The start of 2025 brought with it new challenges for health care providers in interacting with law enforcement while maintaining compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and related privacy laws, like 42 CFR Part 2 governing the confidentiality of substance use disorder records.
First, covered entities faced the Dec. 23, 2024, compliance date for the HIPAA Privacy Rule To Support Reproductive Health Care Privacy (Final Rule), which requires covered entities and their business associates to not use or disclose protected health information (PHI) for purposes of investigation or prosecution of lawful reproductive health care.
It also requires them to obtain an attestation from law enforcement requesting PHI under certain circumstances to ensure compliance with this new restriction.
Second, on Jan. 21, 2025, the Department of Homeland Security (DHS) rescinded its “Protected Areas” policy that since 2011 had largely restricted the U.S. Immigration and Customs Enforcement (ICE) and Customs and Border Protection from conducting enforcement actions in or near “protected areas” or “sensitive locations,” including medical facilities.
This recent action led health care providers to assess their response in the event of ICE enforcement actions in or near their facilities, which could include seeking patient information, attempting to access patient care areas, and arresting undocumented persons.
This article highlights the legal considerations for navigating interactions with law enforcement officials in light of these recent changes.
Reproductive Health Privacy
To strengthen HIPAA’s privacy protections for reproductive health care, the Final Rule included additional privacy protections when PHI is sought for purposes of identifying, investigating, suing, or prosecuting someone for seeking, obtaining, providing, or facilitating lawful reproductive health care, including but not limited to abortion.
The Office of Civil Rights (OCR) indicated that the Final Rule was designed to support and clarify the privacy interests of individuals who seek lawful reproductive health care, not to obstruct lawful investigations or prevent states from imposing liability on unlawful reproductive health care provisions.
However, OCR acknowledged that the new regulatory presumptions may create difficulties for enforcement agencies and officials in investigating whether reproductive health care was lawful under the circumstances in which it was provided.
After considering those interests, OCR determined that countervailing privacy benefits justify these effects.
Among other changes, the Final Rule prohibits covered entities and their business associates from using or disclosing PHI to identify a person for purposes of or to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such is lawful under the circumstances in which it is provided (the Prohibition).
To support this Prohibition, covered entities and their business associates are required to obtain a written attestation from a requestor before using or disclosing PHI “potentially related” to reproductive health care when the request relates to one of the following purposes:
health oversight activities;
judicial and administrative proceedings;
law enforcement purposes; and
disclosures to coroners and medical examiners.
The Final Rule broadly defined “reproductive health care” as any health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” The definition is intended to include, but not be limited to:
contraception;
preconception screening and counseling;
pregnancy management and pregnancy-related conditions;
diagnosis and treatment of conditions that affect the reproductive system and other types of care; and
services and supplies used for the diagnosis and treatment of conditions related to the reproductive system.
Attestations for Release of PHI
Obtaining an attestation is required in addition to compliance with the Privacy Rule’s other conditions for these types of permissive uses and disclosures.
OCR’s model attestation form and instructions can be accessed on the hhs.gov website.
The attestation must be limited to the specific use or disclosure, meaning that each use or disclosure of PHI will require a new attestation. An attestation may not be combined with any other document, except where needed to demonstrate a permitted purpose (such as where the requestor provides factual evidence that the reproductive health care was unlawful).
Additionally, an attestation is invalid where the regulated entity has actual knowledge that the attestation contains material information that is false, or where a regulated entity in the same position would not reasonably believe that the attestation is true.
A regulated entity is not required to investigate the validity of an attestation, and is generally permitted to rely on an attestation if it reasonably determines that the request is not for a prohibited purpose or where adequate supporting documentation is provided.
ICE Enforcement Activity
When interacting with ICE agents, as with other law enforcement officials, health care providers need to remain cognizant of their duty of confidentiality and requirements to safeguard PHI, including compliance with all federal and state privacy laws.
