Federal subpoenas for transgender care records raise medical privacy concerns and put providers in a legal bind – a health law expert explains what’s at stake

The US Department of Justice has issued over 20 subpoenas to doctors and clinics treating transgender patients under age 19, raising medical privacy concerns and putting providers in a legal bind.
The subpoenas seek virtually any aspect of care provided, including highly confidential documents like psychotherapy notes, which is unusual and pushes against the bounds of legal protections on health information.
Healthcare providers are not required to disclose protected health information in response to a subpoena, but they may face consequences for doing so, such as court contempt if they don’t comply. HIPAA regulations outline requirements for responding to subpoenas, including getting patient authorization and notifying patients of the request.
The subpoenas have sown fear and concern among providers and patients, even in states where providing gender-affirming care to minors is legal, and some have decided not to provide such care as a result. Shield laws in 18 states offer additional privacy protections for those receiving or providing gender-affirming care.
The outcome of the subpoenas will depend on how they are handled in court, with potential claims under federal health care fraud statutes, the Food, Drug, and Cosmetic Act, and other laws. The resolution may take time, and medical privacy laws were passed to help patients feel comfortable seeking medical care – which is likely to be harder due to government intrusion on medical privacy.

Under medical privacy regulations, health care providers can disclose health information in response to a subpoena, but they are not required to. designer491/iStock via Getty Images

On Sept. 10, 2025, a federal judge blocked the Department of Justice’s attempt to subpoena medical records and other private health information on minors receiving hormone therapy and other gender affirming care at Boston Children’s Hospital.

The move is the first public legal decision after the Department of Justice, in July, issued more than 20 subpoenas to doctors and clinics treating transgender patients under age 19.

A subpoena to Children’s Hospital of Philadelphia, made public by The Washington Post on Aug. 20, demanded documents that are related to virtually any aspect of the care provided, including highly confidential documents like psychotherapy notes.

According to news reports, the Justice Department subpoenas have sown fear and concern, both among people whose information is sought and among the doctors and other providers who offer such care. Some health providers have reportedly decided to no longer provide gender-affirming care to minors as a result of the inquiries, even in states where that care is legal.

I’m a law professor at the University of Virginia specializing in health law. I spend a lot of time teaching future lawyers and medical professionals how medical privacy laws work. Normally, subpoenas demand information relating to specific crimes. But these subpoenas are unusual in how much information they seek, while giving no inkling of any alleged crimes that may have been committed.

The subpoenas also push against the bounds of legal protections on health information.

What is HIPAA and why did Congress pass the legislation?

In the 1990s, growing use of the internet made it increasingly easier to violate people’s health care privacy. Some notorious breaches of privacy involving celebrities, such as USA Today’s revelation that tennis champion Arthur Ashe had AIDS, drove the point home. Genetic testing was also becoming prevalent in clinical care, raising concerns about the privacy of peoples’ genetic information.

In response, Congress passed the Health Insurance Portability and Accountability Act, or HIPAA, in 1996. The legislation required the Department of Health and Human Services to develop a set of privacy regulations specific to health care. These regulations went into force in 2003.

HIPAA prohibits health care providers and people working with them, such as administrative staff, laboratories, pharmacies and health insurers, as well as businesses, from disclosing patients’ health information without their permission. The regulations cover everything in a patient’s medical record as well as any documents or information kept by their health provider relating to their health care.

Most if not all of the information sought by Justice Department subpoenas is the type of information typically covered by HIPAA, meaning that it would generally be illegal for health care providers to disclose it.

DoJ subpoenas relating to transgender youth care push against the bounds of legal protections on health information.

Does HIPAA constrain providers’ response to subpoenas?

HIPAA’s privacy rule has a few exceptions, however – and responding to a subpoena is one of them.

The regulations permit but do not require health care providers to disclose protected health information in response to a subpoena. In other words, providers may choose not to comply with a subpoena. Notably, however, they may face consequences for doing so. For example, a court might find a provider in contempt if it does not disclose the requested information. That can leave health care providers in a difficult position, caught between their interests in protecting their patients and obligations demanded by courts or law enforcement.

If health care providers do choose to share HIPAA-protected health information in response to a subpoena, the regulations outline certain requirements that both providers and, in this case, the government, must follow. Providers must get written authorization from patients before disclosing some types of information, such as psychotherapy notes.

The government, meanwhile, must notify patients whose health information it seeks and provide them with enough information about the crimes or other legal violations that it is investigating so that they can decide whether they want to object to the subpoena. It must also give patients enough time to do so.

The government must also wait until after that time period ends before taking any action on providers’ compliance with the subpoenas. And it must certify to providers that it has followed these rules and that the court has resolved any objections patients may have filed.

Finally, HIPAA requires that when health care providers do disclose protected health information, they disclose the “minimum necessary” to accomplish the intended purpose of the subpoena or other legal request. In the context of a subpoena, that means the health care provider must ascertain the purpose, accuracy and legality of the subpoena before disclosing any information.

