Considerations for Health Care Providers in Responding to Subpoenas and Similar Legal Demands

01.06.2026

When a health care provider receives a subpoena or similar demand for patient information, the response can be fraught with legal risk. Providers often feel confused and pressured to comply—sometimes leading to inadvertent violations of federal and state privacy laws. This Client Alert addresses key considerations for such providers.

Legal Framework

Health care, more so than other industries, is subject to significant and multi-layered privacy restrictions, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), state privacy laws, and, under some circumstances, the special federal confidentiality protections for substance use disorder services. These laws operate in tandem, creating a complicated compliance framework that may apply differently based on the type of provider, the information requested, and the nature of the demand.

HIPAA

HIPAA sets federal standards for the privacy of “protected health information” (PHI) and applies to covered entities (e.g., most health plans and health care providers) and their business associates. Generally, PHI cannot be disclosed without patient consent, except as specifically permitted by HIPAA.

One such exception permits disclosure as “required by law,”1 which can include disclosures for judicial and administrative proceedings in response to a court order (or order of an administrative tribunal), and disclosures in response to a subpoena, discovery request, or other lawful process that is not accompanied by an order, if the regulated entity receives “satisfactory assurance” from the party seeking the information that reasonable efforts have been made to notify the patient of the request or that a HIPAA-compliant protective order is in place.2 This exception also permits certain disclosures “for a law enforcement purpose to a law enforcement official,” and about victims of abuse, neglect, or domestic violence, each under certain conditions.3

Critically, even if an exception applies, regulated entities still must disclose only the minimum necessary information.4 An overly broad disclosure could result in regulatory enforcement and civil litigation, as discussed below.

Part 2 Rules

In addition to HIPAA, most providers of substance use disorder diagnosis and treatment (“SUD”) services are subject to the federal confidentiality protections for SUD treatment in 42 U.S.C. § 290dd-2 and 42 C.F.R. Part 2. These laws are commonly referred to as the “Part 2 rules,” and providers who provide SUD treatment are commonly referred to as “Part 2 programs.”

Part 2 program information is subject to extremely strict and complex confidentiality requirements that cover not only documents but also oral testimony about information within such documents.5

For example, the Part 2 rules generally prohibit a Part 2 program from even acknowledging the presence of a patient, except with the patient’s consent or an authorizing court order that is compliant with the Part 2 rules. Thus Part 2 programs should be careful not to confirm or deny the presence of any particular patient, even in correspondence objecting to an improper subpoena.6

The rules expressly require “unconditional compliance” even if the person seeking the information is a “government official, has a subpoena, or asserts any other justification for a disclosure.”7 Providers should proceed with utmost caution, because the rules have separate and specific requirements for court orders, depending on the type of order involved, and failure to comply exposes the violator to criminal penalties.8

To give an example of how particular the Part 2 rules can be, an order authorizing the disclosure of Part 2 patient records (or testimony relaying the information contained in those records) for purposes of a criminal investigation or prosecution of a patient can only be obtained as follows:

  • the party seeking disclosure must file an application with the court requesting the order, using a fictitious name for the patient and without any patient-identifying information;
  • the party seeking disclosure must provide the Part 2 program with adequate notice and an opportunity to respond, which notice must not disclose patient identifying information to other persons;
  • any oral argument, review of evidence, or hearing on the application must be held in the judge’s chambers or in some other manner to prevent unauthorized disclosure; and
  • the party seeking disclosure must demonstrate to the court’s satisfaction that the crime involved is of an “extremely serious” nature (e.g., homicide), that the records or testimony will disclose information of substantial value to the investigation or prosecution and cannot be obtained by other means, and that the public interest outweighs the potential injury to the patient, to the physician-patient relationship, and to the ability of the Part 2 program to provide services to other patients.9

State Laws

The compliance environment is further complicated by the many States that impose their own privacy restrictions that exist alongside HIPAA and which may establish separate – and more onerous – obligations on regulated entities.

For example, North Carolina law imposes strict limits on the disclosure of records related to mental health, developmental disabilities, and substance abuse treatment.10 Disclosure is permitted only in the following circumstances:

  • written consent by the patient or a legally responsible person;
  • a court order compelling disclosure, or for filing a petition for involuntary commitment or adjudication of incompetency;
  • coordination of care, when sharing information with other providers for treatment purposes; and
  • de-identified disclosures for research or planning purposes.

Tennessee, on the other hand, has the “Patient’s Privacy Protection Act,” which prohibits the disclosure of the name, address, and other identifying information of a patient except for:

  • statutorily required reporting to health or government authorities;
  • access by an interested third-party payor for administrative functions;
  • access by health care providers from whom the patient receives or seeks care;
  • use of limited information for directory purposes, as long as the patient does not object; and
  • responding to requests by the Office of Inspector General or Medicaid Fraud Unit with respect to an ongoing investigation.11

This State law could form the basis of patient-initiated litigation for improper disclosure of identifying information – creating an additional layer of legal risk for providers.

Health care providers must therefore analyze applicable State laws in addition to navigating federal considerations when considering how to comply with subpoenas and other legal demands, especially if they operate across multiple States.

