Statutes That Go Beyond Fourth Amendment Requirements
After the Supreme Court held the Fourth Amendment did not protect bank records or dialed numbers, Congress added statutory process. RFPA (1978) covers financial records; ECPA (1986) covers electronic communications. HIPAA permits law-enforcement disclosure under a detailed three-criteria test.
Several statutes impose process where the Constitution does not. The Right to Financial Privacy Act of 1978 followed the holding that the Fourth Amendment did not apply to checking accounts; the Electronic Communications Privacy Act of 1986 followed the holding that it did not apply to dialed phone numbers. These require some legal process - but less than a probable-cause warrant. Both are examples of disclosure prohibited unless statutory requirements are met.
HIPAA shows the trade-offs: PHI generally goes to law enforcement only with opt-in consent, but Section 512(f) permits disclosure pursuant to a court order, grand jury subpoena, or administrative request if three criteria are met: the information is relevant and material to a legitimate inquiry; the request is specific and limited in scope; and deidentified information could not reasonably be used. HIPAA also permits disclosure when "required by law" even outside other exceptions.