Federal subpoenas for transgender care records raise medical privacy concerns and put providers in a legal bind – a health law expert explains what’s at stake

On Sept. 10, 2025, a federal judge blocked the Department of Justice’s attempt to subpoena medical records and other private health information on minors receiving hormone therapy and other gender affirming care at Boston Children’s Hospital.

The move is the first public legal decision after the Department of Justice, in July, issued more than 20 subpoenas to doctors and clinics treating transgender patients under age 19.

A subpoena to Children’s Hospital of Philadelphia, made public by The Washington Post on Aug. 20, demanded documents that are related to virtually any aspect of the care provided, including highly confidential documents like psychotherapy notes.

According to news reports, the Justice Department subpoenas have sown fear and concern, both among people whose information is sought and among the doctors and other providers who offer such care. Some health providers have reportedly decided to no longer provide gender-affirming care to minors as a result of the inquiries, even in states where that care is legal.

I’m a law professor at the University of Virginia specializing in health law. I spend a lot of time teaching future lawyers and medical professionals how medical privacy laws work. Normally, subpoenas demand information relating to specific crimes. But these subpoenas are unusual in how much information they seek, while giving no inkling of any alleged crimes that may have been committed.

The subpoenas also push against the bounds of legal protections on health information.

What is HIPAA and why did Congress pass the legislation?

In the 1990s, growing use of the internet made it increasingly easier to violate people’s health care privacy. Some notorious breaches of privacy involving celebrities, such as USA Today’s revelation that tennis champion Arthur Ashe had AIDS, drove the point home. Genetic testing was also becoming prevalent in clinical care, raising concerns about the privacy of peoples’ genetic information.

In response, Congress passed the Health Insurance Portability and Accountability Act, or HIPAA, in 1996. The legislation required the Department of Health and Human Services to develop a set of privacy regulations specific to health care. These regulations went into force in 2003.

HIPAA prohibits health care providers and people working with them, such as administrative staff, laboratories, pharmacies and health insurers, as well as businesses, from disclosing patients’ health information without their permission. The regulations cover everything in a patient’s medical record as well as any documents or information kept by their health provider relating to their health care.

Most if not all of the information sought by Justice Department subpoenas is the type of information typically covered by HIPAA, meaning that it would generally be illegal for health care providers to disclose it.

Does HIPAA constrain providers’ response to subpoenas?

HIPAA’s privacy rule has a few exceptions, however – and responding to a subpoena is one of them.

The regulations permit but do not require health care providers to disclose protected health information in response to a subpoena. In other words, providers may choose not to comply with a subpoena. Notably, however, they may face consequences for doing so. For example, a court might find a provider in contempt if it does not disclose the requested information. That can leave health care providers in a difficult position, caught between their interests in protecting their patients and obligations demanded by courts or law enforcement.

If health care providers do choose to share HIPAA-protected health information in response to a subpoena, the regulations outline certain requirements that both providers and, in this case, the government, must follow. Providers must get written authorization from patients before disclosing some types of information, such as psychotherapy notes.

The government, meanwhile, must notify patients whose health information it seeks and provide them with enough information about the crimes or other legal violations that it is investigating so that they can decide whether they want to object to the subpoena. It must also give patients enough time to do so.

The government must also wait until after that time period ends before taking any action on providers’ compliance with the subpoenas. And it must certify to providers that it has followed these rules and that the court has resolved any objections patients may have filed.

Finally, HIPAA requires that when health care providers do disclose protected health information, they disclose the “minimum necessary” to accomplish the intended purpose of the subpoena or other legal request. In the context of a subpoena, that means the health care provider must ascertain the purpose, accuracy and legality of the subpoena before disclosing any information.

The subpoena to the Children’s Hospital of Pennsylvania provides very little information about the government’s allegations, so without more information, the health care providers would be unable to determine the minimum necessary here.

How might shield laws affect privacy protections?

HIPAA acts as a floor for privacy protections. In other words, states cannot pass laws that reduce those privacy protections. But they can introduce laws that offer more protection. Eighteen states and the District of Columbia have so-called shield laws that offer protections both for those providing and those receiving gender-affirming care.

Shield laws are state laws that protect individuals from being required to reveal specific types of information. In the context of gender-affirming care, most of these laws are designed to limit the effect another state’s laws might have on care performed in the state with the shield law. For example, if someone travels from a state where gender-affirming care is banned and receives that care in another state where it is legal, a shield law may protect the people who received or provided the care against civil or criminal charges from the state where the care is banned.

Some state shield laws may offer additional privacy protections. For example, Washington law on protected health services does not permit health care providers to respond to any requests for information from out of state that are related to investigations or proceedings relating to services lawfully provided in Washington.

It remains to be seen whether the federal courts will uphold these shield laws, and it is not clear whether they apply at all against a federal subpoena.

How will this play out?

Both the health care providers that have been subpoenaed and the individuals whose health information has been requested may raise objections to the subpoenas.

At this point, the Justice Department has not revealed the underlying claims it intends to pursue. Based on its press release, which mentions “health care fraud,” it seems likely that the government intends to pursue claims under the federal health care fraud statute and the False Claims Act for failing to meet federal requirements or for providing fraudulent billing or claims.

The government may decide to proceed under the Food, Drug, and Cosmetic Act, perhaps alleging that physicians somehow used a drug or device for a prohibited purpose. Given that the press release about the subpoenas refers to “mutilated children,” it is even possible that in some instances, the government might allege violations of a federal law against female genital mutilation. That law was passed to prohibit the removal of female genitals for nonmedical, usually cultural, reasons.

Before any of the subpoenaed health care providers or the people whose health information the government requested can determine how to respond to the subpoenas, they will need more information about the underlying claims. Their lawyers may move to dismiss or modify the subpoenas because they are so broad, arguing that they amount to a fishing expedition rather than a targeted investigation – as Boston Children’s Hospital has done.

These issues will undoubtedly continue to be decided in the courts, and their resolution may take some time. More broadly, however, medical privacy laws were passed to help patients feel comfortable seeking medical care – and the government’s intrusion on medical privacy is likely to make that harder.