Patient Privacy: HIPAA Explained

This explainer provides a high-level overview of these protections and the statutes that establish such rights, certain exceptions to these protections, and their purposes, with a focus on the “Privacy Rule” for the Federal Health Insurance Portability and Accountability Act, or “HIPAA.” Thank you to our partners at GLMA for their collaboration on this resource!


Introduction

In 2025, the U.S. Department of Justice (DOJ) sent subpoenas to as many as 20 institutions serving trans and gender diverse (TGD) adolescents. The subpoenas demanded a wide range of materials, extending beyond information about providers to highly sensitive information about adolescent patients and their families, raising concerns not only about the investigations themselves but also about their implications for patient privacy.

With this explainer, we hope to provide a high-level overview of these protections and the statutes that establish such rights, certain exceptions to these protections, and their purposes, with a focus on the “Privacy Rule” for the Federal Health Insurance Portability and Accountability Act, or “HIPAA.” We believe that trans people, including trans youth and their families, deserve to be equipped with information to help them understand their rights in order to navigate the complex systems that govern their lives.

This guide is for informational purposes only and primarily focuses on the HIPAA Privacy Rule and the exceptions to this protective framework. These exceptions should not overshadow the protective intentions of the Privacy Rule. States may offer additional privacy protections, the analysis of which is beyond the scope of this report. Nothing in this report is intended to, nor should it be interpreted as, asserting which parties have standing in matters of patient privacy, disclosures of protected health information, or challenges to requests for this information. 

This guide does not constitute legal advice, should not be substituted for the advice of legal counsel, and should not be interpreted as encouraging or discouraging any form of legal action. This document is not intended to instruct any party in achieving compliance during an investigation or legal proceeding. The information provided is not intended to induce action or inaction without consultation with a qualified attorney. To evaluate individual or collective liability, you should consult legal counsel.

Jump to a section:

  1. HIPAA Overview
  2. Exceptions to The Privacy Rule
  3. Standards of General and Permitted Disclosures
  4. Disclosures Without Notification to the Patient
  5. Reproductive Health Information
  6. Psychotherapy Notes
  7. Preemption Standards
  8. Definitions

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Patients’ Rights

In passing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Congress did not craft rich and detailed privacy requirements, and responsibility fell to the Department of Health and Human Services (HHS) to issue substantive rules on patient privacy.1 Accordingly, HHS created the “Privacy Rule” (finalized in 2002), which regulates the use and disclosure of protected health information (PHI) by covered entities, such as hospitals and health systems, and offers patients critical protections over their own PHI. The rule creates a minimum set of requirements for patients’ rights over their own PHI, and while certain exceptions may exist, the purpose of the rule is to protect patients’ sensitive information, not to create a framework for the federal government to access it. The HIPAA Privacy Rule is an admirable legal framework that establishes patients’ rights over the information contained in their records, recognizing their rights to access and amend (when justified) their medical records and limit who may access this information.

Under this rule, covered entities are generally required to notify patients of the entity’s privacy practices and any changes to them, in addition to informing patients of anticipated/potential uses and disclosures of their information (meaning whom PHI is accessed by and shared with) that may occur without authorization.2 Covered entities are required to provide the patient, or the patient’s authorized representative,3 with access to the patient’s own medical records,4 as well as an accounting of disclosures of their PHI made within the last 6 years.5 Generally, such a request may not be ignored. This may exclude disclosures that are also generally not subject to patient authorization requirements, such as for the purposes of treatment, payment, and other health care delivery operations.6

Additional exceptions to this requirement include when the disclosure is related to an otherwise permitted or required disclosure;7 for the covered entity’s facility directory; to individuals involved in the delivery of the patient’s care;8 to law enforcement officials having lawful custody of an inmate; to a correctional institution; or for national security and intelligence pursuant to § 164.512(k)(5).9 An individual’s right to a list of disclosures made to a health oversight agency or law enforcement official may also be suspended temporarily if providing it would impede certain law enforcement or health oversight agency activities, so long as the agency provides the covered entity with a written statement attesting to that fact.10

In addition to the disclosure to the patient or their representative, covered entities are required to disclose PHI when required by the HHS Secretary for the purpose of investigating the entity’s program compliance with HIPAA. Other disclosures may be required by a health oversight agency, law enforcement, or certain state and federal laws. A familiar example is mandatory reporting of suspected child abuse. Depending on the purposes of disclosure and the structure of the applicable law,11 patient authorization may or may not be required.

