It is not common for issues related to the Health Insurance Portability and Accountability Act (HIPAA) to make headlines, particularly in a murder case. HIPAA has recently been the subject of court filings in People v. Luigi Mangione, which is pending before the New York State Supreme Court. The allegations against the defendant stem from the murder of a health insurance company CEO in December 2024.
Healthcare Information Disclosure
According to an ABC News article, in a court filing on Aug. 19, 2025, the defense accused prosecutors of inappropriately reviewing Mr. Mangione's medical records. The records were apparently turned over by the defendant's health insurance company pursuant to a subpoena it received from the Manhattan district attorney's office. The defense alleges that the records were obtained in violation of HIPAA and included detailed information about the defendant's medical diagnoses, as well as statements made to healthcare providers during treatment.
The district attorney's office reportedly asserted that Mr. Mangione's insurance company provided more information than had been requested. The prosecution indicated that the information it sought was "entirely unremarkable," such as Mr. Mangione's length of coverage and account number. The insurance company has said that its response to the subpoena was proper. The defense has reportedly requested an evidentiary hearing regarding the discrepancy between the information requested by the prosecutors and the information disclosed by the health insurer.
Types of Information Protected by HIPAA
Even seemingly "unremarkable" information such as a health insurance number or coverage dates can be considered "protected health information" (PHI) governed by HIPAA. When held by a regulated entity such as a health plan, HIPAA protects all individually identifiable health information. This includes not only information relating to an individual's physical or mental condition, but also, according to the HIPAA Privacy Rule, information related to "the past, present, or future payment for the provision of health care to an individual."
Individually identifiable health information is protected by HIPAA, and a health plan can disclose it only if permitted by HIPAA and applicable state privacy laws. To avoid HIPAA's application, PHI can be completely de-identified. This can be accomplished in two ways: an appropriately qualified expert can determine that the information has been sufficiently de-identified, or the data can be de-identified through a so-called "safe harbor" method. The safe harbor for data de-identification is significant in Mr. Mangione's situation because, to avoid HIPAA's protections, certain data elements would have to be removed from a data set, including dates directly related to an individual (except the year) and health plan beneficiary numbers. Therefore, even if Mr. Mangione's dates of coverage and health plan account number seem unremarkable, they are still protected by HIPAA and may not be used or disclosed by a health plan except through a HIPAA-compliant pathway.
HIPAA Data in Litigation
HIPAA allows covered entities and their business associates to use and disclose PHI as necessary for treatment, payment and healthcare operations. "Healthcare operations" includes, among other things, conducting or arranging for legal services, so HIPAA is typically not an impediment to a party using PHI it holds in connection with its own litigation in a manner consistent with HIPAA and state law.
There are also several ways PHI subject to HIPAA can be disclosed by third parties when necessary for litigation. For example, HIPAA allows disclosures required by law, such as in response to court orders and subpoenas issued by a court. Subpoenas not issued by a court permit the disclosure of PHI only under particular circumstances. If a HIPAA-regulated entity receives a subpoena not accompanied by a court order or a patient's written authorization, the information can be disclosed if the disclosing entity receives one of the following:
- Satisfactory assurance from the party seeking the information that reasonable efforts have been made to ensure that the patient has been notified of the request. The HIPAA-covered entity being asked to disclose the information must receive a written statement and accompanying documentation from the requesting party showing that a good faith attempt has been made to provide written notice to the individual. The notice must include enough information about the litigation to allow the individual to raise an objection to the court, the time to raise objections must have elapsed, and either no objections were filed or all objections were resolved by the court and the disclosure sought complies with such resolution.
- Satisfactory assurance that the requesting party has made reasonable efforts to secure a "qualified protective order" that complies with HIPAA. Satisfactory assurances in this context would require a written statement and accompanying documentation from the requesting party showing either that the parties involved in the dispute have agreed to a qualified protective order and have presented it to the court, or that the party seeking the information has requested a qualified protective order from the court. Qualified protective orders prohibit the parties from using or disclosing the PHI for purposes other than the litigation or proceeding for which the information was requested. In addition, at the end of the litigation, the information must be returned to the HIPAA-covered entity that provided it, or it must be destroyed.
If the covered entity being asked to disclose the information does not have either type of satisfactory assurance, there are other options. For example, the entity receiving the records request could make reasonable efforts to provide sufficient notice to the individual who is the subject of the information. The disclosing entity could also seek its own qualified protective order. Additionally, the information could be disclosed if another HIPAA provision allows it.
A definitive determination regarding whether HIPAA was violated with respect to Mr. Mangione's case would require a careful examination of the wording of the subpoena and all other relevant facts. Even if a subpoena is seeking very limited health-related information from a health plan or other covered entity, however, the requirements of HIPAA and relevant state privacy law must be met.