Can a public hospital withhold patient information from a state open records request under HIPAA?
Short Answer
Generally, yes. A public hospital can — and usually must — withhold individually identifiable patient information from a state open records (sunshine or public records) request. Although a government-run hospital is a “public body” subject to open records laws, those laws almost always include an exemption for records whose disclosure is barred by another federal or state law. The HIPAA Privacy Rule is exactly such a law.
How the Two Laws Fit Together
Open records statutes are built on a presumption of disclosure, but they also contain exemptions. A common category exempts records that are confidential or prohibited from release under other statutes. When a public hospital is a HIPAA “covered entity,” protected health information (PHI) falls squarely into that category.
HIPAA permits disclosure of PHI only when the Privacy Rule allows or requires it. A routine open records request from a member of the public is not, by itself, one of the permitted bases. So the open records exemption and HIPAA reinforce each other: the hospital withholds the PHI.
Important Nuances
- It depends on the record, not the request. Information that is not PHI — budgets, contracts, board minutes, aggregate statistics, staffing policies — is generally still releasable.
- De-identified data that meets HIPAA’s de-identification standard is no longer PHI and may be disclosable.
- State law can be stricter. Many states have their own medical-confidentiality statutes that apply independently of HIPAA.
- Other lawful channels exist. A patient (or their authorized representative) can request their own records, and disclosures may be allowed for treatment, payment, court orders, or specified public-health purposes.
- Don’t over-withhold. Agencies should redact the PHI and release the rest, rather than denying an entire document. A clear, lawful basis should be cited in any denial.
Practical Takeaway
Treat the request as a two-part analysis: first, does an open records exemption apply, and second, does HIPAA (or a state confidentiality law) prohibit release? For patient information the answer is typically to redact or withhold the PHI while disclosing non-exempt material. When in doubt, route the question through legal counsel or your privacy officer.
For related guidance, see the FOIA and public records topic hub.
Sources & further reading
Authoritative government and non-profit references.
- FOIA frequently asked questions — FOIA.gov / U.S. DOJ
- NIST Privacy Framework — NIST
How to cite this page
APA
RM University Editorial. (2026). Can a public hospital withhold patient information from a state open records request under HIPAA?. Records Management University. https://www.recordsmgmt.org/questions/can-a-public-hospital-withhold-patient-information-from-a-state-open-records-request-under-hipaa/
MLA
RM University Editorial. "Can a public hospital withhold patient information from a state open records request under HIPAA?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/can-a-public-hospital-withhold-patient-information-from-a-state-open-records-request-under-hipaa/.
Related questions
- Am I supposed to get an acknowledgement letter after I file a FOIA request, and what should it contain?
- Are emails on a city council member's personal phone subject to state public records law?
- Are police body-camera footage and incident reports public records under state law?
- Are state university student disciplinary records subject to public records requests, or does FERPA block them?
- Can a business stop an agency from releasing its confidential information under FOIA (reverse FOIA)?