Exceptions to The Privacy Rule

Understanding the limited exceptions to patient protections helps us better understand how these statutory exceptions may be exploited or abused, and enables us to better understand where policy reforms may be made to further strengthen patient privacy rights. Most exceptions to patient privacy protections are “permissive”, meaning disclosure of information is allowed but is not mandated by HIPAA.

Recent actions demonstrate that granting the federal government the ability to circumvent privacy protections can have severe and dangerous consequences. Although many courts have blocked these attacks, they also make a compelling case for limiting the power and authority of the federal government over our health and well-being.

To prevent predatory and abusive use of these exceptions, the Privacy Rule outlines the criteria that must be met for any disclosure to be lawful. Most of the exceptions to patients’ privacy protections under the Privacy Rule are arguably in the best interest of public health and safety, contributing to critical public health programs intended to prevent the spread of disease and improve community health outcomes. Accordingly, the use of the exceptions must meet certain criteria, intended to protect the public from exploitation.

Even though exceptions may exist under the Privacy Rule, patients and covered entities may still bring legal challenges against attempts to access PHI. This includes challenging a subpoena that did not meet procedural requirements, that creates an undue burden on covered entities, that requests information not relevant to the purpose for which it was requested, or that is unreasonable or not part of a legitimate, good-faith inquiry. To release patient PHI without authorization by the patient, in response to an administrative subpoena or civil investigative demand, HIPAA’s Privacy Rule contains three criteria:12

  • The PHI requested is materially relevant to a legitimate law enforcement inquiry. Information should be specific and limited in scope to what is reasonable, given the purpose for which it is sought. 
  • The request is reasonable and limited in scope to the purpose for which it is sought.
  • De-identified information could not reasonably be used. Courts have generally applied a “reasonable basis” standard when determining whether de-identified information would be insufficient for the purpose at issue, though interpretations of this standard vary.

Standards of General and Permitted Disclosures

Disclosed PHI must be limited to that which is reasonably necessary to achieve the purpose of a use or disclosure. This is often called the “minimum necessary” standard of use and disclosure of PHI. This dictates that the scope of the information must be reasonably limited to that which is necessary to fulfill the purpose for which the information is being sought.13 For example, information regarding a person’s gender identity may not be necessary for certain public health monitoring activities. As with many aspects of HIPAA, there are limited exceptions to the applicability of this standard.14 The “minimum necessary” standard is not applicable when disclosures are made to the subject of the PHI; for the purposes of treatment; when the Secretary conducts compliance reviews;15 as required by law;16 or when the patient authorizes the disclosure.17

Generally, covered entities and business associates (a person or entity that creates, receives, stores, or sends PHI on behalf of a covered entity) are not allowed to use or disclose a patient’s PHI outside of a specific set of conditions,18 several of which are fairly commonplace in the day-to-day operations of most providers. This includes disclosing a patient’s own records back to them; for the purposes of treatment; care coordination with another covered entity; payment and billing activities; and for various permitted or required health oversight or health care activities.19

Many exceptions that enable disclosures without patient notice or authorization are permissive, meaning a covered entity may (but is not required to) disclose PHI, such as for payment, for treatment, or healthcare operations,20 or to another covered entity under certain circumstances for the detection of healthcare fraud.21

Such disclosures are also limited by the aforementioned “minimum necessary” standard,22 with some exceptions.23

Disclosures Without Notification to the Patient

The Privacy Rule outlines the limited conditions under which the use and disclosure of PHI may occur without patient authorization. However, there may be other state or federal laws that require disclosure of certain PHI.24 Generally, situations where disclosure without patient authorization is permissible include:

