The page below was updated in 2023, but this is a rapidly shifting legal space, so please be aware that this information may not be current. When exploring medical privacy issues, it's very useful to have an overview of the laws that affect control and privacy of medical information. We encourage you to read our legal overview.
Medical information can reveal a lot about us: what medications we take, what conditions we have, and much more. Many of us assume that information is protected from disclosure by “doctor-patient confidentiality.” In fact, many entities, including law enforcement, can get access to medical data. Knowing how law enforcement agencies and officials can obtain medical information is especially critical in the wake of the U.S. Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, which held that the U.S. Constitution does not protect the right to an abortion. Law enforcement officials in states that have passed laws banning or severely restricting abortion access may seek reproductive healthcare records as they investigate and penalize individuals suspected of violating these laws.
Both federal and state laws govern law enforcement access to medical information. The federal Health Insurance Portability and Accountability Act (HIPAA) creates the baseline medical privacy standards, and some states have adopted additional protections. For example, California’s Confidentiality of Medical Information Act (CMIA) has stricter requirements for law enforcement access to medical data. We’ll discuss both laws below.
Note: in Fall 2022, the Department of Health and Human Services (HHS), which enforces HIPAA, issued guidance on HIPAA in response to the Dobbs decision.
You can check out other states’ laws here.
HIPAA’s Privacy Rule establishes requirements for the use, disclosure, and storage of protected health information (PHI). PHI is individually identifiable physical and mental health information that is created, maintained, used, or obtained by a HIPAA-covered entity or a business associate of a HIPAA covered entity.
The Privacy Rule applies to covered entities, including providers (like doctors, psychologists, and pharmacies), health insurance plans, and other entities like billing services. It also applies to business associates that perform special functions involving PHI on behalf of a covered entity, such as a third party administrator that helps a health plan with claims processing. It does not apply to many other third parties that may have some access to health information, such as a health app not provided by an insurer or hospital, or a search engine used to find health-related information.
An important aspect of HIPAA is the “minimum necessary” standard, which provides in many cases that covered entities and business associates “must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
HIPAA permits–but does not require–a covered entity or business associate to disclose a patient’s PHI to law enforcement under some circumstances. HIPAA normally requires patient authorization, and the opportunity for the individual to agree or object. Some HIPAA disclosures, however, require less or different processes, such as those “required by law,” defined as mandates “contained in law” to use or disclose PHI “that is enforceable in a court of law.” For instance, the “minimum necessary” standard does not apply to “required by law” disclosures.
First, HIPAA permits disclosure to law enforcement when disclosure is ordered by a court or a grand jury. In these situations, the disclosure must adhere to the requirements of the external process.
Second, HIPAA permits disclosure to respond to an administrative request. Such disclosures are technically permissible, however, only if the “information sought is relevant and material to a legitimate law enforcement inquiry,” the “request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought,” and “[d]e-identified information could not reasonably be used.”
Third, HIPAA permits disclosure to law enforcement without any judicial or administrative oversight when:
- disclosure is required by another law (for example, many states have laws requiring reporting of certain types of physical injuries or wounds);
- the PHI sought is about the victim or suspected victim of a crime (either the person’s consent is needed or, if the covered entity with the PHI cannot get consent due to incapacity or emergency circumstances, then law enforcement must represent that the person is not a suspect and that they cannot wait for the person to agree, and the covered entity must determine that the disclosure, in its professional judgment, is in the patient’s best interests, with special rules for victims of child abuse or neglect, elder abuse or neglect, or domestic violence);
- a patient’s death may have resulted from criminal conduct;
- a crime has occurred on the covered entity’s or business associate’s premises (but the disclosing entity must believe in good faith that the PHI is evidence of criminal conduct that occurred on its premises);
- a medical emergency occurs off the entity’s premises, and PHI disclosure is needed to alert law enforcement of a possible crime, with special rules if the entity believes the medical emergency was the result of abuse, neglect, or domestic violence; or,
- disclosure would prevent or mitigate a serious and immediate threat to health and safety; this exception is ringed with safeguards.
Lastly, HIPAA permits disclosure to law enforcement at law enforcement’s request—without judicial or administrative oversight—when the PHI is needed to apprehend the perpetrator of a violent crime or a fugitive from lawful custody, or to identify or locate a suspect, fugitive, material witness, or missing person. In these instances, HIPAA only permits disclosure of select (but revealing) information: name and address; date and place of birth; Social Security number; ABO blood type and Rh factor; type of injury; date and time of treatment; date and time of death, if applicable; and a description of distinguishing physical characteristics, such as eye color, height, and weight. HIPAA does not permit disclosure of a patient’s DNA, DNA analysis, dental records, or typing, samples, or analysis of body fluids or tissue without the patient’s consent, a court order, or an administrative request.
