CIPP/US Study Guide
Chapter 13: Privacy Issues in Civil Litigation and Government Investigations

Disclosures Permitted by Law

Some laws permit but do not require disclosure. HIPAA requires very few disclosures but permits many (public health, law enforcement, national security). Post-Dobbs HHS guidance limited "required by law" disclosures, and the computer trespasser exception (PATRIOT Act Section 217) lets system owners voluntarily allow interception.

HIPAA itself requires very few disclosures - only to the individual and to HHS in an enforcement action. It permits disclosure when required by another law and for purposes such as public health, law enforcement, and national security.

Post-Dobbs HHS guidance

After the 2022 reversal of Roe v. Wade, the HHS Office for Civil Rights clarified that a covered entity is not permitted to disclose PHI to law enforcement as "required by law" where the state law (e.g. one prohibiting abortion) does not expressly require reporting. The entity is permitted to disclose in response to a court order or court-ordered warrant.

The computer trespasser exception (PATRIOT Act Section 217) permits, but does not require, a system owner/operator to let law enforcement intercept a trespasser's communications if: the owner authorizes it; the officer is lawfully engaged in an investigation; the officer has reasonable grounds to believe the communications are relevant; and the interception captures only the trespasser's transmissions.

Key terms - quick answers

What is “Computer trespasser exception”?
PATRIOT Act Section 217 provision permitting (not requiring) a computer system owner/operator to authorize law enforcement interception of a trespasser's communications under defined conditions.
What is “HHS Office for Civil Rights guidance (2022)”?
Post-Dobbs guidance clarifying that PHI may not be disclosed as 'required by law' where state law does not expressly require reporting, but may be disclosed in response to a court order or court-ordered warrant.