Does HIPAA apply to undocumented immigrants?

Yes, HIPAA regulations apply to all patients, regardless of their immigration status. Under federal law, healthcare providers must protect the privacy and confidentiality of all patients, including undocumented immigrants.

According to The Network for Public Health Law Issue Brief, “whether or not medical providers have actually reported undocumented immigrants to Immigration and Customs Enforcement (‘ICE’), the fear of this scenario in the immigrant community is real.” This fear can have serious public health consequences when families avoid clinics or preventive care because they worry their information could be shared with immigration authorities.

Therefore, providers and patients must understand how HIPAA applies to undocumented immigrants. HIPAA protections are based on the protection of health information and not citizenship or immigration status.

What is HIPAA?

According to the issue brief, “HIPAA is federal legislation that requires the U.S. Department of Health and Human Services (HHS) to develop regulations to protect the privacy and security of patients’ health information.”

The law created the HIPAA Privacy Rule, which restricts healthcare providers and other covered entities from improperly sharing individuals’ protected health information (PHI). Covered entities include hospitals, clinics, physicians, health plans, and healthcare clearinghouses that handle electronic health information.

HIPAA protects “information that pertains to a patient’s ‘past, present, or future physical or mental health condition; a provision of health care; or the past, present, or future payment for the provision of healthcare to the individual.’”

Examples of PHI include names, addresses, Social Security numbers, passport numbers, account numbers, medical diagnoses, billing information, and treatment records.

The issue brief further clarifies that “any information included on any identification documents (including a passport or driver’s license) would be considered PHI if that information identifies —or can reasonably be used to identify—an individual.”

Does HIPAA protect undocumented immigrants?

Yes, “HIPAA protects the information and not the person, so PHI gathered and maintained about an undocumented immigrant would be protected under HIPAA.” HIPAA protections are not limited to U.S. citizens or lawful permanent residents. If a healthcare provider collects medical information about an undocumented immigrant, that information is generally protected under federal privacy law.

The issue brief elaborates that “a health care provider may not disclose any patient information without the patient’s authorization unless the disclosure falls under an exception.”

The brief explains that “immigration status or country of origin alone typically would not constitute PHI, because this information alone would not be sufficient to identify an individual person.” However, if immigration status is linked to identifying information, like a patient’s name or address, it may become protected information.

When can medical information be shared?

Court orders and judicial subpoenas

The issue brief states that healthcare providers may disclose PHI when there is “a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena.”

A judge can order the release of medical records, including information connected to immigration status. According to the report, “a HIPAA-covered healthcare provider or health plan may share the PHI of a patient if it has a court order.” However, not every immigration-related document automatically requires compliance.

“A warrant from ICE does not require the showing of probable cause to a neutral arbiter and thus is not the same as a subpoena, summons, warrant, or order from a court,” as evidenced by the issue brief.

An ICE administrative warrant may not give healthcare providers the legal authority to release medical records. The report recommends that providers verify whether documents are valid by checking if they were signed by a judge or magistrate judge, including the date, specifying the premises to be searched, and describing the exact information being requested.

If any of these elements are missing, “the medical provider has the right to refuse to comply.” The brief also recommends that providers seek legal counsel before releasing records whenever possible.

Administrative requests

HIPAA also allows disclosure in response to certain administrative requests from law enforcement agencies. However, these requests must show that the requested information is “relevant, material, specific, and limited in scope, and that de-identified information would be insufficient.” Additionally, the request must prove that de-identified information would not be sufficient on its own.

Crimes on healthcare premises

The issue brief states that providers may disclose information if they “believe in good faith that the information constitutes evidence of criminal conduct that occurred on the premises of the covered entity.”

However, the report carefully distinguishes undocumented presence in the United States from ongoing criminal activity. It explains that “while it is illegal for a person to enter the country without inspection (EWI), once that person has entered the country unlawfully, that person’s continued presence in the U.S. is not an ongoing crime.”

