DOJ Scrutiny of Gender-Affirming Care for Minors Raises Privacy Concerns for Providers
November 04, 2025
The US Department of Justice, along with several state attorneys general, has issued subpoenas and civil investigative demands to hospitals, physicians, telehealth companies, and pharmaceutical manufacturers engaged in providing or facilitating access to gender-affirming treatments for minors. Providing gender-affirming care for minors is an increasingly complex undertaking, with legal and political pressures creating a challenging environment for healthcare providers, institutions, and life science companies.
While public discourse has focused on substantive access to care and potential liability theories, the privacy implications of these investigations deserve equal attention. This recent trend of investigative and enforcement activity targeting sensitive health information associated with the provision of gender-affirming care raises complex questions at the intersection of the federal Health Insurance Portability and Accountability Act (HIPAA), state-level healthcare privacy statutes, and evolving state shield laws.
HIPAA: GUARDRAILS AND EXCEPTIONS
HIPAA established a national baseline for the protection of patient health information. It governs how covered entities (health plans, healthcare clearinghouses, and qualifying healthcare providers) and their business associates handle protected health information (PHI). Most healthcare providers and entities qualify as Covered Entities under HIPAA’s Privacy Rule, which restricts the use and disclosure of PHI absent patient authorization. However, the Privacy Rule also includes certain exceptions to the authorization requirement, such as for law enforcement purposes, which can be a focal point of US Department of Justice (DOJ) investigations.
- Law enforcement purposes: Disclosures to law enforcement are permitted under narrow conditions, which may include, but are not limited to, compliance with (1) grand jury subpoenas, (2) court orders, and (3) administrative requests—including civil investigative demands (CIDs)—that are relevant and material to a “legitimate law enforcement inquiry,” specific and limited in scope, and for which deidentified information could not reasonably be used.
- Required by law: HIPAA permits disclosures “required by law,” a phrase that encompasses a valid court order or an applicable state or federal law mandating disclosure of certain information, provided that the use or disclosure complies with and is limited to the relevant requirements of such law.
Even when disclosure is permitted under an exception, however, covered entities must release only the “minimum necessary” information, which limits the scope and breadth of permissible disclosures. Providers that respond too broadly to investigative demands risk both HIPAA enforcement and civil litigation exposure.
In the past decade, the US Department of Health and Human Services’ Office for Civil Rights (OCR), which investigates potential HIPAA violations and enforces the same, has investigated disclosures by healthcare entities and providers to law enforcement that were overbroad in production or did not meet the three-part analytical requirement in 45 CFR 164.512 for production to law enforcement. OCR’s investigative priorities have shifted in 2025, but this risk remains on the horizon in future administrations.
STATE SHIELD LAWS
In response to state-level restrictions on gender-affirming care, 22 states and Washington, DC have enacted “shield laws” aimed at protecting providers of reproductive or gender-affirming healthcare and their patients. These statutes typically prohibit cooperation with out-of-state subpoenas, warrants, or court orders seeking to penalize care that is lawful within the shield state. Some of these laws allow lawsuits for violations of legal rights, and certain of them also prohibit cooperation by state law enforcement agencies with federal agencies.
For example, California prohibits disclosure of medical records related to gender-affirming care in response to an out-of-state legal process unless the request arises from an action maintainable in California. And New York state bars courts from compelling disclosure or testimony that would aid another state’s investigation into gender-affirming care. These protections place shield-state providers in a defensive posture against investigative efforts originating in jurisdictions with restrictions or bans on such care.
CONFLICTING STATE LAWS CREATE A CATCH-22
As states continue to diverge in their approaches to gender-affirming care, providers operating across state lines or who work within a regional or national telehealth setting are increasingly caught in a legal crossfire. Shield laws enacted in states that protect access to gender-affirming care often directly conflict with laws in states that seek to restrict or investigate such care, raising significant interstate legal questions and creating increased uncertainty for multi-state providers. This growing patchwork of conflicting legal obligations has created a compliance minefield for health systems and telehealth companies, particularly those with a national footprint.