A different federal statute governs disclosure of substance abuse records, but HIPAA does govern the disclosure of psychotherapy notes. HIPAA prohibits disclosure of psychotherapy notes to law enforcement without a patient’s authorization unless disclosure would avert a serious threat to health or safety; this category, however, is extremely narrow.
Patients, providers, and law enforcement should be aware that there are exceptions to the exceptions. For example, the exception permitting disclosure to avert a serious threat to health or safety applies only where such disclosure is “consistent with applicable standards of ethical conduct.” According to the American Medical Association and the American College of Obstetricians and Gynecologists, disclosure of confidential reproductive healthcare information is contrary to professional and ethical standards. HIPAA would therefore not permit disclosures of reproductive health information to law enforcement under this exception.
But in a state that has outlawed or restricted abortion, what happens when law enforcement is investigating a suspected abortion? Law enforcement could obtain a court order for reproductive health care records. If so, HIPAA would permit a covered entity or its business associate to share that PHI with law enforcement. Further, state officials are increasingly using fetal homicide and child abuse laws to prosecute pregnancy loss. In such a state, a court could issue an order for reproductive health records, and HIPAA would allow the disclosure.
Law enforcement can obtain this information in a variety of ways, which is why it can be important to protect your digital privacy where possible. Because digital service providers of all kinds play a role in facilitating access to health information, education, and care, we recommend these services take steps to protect their users’ privacy.
Very soon after Dobbs came down, HHS issued guidance on the HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care and Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet. In December 2022, HHS also released a Bulletin on Requirements under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information.
In April 2023, HHS issued a Notice of Proposed Rulemaking expressly designed to address the consequences of Dobbs, noting that “information related to reproductive health care, which has long been considered highly sensitive, [is] more likely to be of interest for punitive non-health care purposes …. even where the reproductive health care has been provided under circumstances in which it was lawful.” 88 FR 23506, 23516 (2023). As of this writing, the proceeding is pending, and no rules have been finalized.
CMIA is more privacy-protective than HIPAA, in part because it applies more broadly. CMIA applies to healthcare providers, service plans, and contractors, and California defines a healthcare provider to include mobile applications or similar technologies that allow patients or providers to manage and access the patient’s medical information for the purposes of diagnosis, treatment, or management of a medical condition. So CMIA, unlike HIPAA, protects medical information stored on a fertility tracking app, for example.
But neither law protects all health-related data on a digital device. For example, CMIA wouldn’t protect notes someone took on a note-taking app describing their treatment plan for a condition because such an app would fall outside of CMIA’s “healthcare provider” definition. Further, like HIPAA, CMIA does not protect data held by third parties, such as the content of your internet searches; whether data is “medical information” depends on its provenance.
CMIA generally requires a provider of healthcare, a health care service plan, or a contractor to disclose medical information to law enforcement when ordered by a court pursuant to the California Penal Code. The Penal Code requires disclosure to law enforcement if the patient consents, when authorized by a court-issued warrant based on probable cause, or when authorized by a court order with a showing of “good cause.” In looking at “good cause,” a court weighs the need for disclosure against the potential privacy violation to the patient and injury to the patient’s treatment, as well as the likelihood that disclosure will yield valuable information or evidence.
CMIA permits, but does not require, disclosure to law enforcement when disclosure is authorized by some other law, like a law requiring mandatory reporting of child abuse or neglect. Also, a provider of psychotherapy may disclose medical information if the therapist believes it is necessary to prevent or lessen a serious and immediate threat to someone’s health or safety. [1]
This is in contrast to HIPAA, which permits disclosure in compliance with an administrative (non-court) order, and without any judicial or administrative oversight in many circumstances.
In 2022, the California legislature passed new laws to increase Californians’ reproductive health care privacy. A.B. 2091 amended CMIA and other California statutes to prohibit disclosure of abortion-related medical information in response to a court order based on either an out-of-state law that conflicts with California’s abortion rights, or an out-of-state penal civil action.
Relatedly, A.B. 1242 amended the Penal Code to forbid state and local government agencies and their employees in California (including law enforcement) from providing information about an abortion that is lawful in the state of California to any individual or out-of-state agency.
While federal and state laws control when law enforcement can gain access to reproductive health information from providers, health insurance companies, and other entities, you can still take steps to protect your sensitive health information. While they aren’t foolproof, using tools like a virtual private network (VPN), encrypted messaging, or an anonymous email address when browsing or communicating about reproductive health care may help keep that activity more private.
[1] The Tarasoff provision, Civ. C. § 56.10(c)(19): permissive disclosure, not mandatory.