As a result, “a medical provider should not contact ICE and disclose a patient’s immigration status based solely on an undocumented immigrant’s presence at a hospital or medical clinic.”

Penalties for HIPAA violations

“HIPAA provides civil and criminal penalties for those who disclose PHI in violation of the law.” Therefore, providers found guilty of violating HIPAA laws might face fines, criminal liability, and professional disciplinary consequences.

The report explains that patients face limitations when seeking compensation for violations. “Several federal courts have held that HIPAA does not provide a private cause of action,” so patients usually cannot directly sue under HIPAA itself. The HHS Office for Civil Rights (OCR) and the state attorneys general handle HIPAA enforcement.

Patients can rely on state privacy and negligence laws, as “most state laws allow patients to sue medical providers for wrongful disclosure of PHI under state tort claims.”

Undocumented immigrants often cannot pursue legal action due to a lack of trust in the legal system and difficulty accessing affordable legal representation. “The lack of legal recourse, and use of unlawfully obtained PHI in deportation proceedings, has an unfortunate chilling effect on undocumented immigrants and their families seeking health care services, [impacting] their health [and] that of the broader community.”

Go deeper: The complete guide to HIPAA violations

Sensitive locations and immigration enforcement

The issue brief explains that ICE and Customs and Border Protection (CBP) issued memoranda identifying hospitals and clinics as “sensitive locations” where immigration enforcement actions are generally restricted. These sensitive locations include healthcare facilities, like hospitals, doctors’ offices, accredited health clinics, and urgent care facilities.

Under agency policy, officers generally may not “arrest, interview, search, or surveil individuals for immigration purposes at sensitive locations without prior approval.”

While these policies are intended to reduce fear, so more people can access healthcare services, their protections are not absolute. Exceptions may apply in cases involving national security, terrorism, dangerous felons, or urgent criminal investigations.

Fourth Amendment protections

“The Fourth Amendment is a constitutional right for all individuals to be free from illegal searches or seizures.” Undocumented immigrants also have constitutional protections under the Fourth Amendment, which guards against unreasonable searches and seizures.

For example, patients in private medical areas such as examination rooms may have a reasonable expectation of privacy, and “law enforcement would likely need a warrant signed by a judge to search those areas.”

However, public waiting rooms or lobbies may receive less legal protection because they are open to the public.

According to the National Immigration Law Center, “it may be helpful for health centers and clinics to establish a written internal policy identifying areas as private and not open to the general public.” Additionally, “health centers and clinics [must] place signage explaining that certain areas are only available for patients and those accompanying them.”

Why trust in healthcare matters

When immigrant families avoid healthcare systems, conditions like asthma, diabetes, infectious diseases, and mental health disorders may go untreated. Delayed treatment can increase suffering and create larger healthcare burdens later.

As evidenced in the brief, “the lack of legal recourse, and use of unlawfully obtained PHI in deportation proceedings, has an unfortunate chilling effect on undocumented immigrants and their families seeking health care services.”

Healthcare providers must, therefore, rebuild patient trust. The issue brief states that “medical providers can help to alleviate this problem by communicating to the immigrant community that providers have stringent privacy policies in place and that these safeguards apply to everyone, including undocumented immigrants.”

A great way to rebuild this trust is through using HIPAA compliant emails to assure patients that their PHI is secure and will not be shared with immigration authorities.

Learn more: Bridging barriers for immigrant patients with HIPAA compliant emails

FAQs

Do undocumented immigrants have to share their immigration status with doctors?

No. Patients are not required to disclose their immigration status to receive medical care, and healthcare providers do not need this information for treatment.

Can ICE access medical records?

Only in certain situations, such as with a valid court order, subpoena, or other legal request that meets HIPAA requirements.

Can providers email immigrant patients who are minors?

Healthcare providers must obtain consent from parents or legal guardians before emailing any patients who are minors or have guardianship issues. Emails should only be sent to authorized recipients to protect minors' privacy and confidentiality.

Related: Does HIPAA apply to minors?