The House Committee on Oversight and Government Reform (Committee) is examining whether White House staff engaged in a "cover-up of President Biden's mental decline" and whether the laws governing presidential incapacity are in need of reform. As part of that investigation, the chairman requested that the Physician to the President under President Biden appear for a voluntary transcribed interview addressing "the accuracy, transparency, and credibility" of his "medical assessments" of the former President. The physician's attorney declined that invitation on the ground that providing such an interview would violate physician-patient confidentiality, the District of Columbia (D.C.) physician-patient confidentiality law, and the American Medical Association's Code of Medical Ethics. The Committee disagreed with those arguments, and the chairman issued a subpoena for the physician to appear at a deposition. He did so on July 9, 2025, but—on advice of counsel—refused to answer any questions posed to him by asserting both his Fifth Amendment privilege against self-incrimination and the "physician-patient privilege."
Other CRS products, available here and here, address the application of the Fifth Amendment privilege in congressional investigations. This Sidebar considers the seldom-asserted "physician-patient privilege" and its potential application in congressional investigations, as well as other privacy-based legal limitations on the disclosure of patient information. Physician-patient confidentiality protects the sanctity of the physician-patient relationship by guarding information exchanged between physicians and their patients. As a legal matter, however, federal courts have never recognized the existence of a common law physician-patient privilege. Instead, what confidentiality protections exist in this area stem primarily from state medical privacy laws or federal laws and regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Department of Health and Human Services' (HHS's) HIPAA privacy rule (Privacy Rule). President Biden's former physician does not appear to have claimed that his testimony is barred by HIPAA-related restrictions, and as described below, it does not appear that state privacy laws can, as a constitutional matter, limit Congress's ability to conduct otherwise valid investigations. Other constitutional principles, however, may constrain Congress's ability to obtain personal health information generally, or personal health information of Presidents and former Presidents more specifically.
Witnesses before congressional committees will at times invoke common law privileges—or privileges created by courts based on legal tradition—as a justification for not complying with a committee subpoena. Congress will sometimes accept these privileges, especially the attorney-client privilege, but that recognition has historically been at the discretion of the investigating committee or, in many cases, the committee chair. Although the Supreme Court recently observed in dicta that recipients of a congressional subpoena "have long been understood to retain common law . . . privileges with respect to certain materials," Congress has generally not viewed its investigative powers as legally constrained by common law privileges.
Whatever the legal status of common law privileges in congressional investigations today, the federal courts have never recognized a common law privilege protecting physician-patient communications. While Congress may opt to recognize such a privilege in its proceedings, the Supreme Court, lower federal courts, and leading evidentiary treatises agree that "the physician-patient evidentiary privilege is unknown to the common law." There may be sound policy reasons for protecting this type of information—such as encouraging patients to speak frankly to their doctors without fear that those communications will subsequently be revealed to others or protecting a patient from the embarrassment that may follow from the "disclosure of his ailments"—but these concerns do not, according to the courts, override the maxim that a witness (whether in court or before a legislature) has a "general duty to give what testimony one is capable of giving." The Supreme Court has made clear, however, that "the common law is not immutable but flexible" and is continually subject to "evolutionary development." In 1996, for example, the Court established, for the first time, a common law privilege protecting confidential communications between a psychotherapist and her patient. While many of the reasons behind protecting communications with a psychotherapist may also apply to discussions with any physician, the majority opinion did not address a more general physician-patient privilege in that 1996 case.
As a result, though it is possible that federal courts could recognize a common law physician-patient privilege in the future, current legal justifications for a physician seeking to withhold testimony from Congress based on privacy considerations would appear to be limited to express protections in state and federal statutes and regulations.
The primary federal authorities governing the confidentiality of personal health information are HIPAA and the Privacy Rule that implements that statute. HIPAA prohibits the wrongful disclosure of individually identifiable health information and, as enacted in 1996, directed HHS to issue regulations governing the privacy of such information—what is known as the Privacy Rule. Under the Privacy Rule, "a covered entity" may not disclose "protected health information" without the authorization of the affected individual unless that disclosure meets an identified exception. A health care provider is a "covered entity" if he or she "transmits any health information in electronic form in connection with" certain transactions that relate to the payment and administration of health care. "Protected health information" in this context can include individually identifiable health information, in any form or medium, created or received by a covered health care provider relating to the "physical or mental health or condition of an individual." Although the Privacy Rule creates a complex regulatory regime, it appears that the rule would apply to information contained in most patients' medical records, including those that document a physician's assessments and diagnoses. If that is the case, and if the physician at issue electronically transmits health information in connection with a HIPAA-covered transaction, then on the Privacy Rule's face, disclosure of any protected information by that physician to Congress may need to be made either with the patient's authorization or pursuant to an identified exception.
The Privacy Rule creates various exceptions to its general requirement of patient authorization, but it does not contain an explicit exception for disclosures made to Congress during an investigation. There are provisions that could permit disclosures pursuant to a committee subpoena under specific circumstances, including exceptions for "health oversight activities" or "judicial and administrative" subpoenas, but it is unclear how these provisions apply in a congressional investigation. Nevertheless, it seems unlikely that an agency rule could, consistent with the separation of powers, limit a congressional committee's constitutional "power of inquiry." While the statutory delegation to HHS under HIPAA was extremely broad, the law made no reference to how congressional inquiries should be treated. Even had the law explicitly restricted congressional access to personal health information—or authorized HHS to do so—it is not clear that one Congress could use federal law to constrain a future Congress's exercise of its constitutional investigative powers by removing a committee's ability to access relevant information to which it would otherwise be entitled. With this in mind, it appears that applying the Privacy Rule to a congressional investigation would raise a number of legal questions, but as previously noted, President Biden's former physician has not relied on HIPAA in his refusal to disclose physician-patient information to the Committee. He has instead focused on the D.C. physician-patient confidentiality statute.
