HIPAA ruled not a barrier to Missouri AG’s gender care probe

On May 7, 2025, the Missouri Eastern District Court of Appeals ruled that Planned Parenthood Great Rivers must comply with a civil investigative demand from Missouri Attorney General Andrew Bailey by providing documents related to gender-affirming care.

What happened 

Bailey has been investigating the use of cross-sex hormones, puberty blockers, and gender-transition surgeries for minors in the state since March 2023, following allegations from a former caseworker at the Washington University Transgender Center that children were rushed into treatment. As part of this probe, Bailey’s office requested records from several providers, including Washington University, Children’s Mercy Hospital in Kansas City, and Missouri’s two Planned Parenthood affiliates. 

Planned Parenthood Great Rivers challenged the request, arguing it violated patient privacy rights under HIPAA. A previous ruling by Circuit Court Judge Michael F. Stelzer in April 2024 sided with Planned Parenthood, stating HIPAA prevented the release of identifiable health information without patient consent. However, Appeals Court Judge Rebeca Navarro-McKelvey concluded that HIPAA does not prohibit the release of de-identified records and criticized Planned Parenthood for failing to provide a privilege log outlining any specific objections. 

This decision follows a similar April 2025 ruling from the Western District Court of Appeals against Missouri’s other Planned Parenthood affiliate, reinforcing that a general HIPAA objection does not invalidate the entire investigative demand.

What was said 

According to Margot Riphagen, president and CEO Planned Parenthood Great Rivers, “While we are disappointed with the court’s decision, we are evaluating our next steps as this is just another political attack against the bodily autonomy and rights of transgender and gender-nonconforming Missourians. As a trusted health care provider, Planned Parenthood Great Rivers will continue to support our gender affirming care patients across the St. Louis region and Missouri Ozarks while ensuring our patients’ health information remains secure and protected.”

Why it matters 

The legal implications of the May 7, 2025 ruling by the Missouri Eastern District Court of Appeals center on the balance between a state attorney general’s investigative authority and federally protected patient privacy rights under HIPAA. The court affirmed that while HIPAA protects personally identifiable health information, it does not prohibit the release of de-identified data, information stripped of all personal identifiers. 

This clarification enables state officials, like Attorney General Andrew Bailey, to obtain certain records during investigations without violating federal privacy laws, provided the information does not identify individual patients. The ruling also emphasizes procedural obligations for covered entities such as Planned Parenthood, which must produce a privilege log, a detailed list identifying specific objections to each part of an investigative request, rather than issuing broad refusals based solely on HIPAA. 

Privacy considerations remain necessary, as any disclosure, even of de-identified data, must be handled cautiously to avoid unintended re-identification, particularly when dealing with small patient populations or sensitive treatments like gender-affirming care.

Related: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQs

What is de-identified health information under HIPAA?

De-identified information is data that has had all 18 HIPAA-defined identifiers removed (e.g., name, address, birthdate, medical record number), and where there is no reasonable basis to believe the data can identify an individual. De-identified information is not considered PHI and is not restricted under HIPAA.

Who determines whether HIPAA allows a disclosure in a specific case?

The covered entity (e.g., healthcare provider or health plan) is responsible for determining HIPAA compliance. This means they must assess the validity of subpoenas or investigative demands and decide whether the requested disclosure falls within HIPAA’s legal framework or requires patient authorization.

What is a privilege log and why is it important?

A privilege log is a document that lists each requested item withheld and the specific legal reason for withholding it (e.g., HIPAA protections, irrelevance, or attorney-client privilege). Courts often require this to evaluate if an objection to a request is valid.