
A Balancing Act: Privacy Issues And Responding to A Federal Subpoena Investigating Transgender Care

Alerts

July 14, 2025

Lawyers

Patrick M. Fahey

Partner

860.251.5824

pfahey@goodwin.com
Joan W. Feldman

Partner

860.251.5104

jfeldman@goodwin.com
Marc C. Lombardi

Partner

860.251.5510

mlombardi@goodwin.com
Jack M. Ferdman

Associate

(860) 251-5208

jferdman@goodwin.com

Background

On Wednesday, July 9, 2025, the United States Department of Justice (“DOJ”) issued more than 20 subpoenas to physicians and clinics (the “Providers”) who provide gender-affirming care to transgender youth. According to the DOJ, the subpoenas were issued in connection with multiple investigations it is conducting relating to “healthcare fraud, false statements” and more. While the subpoenas appear to be limited to Providers, it is expected that the DOJ will expand its investigation more broadly to include other health care stakeholders. The issuance of these subpoenas will likely cause concern among Providers about balancing compliance with a federal subpoena against the obligation to safeguard health information under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), along with state “Shield Laws,” which are generally intended to protect the health information and privacy of patients.

DOJ’s Rationale for Subpoenas

The DOJ subpoenas appear to target Providers who may have provided gender-affirming care to transgender youth (presumably younger than the age of 19). The DOJ’s authority to issue these subpoenas appears to arise from Executive Order 14187, Protecting Children From Chemical and Surgical Mutilation, the False Claims Act (“FCA”), and guidance issued via open letter from the Center for Medicare and Medicaid Services (“CMS”). In the letter, CMS advised states of the federal Medicaid requirements that restrict federal financial participation for procedures or treatments for the purpose of rendering an individual permanently incapable of reproducing, including a reminder that such procedures are expressly prohibited from coverage for patients younger than 21 years old. On the basis of alleged fraud and false claims violations, the DOJ apparently believes that it has authority as either a law enforcement or oversight agency to issue the subject subpoenas.

Privacy Implications

Connecticut Providers who are subpoenaed by the DOJ, along with Providers in other states with Shield Laws, will be faced with a compliance dilemma caused by conflicting state and federal rules that must ultimately be resolved by the courts. The HIPAA Privacy Rule does not compel Providers (referred to as “Covered Entities” within HIPAA) to disclose protected health information (“PHI”), even when the PHI in question has been subpoenaed. HIPAA merely permits covered entities to disclose such information, and even then, only after certain conditions have been met including (among others): (i) the provider obtaining satisfactory written assurances that the patient was afforded sufficient information and the opportunity to object to the subpoena, or (ii) agreeing to or filing for a “qualified protective order” limiting the extent of the disclosure.

Connecticut law provides enhanced protections with respect to information about gender-affirming care. With limited exceptions, Connecticut General Statutes § 52-146x prohibits any HIPAA Covered Entity from disclosing any communication or information relating to gender-affirming health care services in the context of a civil action, probate, legislative or administrative proceeding, without explicit written consent. Given that HIPAA generally does not preempt a state law that is more protective of individually identifiable health information, Connecticut Providers (and Providers in states with Shield Laws) may have a strong argument that they are prohibited from providing any individually identifiable information about gender-affirming care. Conversely, it is unclear whether the scope of § 52-146x applies outside of the context of a state civil action, probate, legislative or administrative proceeding. The DOJ will likely argue that Connecticut’s law, or the Shield Law of any other state, is an evidentiary statute rather than an individual privacy right and thus is not stricter than the HIPAA privacy protections. Ultimately, it will be for the courts to decide.

Responding to the DOJ Subpoena

Until these questions are resolved by the courts, upon receipt of a DOJ subpoena, Providers should contact their counsel to discuss whether a motion to quash the subpoena is indicated. While subpoenas should not be ignored, the issue of disclosure of protected health information remains. In the event a Provider is unsuccessful in quashing the subpoena, Providers must adhere to HIPAA’s “minimum necessary” rule when providing information in response to a subpoena, and should abide by it strictly to protect patients from unreasonable and unnecessary government intrusion into their medical records and to remain compliant with HIPAA. The minimum necessary standard requires a covered entity to “limit any request for [PHI] to that which is reasonably necessary to accomplish the purpose” of the request. Additionally, the covered entity must establish that de-identified PHI “could not reasonably be used” to accomplish the subpoena’s end. In the context of an investigation under the FCA, the DOJ would face difficulty in establishing any demonstrable necessity to receive identifiable information. Of course, if the records are substance use disorder records, the DOJ subpoena will inevitably require a court order per the federal regulations set forth in 42 C.F.R. Part 2.

While it remains uncertain whether and what additional actions DOJ might take in furtherance of the Executive Order or other future policy directives, enforcement activity in this area is likely to increase rather than subside over the next few years. The Health Law Group at Shipman remains committed to providing cutting edge and timely information to providers regarding rapidly changing Health Policy and Healthcare Privacy law. Please contact us with any questions about this or any other Health Law concerns you may have.


© Shipman & Goodwin LLP 2025. All Rights Reserved