The subpoena to the Children’s Hospital of Pennsylvania provides very little information about the government’s allegations, so without more information, the health care providers would be unable to determine the minimum necessary here.

How might shield laws affect privacy protections?

HIPAA acts as a floor for privacy protections. In other words, states cannot pass laws that reduce those privacy protections. But they can introduce laws that offer more protection. Eighteen states and the District of Columbia have so-called shield laws that offer protections both for those providing and those receiving gender-affirming care.

Shield laws are state laws that protect individuals from being required to reveal specific types of information. In the context of gender-affirming care, most of these laws are designed to limit the effect another state’s laws might have on care performed in the state with the shield law. For example, if someone travels from a state where gender-affirming care is banned and receives that care in another state where it is legal, a shield law may protect the people who received or provided the care against civil or criminal charges from the state where the care is banned.

A protest sign saying, We don't want your cis kids to be trans, we want your trans kids to survive — The DOJ subpoenas have sown fear and concern among providers and patients, even in states where providing gender-affirming care to minors is legal.
Nadav Spiegelman, CC BY-NC-SA

Some state shield laws may offer additional privacy protections. For example, Washington law on protected health services does not permit health care providers to respond to any requests for information from out of state that are related to investigations or proceedings relating to services lawfully provided in Washington.

It remains to be seen whether the federal courts will uphold these shield laws, and it is not clear whether they apply at all against a federal subpoena.

How will this play out?

Both the health care providers that have been subpoenaed and the individuals whose health information has been requested may raise objections to the subpoenas.

At this point, the Justice Department has not revealed the underlying claims it intends to pursue. Based on its press release, which mentions “health care fraud,” it seems likely that the government intends to pursue claims under the federal health care fraud statute and the False Claims Act for failing to meet federal requirements or for providing fraudulent billing or claims.

The government may decide to proceed under the Food, Drug, and Cosmetic Act, perhaps alleging that physicians somehow used a drug or device for a prohibited purpose. Given that the press release about the subpoenas refers to “mutilated children,” it is even possible that in some instances, the government might allege violations of a federal law against female genital mutilation. That law was passed to prohibit the removal of female genitals for nonmedical, usually cultural, reasons.

Before any of the subpoenaed health care providers or the people whose health information the government requested can determine how to respond to the subpoenas, they will need more information about the underlying claims. Their lawyers may move to dismiss or modify the subpoenas because they are so broad, arguing that they amount to a fishing expedition rather than a targeted investigation – as Boston Children’s Hospital has done.

These issues will undoubtedly continue to be decided in the courts, and their resolution may take some time. More broadly, however, medical privacy laws were passed to help patients feel comfortable seeking medical care – and the government’s intrusion on medical privacy is likely to make that harder.

Margaret Riley does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.

link

Q. What is the main concern raised by federal subpoenas for transgender care records?

A. The main concern is that these subpoenas raise medical privacy concerns and put providers in a legal bind, as they may be required to disclose confidential information without their patients’ consent.

Q. Why did Congress pass the Health Insurance Portability and Accountability Act (HIPAA) in 1996?

A. Congress passed HIPAA in response to growing concerns about health care privacy due to the increasing use of the internet and genetic testing, as well as notorious breaches of privacy involving celebrities.

Q. What are the exceptions to HIPAA’s privacy rule when it comes to responding to subpoenas?

A. HIPAA permits but does not require health care providers to disclose protected health information in response to a subpoena, although they may face consequences for doing so if they choose not to comply.

Q. How do shield laws affect privacy protections related to gender-affirming care?

A. Shield laws offer additional privacy protections by limiting the effect of another state’s laws on care performed in a state with a shield law, and some states have introduced laws that offer more protection than HIPAA.

Q. What is the purpose of the “minimum necessary” requirement under HIPAA when it comes to responding to subpoenas?

A. The minimum necessary requirement means that health care providers must ascertain the purpose, accuracy, and legality of the subpoena before disclosing any information, and only disclose the minimum amount of information necessary to accomplish the intended purpose.

Q. How might shield laws affect the government’s ability to obtain health care records?

A. Shield laws may limit the government’s ability to obtain health care records from out-of-state providers, as some states have introduced laws that prohibit responding to requests for information related to investigations or proceedings in other states.

Q. What are some of the potential claims that the Justice Department might pursue under federal law if it obtains the subpoenas?

A. The Justice Department may pursue claims under the federal health care fraud statute and the False Claims Act, as well as allegations under the Food, Drug, and Cosmetic Act or a federal law against female genital mutilation.

Q. How might medical privacy laws impact patients’ willingness to seek medical care?

A. Medical privacy laws were passed to help patients feel comfortable seeking medical care, and the government’s intrusion on medical privacy is likely to make that harder.

Q. What is the current status of the Justice Department’s subpoenas for transgender care records?

A. The federal judge blocked the Department of Justice’s attempt to subpoena medical records from Boston Children’s Hospital, but the issue remains unresolved, and it is unclear whether the government will appeal the decision or modify its approach.