For example, HIPAA prohibits covered entities from disclosing PHI to law enforcement unless an exception applies, such as a legally sufficient court order, certain administrative requests, and limited information to identify or locate a suspect, fugitive, material witness, or missing person.
HIPAA permits, but does not require, disclosures of PHI to law enforcement. Notably, Wisconsin law is more restrictive than HIPAA and therefore further limits how law enforcement, including ICE agents, may access PHI without a court order.
Health care providers are required to implement physical, technical, and administrative safeguards to protect the privacy of PHI. While ICE agents will generally be permitted to enter public areas of a health care facility (e.g., lobbies, waiting rooms, and parking lots) like any other member of the public, they can be denied access to nonpublic or private areas (e.g., patient rooms and treatment areas) unless the ICE agent presents a warrant signed by a judge, such as a search and seizure warrant, which has the force of a court order. In contrast, administrative warrants, such as a warrant of removal/deportation signed by an ICE officer (not a judge), do not have the force of a court order, and the health care facility may deny access to nonpublic areas.
If ICE agents are going to access nonpublic or private areas of the medical facility, procedures should be followed to limit their access to PHI to the greatest extent possible, such as having them escorted to the area by a workforce member after health care staff have been notified so that they can remove PHI from view.
Similarly, health care providers are required to produce only documents demanded by a warrant or court order signed by a judge, but not those demanded by subpoenas signed by an ICE agent or by most other administrative requests. Such subpoenas and administrative requests should be responded to by legal counsel to ensure compliance with applicable state and federal law.
Workforce members should be reminded of the obligation not to provide patient records or other PHI to ICE agents unless the organization has determined that it is legally appropriate to do so.
Considerations for Compliance
In planning for compliance in interactions with law enforcement, health care providers should be prepared to interact with law enforcement agents (including ICE) in a manner that is responsive to information requests as required by law but remains consistent with applicable privacy laws.
Compliance considerations include:
Updating policies and procedures. Health care providers will want to review and update law enforcement-related policies and procedures to address law enforcement requests and prioritize legal compliance during law enforcement interactions. These policies should address the permissibility of disclosures of PHI to law enforcement, processes for handling law enforcement presence at facilities, obtaining attestations when required and how to respond to court orders, warrants, subpoenas and other administrative requests.
Staff should be appropriately educated on their role in any law enforcement interaction and reminded of their obligations to maintain patient privacy and an environment that supports high quality health care. Individuals will need to be designated to assess attestations and determine what PHI may be shared with law enforcement.
Assigning an individual as the designated law enforcement liaison. Health care providers could designate a liaison to directly handle interactions with law enforcement and a cross-functional response team, including legal, compliance, security, and senior leadership, to provide support. The liaison and response team should be provided specific training and resources on compliant interactions with law enforcement, including access to outside counsel. Additionally, workforce members should be educated on how and when to contact the liaison and response team.
Assessing data collection procedures. Health care providers need to understand the implicated PHI they have in their possession and the functionality and limitations of their health information technology systems. It may be difficult to identify or flag PHI subject to the Final Rule’s prohibitions due to the broad definition of reproductive health care and its prevalence in various areas of the electronic health record, requiring more manual processes to implement compliance.
Additionally, Wisconsin health care providers are not required to inquire about a patient’s immigration status. Limiting collection to only necessary information may reduce the burdens of documentation production in response to ICE requests.
Ensuring regulatory compliance. Law enforcement requests remain subject to HIPAA’s minimum necessary requirements and generally need to be included in any accounting of disclosures requested by an individual. Appropriate documentation should therefore be maintained related to any interaction with law enforcement.
Conclusion
Health care providers face continuing challenges given the ever-changing privacy regulatory landscape, including in the complex area of interacting with law enforcement.
Monitoring these changes and being prepared to assess policies and procedures, implement new processes balancing sometimes competing organizational interests, and educating and training staff are key to ensuring compliance.
This article was originally published on the State Bar of Wisconsin’s Health Law Blog.