  • When disclosure is required by law, and said disclosure is limited to the PHI required by said law;25
  • Public health activities and surveillance, such as disease control;26
  • Reporting child abuse or neglect;27
  • Post-market drug surveillance and evaluation activities, such as the reporting of adverse events or defects;28
  • If the covered entity believes an individual is a victim of abuse29 or another crime;30 
  • To reduce the spread of communicable disease;31
  • To a patient’s employer, under limited conditions;32
  • Where such information is needed by health oversight agencies for authorized oversight activities and investigations;33
  • In response to a court or administrative order, a subpoena, a discovery request, or “other lawful process”;34
  • To law enforcement officials, under certain conditions;35 or
  • To aid in identifying or locating a suspect, fugitive, material witness, or missing person.

In the last of these circumstances, the information disclosed is “restricted” to name, address, date and place of birth, social security number, blood type and Rh factor, type of injury, date and time of treatment, date and time of death, and distinguishing physical characteristics.36

Regarding disclosures to law enforcement, such activities could include disclosing PHI in compliance with a court-ordered warrant or subpoena,37 a grand jury subpoena,38 or administrative requests “for which response is required by law.”39 When information is disclosed in compliance with a subpoena or when required by law, it is subject to certain requirements:

  1. The request must be material to a legitimate law enforcement inquiry;40
  2. The request is specific, and the scope of the PHI requested is limited to what is reasonable for the purpose for which the PHI is sought;41 and
  3. De-identified information would not be sufficient to fulfill the request.42

Covered entities may also disclose PHI without authorization for activities when required for the oversight of the healthcare system or the oversight of government benefit programs, such as Medicare and Medicaid. The regulation also includes an exception for oversight of entities for whom PHI is necessary for determining compliance with program standards and when necessary to determine compliance with civil rights laws, which may include the Department of Justice, for example. 

Additionally, a covered entity may disclose PHI if it believes in good faith that the disclosure is necessary to prevent or reduce a serious and imminent threat to health or safety, or to help law enforcement identify or apprehend a person who has committed a violent crime or escaped from custody.43

Reproductive Health Information

Under 45 CFR 164.512(c), which outlines the conditions for permitted disclosures about victims of abuse,44 disclosures for the purpose of reporting abuse are not justifiable if the abuse being alleged is the provision or receipt of reproductive healthcare services.45 This protection flows from a 2024 Biden Administration rule intended to protect patients' reproductive health PHI from being used to conduct criminal, civil, or administrative investigations, to impose liability, or to identify any individual for such purposes.46

This meant that covered entities could not disclose PHI related to the provision of reproductive healthcare to conduct criminal, civil, or administrative investigations where the cause for such an investigation is simply the provision of or access to lawful reproductive healthcare. In June of 2025, these protections were “vacated” by the U.S. District Court for the Northern District of Texas in Purl, et al. v. United States Department of Health and Human Services, et al. Despite the Supreme Court’s ruling in Trump v. CASA, which limits the scope of universal injunctions, the Northern District’s vacating of the rule in Purl has a nationwide effect, primarily because in CASA the Court specifically contemplated Executive Orders.

Psychotherapy Notes

Psychotherapy notes receive additional protection under HIPAA. In most circumstances, patient authorization is required before a covered entity may use or disclose them.47 There are, of course, exceptions, which include use for the purposes of treatment, payment, and health care operations;48 training programs where trainees’ counseling is supervised;49 defense against legal action brought by the individual;50 disclosures required by law;51 and disclosures to law enforcement.52 Pursuant to 45 CFR §164.524(a)(1)(i), patients do not have the right to obtain copies of psychotherapy notes. Disclosures of psychotherapy notes without authorization may also be made if a covered entity believes, in good faith, that the disclosure is necessary to prevent a serious or imminent threat to the public or an individual, including the individual who may be the target of the threat.53

Preemption Standards

Federal laws generally “preempt” state laws that conflict with a federal law, meaning that where a state and federal law conflict or contradict one another, the federal law dominates and “preempts” the state’s contradictory law. This standard comes from the “Supremacy Clause” of Article VI of the U.S. Constitution. Preemption can be either explicit or implicit, meaning that Congress can explicitly outline in legislation how a federal law preempts state laws pertaining to the same issues, or it can be implied by the relevant laws’ structure and purposes. Because HIPAA sets only a floor of federal privacy requirements, it includes certain exceptions to the ordinary preemption standard. When it comes to patient privacy protections, then, the preemption standard applies somewhat differently.