Providers operating across state lines may find themselves caught between obligations to protect patient confidentiality under one state’s laws and demands for disclosure under another’s. Shield laws in states that affirm gender-affirming care often prohibit compliance with out-of-state investigations or subpoenas that target such treatment. However, states with restrictive laws may assert jurisdiction over providers based on tenuous connections, such as remote employees or digital communications, and attempt to compel disclosure of sensitive health information.
This legal landscape creates a compliance dilemma: responding to investigative demands may violate the laws of the provider’s home state, while refusing to comply may expose the provider to enforcement actions or litigation in the demanding state. The result is a Catch-22 that complicates legal strategy, increases litigation risk, and places providers in the precarious position of navigating conflicting mandates without clear federal guidance.
As more states adopt shield laws and others double down on enforcement efforts, the legal risks for providers are likely to intensify. Recent judicial decisions, such as the Massachusetts federal court’s ruling in favor of Boston Children’s Hospital and the Washington state federal court ruling in favor of QueerDoc (both discussed below), highlight how shield laws and state constitutional protections can serve as a legal basis to resist federal investigative demands that conflict with state policy. Health systems should closely monitor developments in this space and consider proactive legal strategies to mitigate exposure.
STATE HEALTHCARE PRIVACY STATUTES
In addition to shield laws, many states impose their own healthcare privacy laws that overlay HIPAA and may either supplement HIPAA protections or create separate obligations. For instance, Illinois’s Medical Patient Rights Act requires written consent for disclosure of patient records except in limited circumstances. Washington state’s Uniform Health Care Information Act similarly sets strict limits on disclosures of healthcare information. Because HIPAA defers to “more stringent” state provisions, healthcare providers often must navigate dual privacy obligations—a situation that complicates compliance with federal investigative demands, especially for entities operating in multiple jurisdictions.
LITIGATION AND ENFORCEMENT RISKS
The DOJ’s scrutiny opens the door to significant legal and financial risks for all entities involved in providing gender-affirming healthcare.
- Class actions: Patients whose records are disclosed in response to investigative demands may bring privacy-based claims (often in the form of class action lawsuits), including where disclosures are alleged to exceed HIPAA’s “minimum necessary” standard. Patient information related to gender-affirming care is particularly sensitive, as those who receive such care frequently wish to avoid the public scrutiny that accompanies treatment. Additionally, sensitivity and privacy concerns are heightened where the data involves minors.
- State regulatory enforcement: State attorneys general and health departments may pursue enforcement for violations of state privacy laws, particularly if disclosures violate restrictions embedded in state shield statutes. This creates the possibility of providers facing exposure from both the requesting jurisdiction and their own home-state regulators.
With these and other privacy-related risks looming, along with other considerations, entities have pushed back on the flurry of subpoenas issued by DOJ. On September 9, 2025, a Massachusetts federal judge quashed a DOJ administrative subpoena seeking extensive records from Boston Children’s Hospital related to its provision of gender-affirming care for minors. [1] The court found that the subpoena was issued for an improper purpose—namely, to intimidate providers and patients and to interfere with Massachusetts’ legal protections for gender-affirming care. The judge emphasized the outer limits of federal investigative powers do not permit the government to conduct a “fishing expedition” with overly broad subpoena requests that lack a clear nexus to suspected healthcare fraud.
A federal court in the Western District of Washington also recently quashed an administrative subpoena issued under HIPAA to a small telehealth provider, QueerDoc. The Washington court similarly found that the subpoena was overly broad and not issued to investigate potential violations of the Food, Drug, and Cosmetic Act or the False Claims Act. Specifically, the court highlighted the broad request for thousands of patient records as evidence of the subpoena’s pretextual nature. These decisions may serve as a critical precedent for other providers facing similar investigative demands. They reinforce the importance of challenging subpoenas that appear to exceed statutory authority or are issued in bad faith, particularly when they implicate sensitive patient information and state-protected healthcare rights.
Providers should be aware that courts may scrutinize the motives behind federal investigations and may refuse enforcement where the government’s stated purpose is undermined by its own public statements or overly expansive document requests. DOJ has, however, moved to alter the judgment in the Massachusetts case, and we anticipate appellate courts will soon have a chance to address these issues.
