Is a Patient’s Immigration Status Considered Protected Health Information?
By: Michael W. Blaise
Lorance & Thompson, P.C.

The Allied World Risk Management Group is frequently asked whether a patient’s immigration status is considered protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. This article outlines risk management considerations when determining whether patient consent is needed to release information regarding a patient’s immigration status.

Potential Professional Dilemma- Case Example (using fictional names)

Elisa Similika is a licensed mental health professional. Her practice is affiliated with a large private health care network.

Late in the afternoon, her office assistant, Karen, is processing the initial paperwork for a new patient named Mr. Galvan. According to the intake form, Mr. Galvan is seeking assistance for anxiety and depression. Karen notices that Mr. Galvan’s identification card does not have the typical appearance of a state issued driver’s license.

Sad teenage girl with depression sitting on stairway

Elisa participates in the scheduled session with Mr. Galvan. While assessing Mr. Galvan’s presenting complaints, Elisa learns that he and his family illegally entered the United States seven years earlier. His son was recently apprehended by federal officials and is now facing deportation. The impending deportation has created a variety of financial, marital and psychological problems for Mr. Galvan.

Karen approaches Elisa afterwards and asks permission to report Mr. Galvan to the federal immigration authorities. As this is a health care setting, Elisa is uncertain whether she, or anyone else in her office, can disclose Mr. Galvan’s identity.

Background Analysis

In 2016, there were approximately 40 million adult immigrants in the United States and an additional 35 million children with foreign-born parents.1 Whether a person is in the country illegally may not initially be important, relevant treatment information. Still, a patient’s immigration status is a factor that may need to be assessed during a comprehensive mental health exam due to the potential stressors placed on the family or individual seeking help.

A 2017 study on the health of undocumented Mexican immigrants found that a significant percentage (23%) of participants in the study had a mental disorder.2 The authors of the study explained:

“Undocumented immigration to the United States often presents with multiple stressors and contextual challenges, which may increase risk for mental disorders. For instance, physical, verbal, psychological and sexual violence is widespread among undocumented immigrants. Also, common to the undocumented experience is discrimination, stigmatization, marginalization, isolation, fear of deportation, exploitability, victimization, living in unsafe neighborhoods, and socioeconomic disadvantage.”

The political and social pressures associated with heightened governmental immigration enforcement has created a sense of danger in immigrants and their families who need health care. Many times, patients may defer evaluation and treatment to avoid the perils of prosecution, family separation and/or deportation. Similarly, professionals providing necessary services may be alarmed that they may be promoting illegal immigration or violating federal laws designed to curb the influx of undocumented foreigners.

Is a Patient’s Immigration Background Protected?

Many mental health care professionals face the dilemma of disclosing a patient’s immigration status to governmental agencies such as the U.S. Immigration and Customs Enforcement or U.S. Department of Homeland Security.

The National Immigration Law Center (“NILC”) published a fact sheet that delineates the rights of health care providers and patients in order to avoid legal consequences for the treatment of patients with immigration challenges. The NILC materials state that “… health care providers have no affirmative legal obligation to inquire into or report to federal immigration authorities about a patient’s immigration status.”3 This advisory opinion is based on the HIPAA Privacy Rule that prohibits the use or disclosure of patient information without the patient’s consent. Recognizing there are exceptions to HIPAA’s general privacy rule, the NILC’s fact sheet mentions that information may be shared but is not required.4

According to the NILC, patients may be more vulnerable to immigration enforcement actions when they are in a public environment, such as a health care facility, as opposed to areas considered private. In addition, the NILC states that health care personnel may refuse to provide information about a patient to law enforcement officials unless the request for information arises pursuant to a warrant or court order for a specified, identified individual. The direct takeaway from this statement means that medical, nursing, and other ancillary personnel are not required to provide a wholesale account of the immigration status of specific patients contained in any client database maintained by the provider.

While the NILC discourages the documentation of immigration status in a patient’s chart or electronic medical records, there are occasions when immigration issues account for certain individual and familial factors that influence psychiatric assessment and diagnosis such as depression, anxiety disorders, and alteration as coping mechanisms.

Again, HIPAA provides definitional assistance so that immigration status remains protected. 45 C.F.R. Section 160.103 mandates that individually identifiable health information is protected if it “… relates to the past, present or future physical or mental health or condition of an individual.”

Therefore, a mental health professional should assess if a patient’s immigration concern is relevant to the past medical history, chief presenting complaint or differential diagnosis. If, after legitimate clinical inquiry, the immigration status of a patient can be found to relate to the patient’s health condition, it will be deemed individually identifiable information and hence will be considered PHI subject to the Privacy Rule’s protections.5

Exceptions to PHI Protections

As stated by 45 CFR 164.512(1)(i), a covered entity may disclose PHI to comply with a court order. This may include divulging the information to administrative tribunals that preside over immigration hearings.

Since a patient’s immigration status is most likely protected by HIPAA, it should not be released other than for treatment, payment, or health care operations without the patient’s consent. However, there are instances where certain exceptions mandate release of PHI without patient authorization. Some examples include domestic violence reports, child abuse/neglect reports, or cooperating with criminal investigations occurring on the premises of a facility. However, these exceptions may not provide complete protection to disclosure. The mere presence of a patient with undocumented alien status seeking treatment, without additional facts, does not in itself represent a reportable crime.6 Additionally, it should be noted that the language of the exception specifies that a covered entity may disclose PHI in cases of a crime on the premises, not that the entity is required to do so. Thus, even when a patient with undocumented status seeking treatment commits a crime on the premises, a clinician or health care organization can, but is not mandated, to disclose PHI.


There are many evolving issues health professionals must consider when confronted with a patient from another country. There is legal support for the position that, under the HIPAA Privacy Rule, immigration status should be regarded as PHI with few valid exceptions for unauthorized release.

It appears that the crucial element to determine whether a patient’s immigration standing constitutes PHI is if the information relates to the past, present or future physical mental health or condition of the individual.

It is important for clinicians and health care organizations to know that disclosing a patient’s immigration status to governmental enforcement agencies, without valid exception, may be a HIPAA violation.

Risk Management Tips

  • Understand Federal/State privacy laws
  • Provide staff with training related to Federal/State privacy laws
  • Develop office policies pertaining to whether/when patient information/PHI is released
  • Develop/Implement a HIPAA compliant release of information document to be used whenever PHI is released
  • Document assessments thoroughly, specifically noting those factors contributing to the patient’s presenting complaint
  • Consult a local attorney/risk management professional with any questions

About the Author

Michael W. Blaise is a shareholder at Lorance & Thompson in Houston. In 1991, he graduated from the University of Houston Law Center. He specializes in health care litigation.

1 Derr, Ameial, “Mental Health Service Use Among Immigrants in the United States,” Psychiatric Services 67:3, March 2016.

2 Garcini, L.M., Mental Disorders Among Undocumented Mexican Immigrants in High Risk Neighborhoods: Prevalence, Co-Morbidity and Vulnerabilities. J Consult Clin Psychol, 2017 Oct; 85(10): 927-936.

3 See, “Health Care Providers and Immigration Enforcement,” National Immigration Law Center, April 2017.

4 Id. at 2.

5 AMA Journal of Ethics, Case and Commentary, January 2019. Scott J. Schweirkart, JD, MBE.

6 Sconyers J, Tate T. How should clinicians treat patients who might be undocumented? AMA J Ethics. 2016;18(3):229-236.