The HIPAA Privacy Rule establishes how states can create other laws on health information and patient privacy that are not preempted. Because of this standard, state laws are not preempted if state or local laws regarding PHI provide greater access rights to patients over their PHI or create more stringent privacy protections for the patient.54 This means that states may enact laws offering stronger protections for patient privacy without conflicting with federal law. For example, a state may prohibit disclosure of certain diagnoses or treatment-related information beyond what HIPAA itself prohibits. State laws can also create reporting requirements for certain PHI, such as certain forms of disease, injury, cause of death, or reporting of child abuse.55

Definitions

Transition-Related Healthcare (TRH) refers to medical treatment that some transgender and gender-diverse (TGD) people access to both reduce the distress of gender dysphoria and to take positive steps towards achieving certain embodiment goals related to their gender identity. Adolescents only receive pediatric TRH (PTRH) after pubertal onset. PTRH may include puberty-pausing medications and gender-affirming hormone therapy. The U.S. Department of Health and Human Services (HHS) has recently used the terms “sex-trait modification procedures” and “sex-rejecting procedures” to refer to TRH. Currently, there is no statutory definition of this care. This definition is a simplification of what is a diverse field of care, which patients may seek for equally diverse purposes.

Civil and Criminal legal cases/liability are differentiated by the severity of the alleged offense, where and how the case may be tried, and the consequences of being found guilty or liable. A guilty verdict in a criminal case may result in an individual paying a monetary fine and/or serving prison time. The outcome of a finding of liability in a civil case may include the return of property, payment of owed damages, and/or an order to stop carrying out the action that led to the suit. Additionally, civil and criminal cases differ in the standard of “proof” required to arrive at a verdict.

“Covered entities,” the entities that must comply with HIPAA, generally include individual and provider group health plans, health care providers (and their workforce), and healthcare information clearinghouses that retain and transmit health information.56 Additionally, “Business Associates” of covered entities may not be considered covered entities themselves, but they are expected to comply with the Privacy Rule as applicable. However, some entities are not covered, and therefore do not have to comply with HIPAA, including certain research foundations, non-billing student healthcare services, pharmaceutical companies, and certain prescription drug monitoring programs.

Protected Health Information is individually identifiable health information transmitted or maintained in any form or medium, created and/or received by a healthcare provider, health plan, or healthcare clearinghouse.57 What constitutes identifying information may be context-specific. Often this includes information such as name, address, social security number, demographic information, past, present, or future physical or mental health condition, treatment details, date of birth, health status, etc. Information that has been “de-identified” is information that, in isolation or in reference to other available information, could not reasonably be expected to identify the subject of the PHI. The HIPAA Privacy Rule provides the standard for de-identification of protected health information, either through the removal of specific identifiers or through the formal determination of a qualified expert utilizing standard statistical tools.

Law enforcement means an officer or employee of any agency, authority, or political subdivision of the United States, a State or territory, or an Indian58 tribe, who is empowered by law to investigate and prosecute violations of the law and/or conduct criminal, civil, or administrative proceedings arising from an alleged violation of law. Any political subdivision, such as city law enforcement and county law enforcement, is covered under the exception for law enforcement.

Required by law means a mandate contained in law that compels an entity to make disclosures, including court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or authorized investigative demand. This may also include conditions of participation under federal or state health benefit programs (or other benefit programs) and statutes or regulations that require the production of information.

Health Oversight Agency is an agency of the United States, a State, a territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency (employees or agents of such public agency or its contractors), that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility and compliance, or to enforce civil rights laws for which health information is relevant. A political subdivision of a state, such as special hospital districts or county health departments, may be covered under the related exception for public health agencies. 

