You can see the bones of a stronger limit during drafting (as "required" by warrants), but then weakened to allow mere "administrative requests".
> Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official's request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg...
Language in the agreement says it will allow ICE to access personal
information such as home addresses, phone numbers, IP addresses, banking
data, and social security numbers. (Later on in the agreement, what ICE is
allowed to access is defined differently, specifying just “Medicaid
recipients” and their sex, ethnicity, and race but forgoing any mention of IP
or banking data.) The agreement is set to last two months. While the document
is dated July 9, it is only effective starting when both parties sign it,
which would indicate a 60-day span from July 15 to September 15.Just think: If I "only" steal names and address from the psych ward, that's still a breach.