Recent Developments

Recent legal developments underscore why providers must tread carefully when responding to subpoenas and similar demands. These cases illustrate both the complexity of the governing laws and the significant risks of noncompliance.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has pursued enforcement actions for noncompliant disclosures of PHI, and state attorneys general and health departments have done the same with respect to violations of state privacy laws. In September 2025, for example, OCR announced a settlement with a rehabilitation, skilled nursing, and long-term care provider for disclosing PHI in the form of “success stories” on its website, without proper authorization.

Additionally, although HIPAA does not provide for a private right of action, patients whose information was unlawfully disclosed could bring privacy-based claims in the form of class action lawsuits, including in cases where disclosures exceeded HIPAA’s “minimum necessary” standard.

With respect to gender affirming care (GAC), for example, several states have enacted “shield laws,” prohibiting disclosure in response to out-of-state subpoenas, warrants, or court orders respecting healthcare that is lawful under the laws of the “shield state.”12 Some “shield laws” expressly permit civil lawsuits arising out of any violations.

One recent example of a patient-initiated lawsuit involved Vanderbilt University Medical Center’s response to civil investigative demands issued by the Tennessee Attorney General for GAC patient records. VUMC’s disclosure prompted an ongoing investigation by OCR into whether the disclosures were lawful, as well as a state class-action privacy suit against VUMC.

In light of this legal landscape, providers need not respond automatically and in full to any subpoena or similar legal demand received. Rather, a more thoughtful approach is warranted.

Recent events show how some health care providers have approached this issue. In July of 2025, the U.S. Department of Justice (DOJ) issued more than 20 subpoenas to providers of GAC for minors. Some state attorneys general, including in Missouri and Texas, have issued similar civil investigative demands and subpoenas, seeking extensive records and internal communications. The state-level demands sought, at most, all electronic health records of patients receiving GAC and, at the very least, certain medical records (diagnoses, prescriptions, and treatment information) of such patients. The DOJ’s subpoenas were far more encompassing, demanding not only medical records, but personally identifying information including patient names, dates of birth, home addresses, and social security numbers.

Several providers have challenged the subpoenas in court, filing Motions to Quash the subpoenas as overly broad, seeking information protected by HIPAA and/or state privacy laws, lacking a legitimate investigative purpose, and/or made in bad faith. Federal judges in Massachusetts and Washington have granted such motions filed by Boston Children’s Hospital and QueerDoc, respectively, finding that the DOJ failed to demonstrate a proper, legitimate investigative purpose, and was motivated by bad faith. These rulings may serve as precedent for other providers facing similarly expansive legal demands from law enforcement. Legal challenges over subpoenas to other GAC providers in California, Pennsylvania, and other states are still underway.

These challenges and rulings are only a partial illustration of the strict framework applicable to subpoenas and other legal demands, under which noncompliance exposes health care providers to significant legal and financial risk. Those risks underscore the importance of familiarity and compliance with that framework.

Policies and Procedures

Together, these laws necessitate that a provider carefully evaluate subpoenas and other legal demands and have policies in place to ensure that any response is furnished in compliance with applicable law. These policies should address, at minimum, the types of information the health care provider maintains, and should designate an individual primarily responsible for intake and assessment of subpoenas soliciting PHI. An experienced health care attorney can help draft such a policy and can provide guidance in responding to legal demands.

This Alert provides an update on a legal development. It is not intended as legal advice. If you have questions, contact a member of our Brooks Pierce Health Care Team.

1 45 C.F.R. § 164.512(a).

2 45 C.F.R. § 164.512(e).

3 45 C.F.R. § 164.512(f), (c).

4 45 C.F.R. § 164.514(d).

5 Although the Part 2 rules often use the term “records” when referring to the protected information, “records” is defined broadly to include both documents and oral communications, such as testimony about records and treatment. 42 C.F.R. § 2.11; 42 U.S.C. § 290dd-2(c) (except as otherwise authorized by an appropriate court order or by the patient’s consent, a record or testimony relaying protected information may not be disclosed or used in any civil, criminal, administrative, or legislative proceedings, including criminal prosecutions in State court).

6 42 C.F.R. § 2.13(c).

7 42 C.F.R. § 2.13.

8 42 C.F.R. § 2.64 (order to disclose in non-criminal matters); § 2.65 (order to disclose for criminally investigating or prosecuting patients); § 2.66 (order to disclose for prosecuting a Part 2 program or person holding records); and § 2.67 (order for use of undercover agents); 42 C.F.R. § 2.3.

9 42 C.F.R. § 2.65.

10 N.C. Gen. Stat. § 122C-52(b).

11 Tenn. Code Ann. § 68-11-1503. The law does not prohibit the information from being “subject to the subpoena of a court of competent jurisdiction,” but for all the reasons described in this Alert, providers should not respond to a subpoena or similar legal demand without a careful assessment of the scope of the subpoena and applicable law.

12 Currently, 22 states and the District of Columbia have in place “shield laws” offering various protections against out-of-state investigations respecting healthcare that is lawful within their respective jurisdictions. Of these, California, Colorado, Connecticut, Delaware, the District of Columbia, Illinois, Maine, Maryland, Massachusetts, Minnesota, New Mexico, New York, Oregon, Rhode Island, Vermont, and Washington offer protections against out-of-state subpoenas, warrants, or court orders respecting GAC and reproductive care. California, for example, prohibits out-of-state warrants respecting lawful abortions in the state, Cal. Penal Code § 1524(h), and out-of-state subpoenas respecting lawful abortions and GAC in the state, Cal. C.C.P. § 2029.300(e).
