media and AI tools.

The training must also address modern risk areas, including generative AI tools, social media, messaging platforms, remote work, and personal devices.

Step 6: Choose training focused on risk reduction

Training cannot eliminate HIPAA violations and HIPAA breaches, but well-designed modules reduce both likelihood and impact by targeting behaviors behind common incidents. Make sure that the content is focused on prevention and response. The training must identify typical errors, such as lost devices, unencrypted email, and improper disclosures, and specify who to notify, what to document, and when to escalate.

Step 7: Review the trainee learning experience

An effective learning experience is practical, accessible, and respectful of time. Online, self-paced modules with pause and resume controls suit shift work and clinical interruptions. Mobile-friendly delivery across desktop, tablet, and phone improves the completion rate of training. When staff can access training easily, learn at a sensible pace, verify understanding, and obtain help as needed, they make better decisions, and the compliance program becomes measurably stronger. Make sure that the training is available for the full year until the next annual session so that employees can review as many times as they require to refresh their knowledge. The learning experience is also improved if there are quizzes after each topic covered. The fact that trainees know that they will be tested at the end of each topic in the training course immediately improves their attention levels.

Step 8: Training management features

Online HIPAA training provides managers with the opportunity to monitor the progress of employees during their HIPAA training and confirm that the training has been completed. It is also necessary to retain training records for a minimum of six years.

Step 9: Include state privacy laws where necessary

HIPAA training also means training in the related medical record privacy and security laws. Certain states such as Texas and California have state medical privacy laws that are mandatory and stricter than HIPAA. There are also additional state data privacy laws that apply to medical records.

Step 10: Don’t forget cybersecurity training

Integrate HIPAA with cybersecurity awareness for any staff who have access to medical records on computers. Many large scale HIPAA beaches begin with general cyber risks, including phishing, weak credentials, unsafe USB use, and credential sharing. Pair HIPAA content with focused cybersecurity modules on human error, phishing recognition, secure messaging, credential management, and removable media.

Choose HIPAA Training That Changes Behavior

This guide recommends selecting HIPAA training that is designed for employees, identifies who produced the content, and includes a clear release date. It emphasizes practical scenarios over theory, with up-to-date modules that address social media, AI tools, messaging, remote work, and personal devices. It calls for risk-focused instruction that identifies common errors such as lost devices, unencrypted email, and improper disclosures, and that specifies who to notify, what to document, and when to escalate. It also highlights a learning experience that is self-paced, mobile-friendly, and available for the full year so employees can review as needed. The guide advises pairing HIPAA training with cybersecurity modules for staff who access medical records on computers.

The post 10 Step Guide to Choosing HIPAA Training for Employees appeared first on The HIPAA Journal.

OCR Requests HIPAA Risk Management Questions for Upcoming Video Presentation

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is working on a video presentation to explain the requirements of the risk management process of the HIPAA Security Rule and has requested risk management questions from HIPAA-regulated entities.

The risk analysis is a foundational element of the HIPAA Security Rule that requires risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) to be identified. OCR frequently identifies risk analysis failures in its investigations of data breaches, complaints, and through its HIPAA compliance audit program, including incomplete and nonexistent risk analyses. It is the most commonly identified HIPAA Security Rule violation, and a frequent reason for imposing a financial penalty.

OCR has released guidance to help HIPAA-regulated entities conduct a risk analysis, and a downloadable risk assessment tool for small- and medium-sized regulated entities to guide them through the process. After conducting a risk analysis, all identified risks and vulnerabilities to ePHI must be subjected to a risk management process, detailed in § 164.308(a)(1)(ii)(B) of the administrative safeguards of the HIPAA Security Rule. Risk management is defined as “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) [Security Standards: General Rules].”

Two of OCR’s enforcement actions this year included penalties for risk management failures – the $3,000,000 penalty for Solara Medical Supplies and the $1,500,000 Warby Parker, Inc. HIPAA violation penalty. To clear up any potential confusion about the risk management process, OCR is producing a video presentation – HHS’ OCR Presents: The HIPAA Security Rule: Risk Management.

Nick Heesters, OCR’s Senior Advisor for Cybersecurity, will be covering various aspects of the risk management provision of the HIPAA Security Rule in the presentation. Heesters will flesh out what is required in terms of risk management, the use of cybersecurity resources, and he will provide insights into OCR’s investigations into potential risk management HIPAA violations.

Since this will be a pre-recorded video presentation rather than a live webinar, OCR has requested questions from HIPAA-regulated entities about the risk management requirement of the HIPAA Security Rule, a selection of which will be answered during the presentation. If you have any questions related to risk management, this is an ideal opportunity to get the answers you seek. Questions should be submitted to OCR no later than  December 8, 2025, via email at OCRPresents@hhs.gov

The post OCR Requests HIPAA Risk Management Questions for Upcoming Video Presentation appeared first on The HIPAA Journal.