Notes

1. Enhancing Privacy, Improving Health Through Research (2009), https://www.ncbi.nlm.nih.gov/books/NBK9573/.
2. 45 CFR 164.520(a).
3. Pursuant to requirements for personal representatives in 45 CFR 164.502(g), several critical exceptions to the personal representative standard exist.
4. 45 CFR 164.502(a)(2).
5. 45 CFR 164.528(a)(1).
6. 45 CFR 164.528(a)(1)(i).
7. 45 CFR 164.528(a)(1)(iii).
8. 45 CFR 164.528(a)(1)(v).
9. 45 CFR 164.528(a)(1)(vi-vii).
10. 45 CFR 164.528(a)(2).
11. For example, in 2022, Gov. Abbott of Texas issued a "directive" advancing an argument that certain gender affirming care treatments constituted "abuse" and triggered mandatory reporting under the state's child abuse law. Because the structure of the applicable law did not actually mandate reporting in the case of Gov. Abbott's 'directive,' patient authorization would have been required.
12. 45 CFR 164.512(f)(1)(ii)(C)(1-3).
13. 45 CFR 164.502(b).
14. 45 CFR 164.502(b).
15. 45 CFR Part 160 Subpart C.
16. 45 CFR 164.502(b)(2)(v).
17. 45 CFR 164.502(b)(2).
18. 45 CFR 164.502(a).
19. 45 CFR 164.506; 45 CFR 164.524(a).
20. 45 CFR 164.506(a)&(c).
21. 45 CFR 164.506(c)(4)(ii).
22. 45 CFR 164.502(b).
23. 45 CFR 164.502(b)(2)(i-vi).
24. 45 CFR 164.512(a).
25. 45 CFR 164.512(a).
26. 45 CFR 164.512(b)(1)(i); 45 CFR 164.512(b)(1)(iv).
27. 45 CFR 164.512(b)(1)(ii).
28. 45 CFR 164.512(b)(1)(iii).
29. 45 CFR 164.512(c).
30. 45 CFR 164.512(f)(3).
31. 45 CFR 164.512(b)(1)(iv).
32. 45 CFR 164.512(b)(1)(v).
33. 45 CFR 164.512(b)(2); 45 CFR 164.512(d). These may include audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of the healthcare system, health benefit programs to the extent relevant to beneficiary eligibility, and/or for civil rights enforcement.
34. 45 CFR 164.512(e). This is not an investigative context, except to the extent that discovery aids litigants in investigating relevant evidence.
35. 45 CFR 164.512(f). This section (f) relates to investigations by law enforcement, and requests they make via a warrant or judicial subpoena, a grand jury subpoena, or administrative subpoena/CID.
36. 45 CFR §164.512(f)(2); Office for Civil Rights, When Does the Privacy Rule Allow Covered Entities to Disclose Protected Health Information to Law Enforcement Officials? (Dec. 28, 2022), https://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html.
37. 45 CFR §164.512(f)(1)(ii)(A).
38. 45 CFR §164.512(f)(1)(ii)(B).
39. 45 CFR 164.512(f)(1)(ii)(C).
40. 45 CFR §164.512(f)(1)(ii)(C)(1).
41. 45 CFR §164.512(f)(1)(ii)(C)(2).
42. 45 CFR §164.512(f)(1)(ii)(C)(3).
43. 45 CFR §164.512(j).
44. 45 CFR 164.512(c).
45. 45 CFR 164.512(c)(3).
46. https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html.
47. 45 CFR 164.508(a)(2).
48. 45 CFR 164.508(a)(2)(i)(A).
49. 45 CFR 164.508(a)(2)(i)(B).
50. 45 CFR 164.508(a)(2)(i)(C).
51. 45 CFR §164.512(a)(2).
52. 45 CFR 164.512(a); 45 CFR 164.508(a)(2)(ii).
53. 45 CFR 164.512(j)(1)(i).
54. 45 CFR 160.203(b).
55. 45 CFR 160.203(d).
56. Defined under 45 CFR § 160.103.
57. Defined under 45 CFR § 160.103.
58. This language reflects the language used in statutory definitions, though it is likely not the ideal affirming terminology to describe lands under the jurisdiction of federally recognized North American Indigenous tribes.