PRIVACY RISKS IN DIFFERENT SCENARIOS
Providers accepting Medicaid are facing heightened scrutiny, especially where gender-affirming care is a covered benefit under state Medicaid rules. Conversely, providers operating on a private-pay or commercial-only basis may avoid federal program scrutiny but remain vulnerable to state-level enforcement.
Moreover, while manufacturers are not generally considered HIPAA-covered entities, they may obtain PHI through patient assistance programs or specialty pharmacy partnerships. This can bring them into scope under HIPAA’s “business associate” framework. DOJ subpoenas to manufacturers raise complex questions about the permissible scope of disclosures and data minimization.
NAVIGATING SUBPOENAS AND CIVIL INVESTIGATIVE DEMANDS
As DOJ and state attorneys general expand scrutiny of gender-affirming care, privacy will remain a central legal and operational challenge. A subpoena from the DOJ or a state attorney general is a critical event that demands a careful and strategic response. When confronted with investigative demands, the recipient should:
- Assess the subpoena: Determine the scope and nature of the request (i.e., is it a grand jury subpoena, a CID, or an administrative subpoena?). Each has different legal requirements and implications.
- Evaluate patient consent: Determine if patient consent is required prior to any disclosure and, if so, whether it was obtained.
- Assess HIPAA exceptions: Determine whether the request qualifies under HIPAA’s law enforcement or required-by-law provisions, and ensure compliance with procedural safeguards (e.g., assurances of relevance and specificity).
- Evaluate shield law protections: Consider whether a shield law bars cooperation with the request. In some cases, refusal to comply may be legally defensible based on state law.
- Challenge improper purpose: Consider whether the subpoena is being used for a legitimate investigative purpose or as a tool of political pressure.
- Apply the minimum necessary rule: Carefully balance the legal obligation to comply with the subpoena against the duties to protect patient privacy and comply with state shield laws.
- Ensure future compliance: Review and update subpoena and CID response protocols, as necessary.
- Monitor ongoing litigation: Follow pending cases, such as the challenges in Massachusetts and Washington state, for evolving judicial interpretations.
When faced with a subpoena or civil investigative demand, it is crucial to consult experienced legal counsel to identify appropriate next steps and how to respond, as careful navigation of these issues can mitigate liability exposure and safeguard patient trust at a time when both are under extraordinary pressure.
LESSONS FROM PRIOR ACTIONS
Historical examples and legal precedent offer valuable lessons. For instance, the Texas Attorney General has issued CIDs to multiple hospitals and providers concerning gender-affirming care practices. Some recipients resisted compliance, citing HIPAA, shield laws, and constitutional concerns. These types of actions may serve as a model for how state-level scrutiny can be initiated and what kinds of information may be sought. And the legal challenges may provide insight into the arguments and defenses available to entities.
Additionally, a lawsuit involving Vanderbilt University Medical Center (VUMC) over gender-affirming care highlights the intersection of public scrutiny, political pressure, and legal action. In that case, the Tennessee Attorney General issued CIDs seeking transgender patient records. VUMC complied, citing HIPAA’s legal compulsion exception, prompting an ongoing investigation by the Office for Civil Rights into whether the disclosures of this sensitive patient data were lawful. A state class privacy suit was also filed. While the details of each case are unique, the VUMC suit underscores the importance of having robust internal policies and procedures for handling sensitive patient information and responding to external pressures.
CONCLUSION
This increased focus by the DOJ and state attorneys general on the provision of gender-affirming care for minors creates a multifaceted legal challenge for healthcare providers, hospitals, and pharmaceutical manufacturers. Navigating these complexities requires a thorough understanding of HIPAA, state shield laws, and other privacy regulations. By learning from prior actions and implementing proactive compliance strategies, entities can better protect patient privacy, mitigate legal risks, and ensure they are prepared for a rapidly evolving legal and political environment.
For more insights on gender-affirming care, see our previous LawFlashes:
- US Administration Ups the Ante for Gender-Affirming Care Providers with Legislative Proposal
- 16 States Challenge Gender-Affirming Care EO as DOJ Scrutinizes Hospitals, Doctors, and Pharma Manufacturers