Nearly every state has enacted some form of physician-patient confidentiality law. These laws, however, vary greatly in their scope and in the identified exceptions to any general rule of confidentiality that they impose. The D.C. law that was relied on in the physician's response to the Committee's subpoena provides that "[i]n the Federal courts in the District of Columbia and District of Columbia courts," physicians are not permitted "without the written consent of their client or of the client's legal representative, to disclose any confidential information that the individual has acquired in attending the client in a professional capacity and that was necessary to enable the individual to act in that capacity." The chairman has noted that the plain language of that statute applies only to disclosures made in court, concluding that because "Congress is not a court[,] this Section therefore in no way precludes" testimony before the Committee.
This interpretation appears to be largely consistent with a recent federal district court decision in Arizona that considered this question in the context of a somewhat similar Arizona state law. That law, as described by the court, made any information contained in medical records confidential in "civil and criminal proceedings." Finding the law inapplicable to a committee investigation, the court reasoned that "a congressional subpoena involves neither" type of proceeding and is instead "issued under Congress's constitutional power to conduct investigations . . . ."
Although the D.C. law does not appear to apply to congressional subpoenas, a state medical privacy law that was interpreted to restrict disclosures to Congress would likely raise constitutional concerns. Under the Supremacy Clause of the Constitution, which provides that the "Constitution, and the Laws of the United States . . . shall be the supreme Law of the Land," the Supreme Court has held that a state law is preempted, or superseded by federal action, when it "stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress." While preemption cases typically involve conflicts between state and federal statutes, the courts have also suggested that "the constitutional text itself may displace conflicting state law."
As previously noted, congressional investigations are an exercise of federal constitutional power that arises from the legislative power granted to Congress in Article I, Section 1. Therefore, a state privacy law that purports to block congressional access to information to which a committee is otherwise entitled, thereby frustrating Congress's constitutional power of inquiry, would appear to present an obstacle to, and infringe upon, the exercise of a federal power. Although it does not appear that the courts have directly considered the extent to which state laws can inhibit congressional investigations, some federal courts have relied on Supremacy Clause principles to hold that in other exertions of federal investigative power—including during discovery in the federal courts, administrative investigations, and the enforcement of subpoenas issued by federal inspectors general—only federal law, and not state law, can be used to resist the disclosure of information.
This type of implicit federal supremacy is slightly different from the preemption of state law often seen in the statutory context. HIPAA contains a provision that explicitly preempts all contrary state laws, except those that relate to "the privacy of individually identifiable health information." The Privacy Rule, which interprets and implements this provision, exempts from preemption state medical privacy laws that are "more stringent" than federal medical privacy requirements. Thus, while more protective state physician-patient confidentiality laws are not preempted by HIPAA, they may nevertheless be inapplicable in the face of a demand for information during a valid congressional investigation. The alternative could threaten federal supremacy and empower states to frustrate one of Congress's core constitutional powers. (D.C. laws that were affirmatively enacted by Congress—like the 1896, 1963, and 1970 predecessors to D.C.'s current law on physician testimony—can raise Supremacy Clause complications, but the D.C. Circuit has reasoned that "[w]hen Congress acts as the local legislature for the District of Columbia . . . , its enactments should . . . be treated as local law, interacting with federal law as would the laws of the several states.").
Other limitations derived from the Constitution may limit congressional access to certain types of sensitive medical information. First, a committee subpoena for physician testimony about a patient must be relevant to an investigation that serves a valid legislative purpose. Generally, this legislative purpose test is satisfied when a committee is seeking to inform itself for purposes of legislation, and in the vast majority of cases, Congress can inform itself without access to personally identifiable information. In other investigations, personally identifiable health information about individual Presidents may be central to the investigation and inform Congress's legislative judgments.
Second, and related to legislative purpose and investigations involving a President, the Supreme Court held in Trump v. Mazars that "[c]ongressional subpoenas for the President's personal information implicate weighty concerns regarding the separation of powers" and are subject to increased scrutiny. That case involved a President's personal financial information, but its underlying reasoning may also cover personal medical information. The four-part Mazars test—described here—does not bar congressional committees from obtaining personal information about a President but does require a heightened showing of need if a dispute develops, as such requests raise sensitive constitutional concerns. The Supreme Court has left open the question of whether this heightened scrutiny is applicable to the personal information of former Presidents.
Finally, some courts have recognized a qualified constitutional right to informational privacy that could protect an individual's medical information in some situations. The U.S. Court of Appeals for the Third Circuit, for example, has held that "[t]here can be no question that an employee's medical records, which may contain intimate facts of a personal nature, are well within the ambit of materials entitled to [a constitutional] privacy protection." The U.S. Court of Appeals for the Ninth Circuit has similarly recognized that "[i]ndividuals have a constitutionally protected interest in avoiding 'disclosure of personal matters,' including medical information." Other courts, however, have come to different conclusions. The U.S. Court of Appeals for the Sixth Circuit, for instance, has held that "disclosure of [a] plaintiff's medical records does not rise to the level of a breach of a right recognized as 'fundamental' under the Constitution." The Supreme Court appears to have recognized some patient privacy interests in medical information but has not addressed whether that interest is rooted in the Constitution. Even if constitutional privacy protections exist for medical information, the protections would not be considered absolute, and a disclosure would not "automatically amount to an impermissible invasion of privacy." The patient's interest in confidentiality would likely need to be balanced against the government's—or, in a committee investigation, Congress's—need for the information.