
    Medical data serves as the backbone of America’s healthcare system, essential for treatment, billing, and public health monitoring.

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs most medical privacy in the United States. This law grants you significant rights over your health information while allowing healthcare to function smoothly and protecting public safety.

    Understanding exactly who can see your medical records, when they can access them, and what you can do about it requires navigating a number of rules, exceptions, and competing interests.

    Understanding HIPAA: The Foundation of Health Privacy

    What HIPAA Actually Does

    HIPAA emerged as a wide-ranging law, but its lasting public impact comes from the “Administrative Simplification” provisions. These sections required the U.S. Department of Health and Human Services to create national standards protecting sensitive patient health information from unauthorized disclosure.

    When Congress failed to enact specific privacy legislation within the timeline set by the Act, HHS stepped in and created the Standards for Privacy of Individually Identifiable Health Information, now known as the HIPAA Privacy Rule. The final version was published in 2000 and became enforceable in 2003.

    The Privacy Rule aims to balance individual health information protection with the flow of health information needed to provide high-quality care and protect public health.

    The Privacy Rule works alongside three other regulations:

    The Security Rule specifies safeguards that must protect health information in electronic form.

    The Breach Notification Rule requires covered entities and their business associates to notify affected individuals, HHS, and sometimes the media following a breach of unsecured health information.

    The Enforcement Rule contains provisions for investigations, penalties for violations, and procedures for hearings.

    The Office for Civil Rights (OCR) within HHS enforces all these rules.

    What Information Gets Protected

    The Privacy Rule protects “Protected Health Information” (PHI). This covers individually identifiable health information held or transmitted by a covered entity or its business associate, in any form—electronic, paper, or oral.

    Information qualifies as PHI when it meets two criteria. First, it must relate to:

    • The individual’s past, present, or future physical or mental health or condition
    • The provision of health care to the individual
    • The past, present, or future payment for health care provided to the individual

    Second, the information must either identify the individual or provide a reasonable basis to believe it can identify the individual.

    This connection between health data and personal identifiers triggers HIPAA protection. A blood pressure reading stored with a patient’s name becomes PHI. The same reading stripped of identifying information does not qualify for HIPAA protection.

    The 18 Identifiers That Create PHI

    The Privacy Rule specifies 18 distinct identifiers that, when associated with health information, make it PHI. Removing all these identifiers renders data “de-identified” and no longer subject to HIPAA restrictions.

    Identifier Number   Identifier Type
    1                   Names
    2                   All geographic subdivisions smaller than a state (street address, city, county, etc.)
    3                   All elements of dates (except year) for dates directly related to an individual
    4                   Telephone numbers
    5                   Fax numbers
    6                   Electronic mail addresses
    7                   Social Security numbers
    8                   Medical record numbers
    9                   Health plan beneficiary numbers
    10                  Account numbers
    11                  Certificate/license numbers
    12                  Vehicle identifiers and serial numbers, including license plate numbers
    13                  Device identifiers and serial numbers
    14                  Web Universal Resource Locators (URLs)
    15                  Internet Protocol (IP) address numbers
    16                  Biometric identifiers, including finger and voice prints
    17                  Full face photographic images and any comparable images
    18                  Any other unique identifying number, characteristic, or code

    What HIPAA Doesn’t Cover

    Several categories of health-related information fall outside PHI protections:

    De-identified Information that has had all 18 identifiers removed faces no HIPAA restrictions. This creates a legal pathway for organizations to strip personal identifiers from large datasets and sell or use that aggregate data for research, public health analysis, and commercial purposes.
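    The following Python example is added here to make the 18-identifier rule concrete; it is not code from the original article. It walks a record, drops the direct identifiers and sub-state geography, reduces dates to the year, scrubs identifier patterns embedded in free-text notes, and then checks whether anything from the list above still remains. The field names, regular expressions, and the sample record are all constructed assumptions, and the check is only as good as the field-name mapping and patterns it is given.

```python
"""Safe Harbor style de-identification check (added example)."""
import re
from datetime import date

# Field names assumed to hold direct identifiers (categories 1 and 4-18 above).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "other_unique_id",
}
# Geographic fields smaller than a state (category 2); the state itself is kept.
SUB_STATE_GEO_FIELDS = {"street", "city", "county", "zip"}

# Patterns for identifiers that tend to hide inside free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def generalize_date(value):
    """Keep only the year (category 3: every date element except the year)."""
    if isinstance(value, date):
        return value.year
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", str(value))
    return int(m.group(1)) if m else None


def scrub_free_text(text):
    """Replace embedded identifiers in notes with labelled placeholders."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text


def deidentify(record):
    """Return (clean_record, removed_field_names).

    Direct identifiers and sub-state geography are dropped, *_date fields
    become *_year fields, and the notes field is scrubbed.
    """
    clean, removed = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in SUB_STATE_GEO_FIELDS:
            removed.append(key)
        elif key.endswith("_date"):
            clean[key.replace("_date", "_year")] = generalize_date(value)
            removed.append(key)
        elif key == "notes":
            clean[key] = scrub_free_text(value)
        else:
            clean[key] = value
    return clean, removed


def is_deidentified(record):
    """True when no identifier field or embedded identifier pattern remains."""
    for key in record:
        if key in DIRECT_IDENTIFIER_FIELDS or key in SUB_STATE_GEO_FIELDS or key.endswith("_date"):
            return False
    text = " ".join(str(v) for v in record.values())
    return not any(p.search(text) for p in FREE_TEXT_PATTERNS.values())


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "state": "OH",
    "city": "Dayton",
    "zip": "45402",
    "admit_date": "2023-04-17",
    "systolic_bp": 138,
    "diagnosis_code": "I10",
    "notes": "Called patient at 555-123-4567; follow-up on 05/01/2023.",
}

if __name__ == "__main__":
    clean, removed = deidentify(SAMPLE)
    print(clean)
    print("removed:", removed, "| de-identified:", is_deidentified(clean))
```

    The blood pressure reading and diagnosis code survive, which is the point of the article's example: the same clinical value is PHI with the name and record number attached and falls outside HIPAA once they are gone. The check deliberately fails closed, reporting a record as still identified if any listed field or pattern remains.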

    Employment Records containing health information in your personnel file at work are not PHI. This includes doctor’s notes for sick leave or workplace injury records. The law considers these employment records maintained by a company as an employer, not as a healthcare provider.

    FERPA Records maintained by educational institutions, such as a school nurse’s office, are typically protected by the Family Educational Rights and Privacy Act (FERPA), not HIPAA.

    Who Must Follow HIPAA Rules

    HIPAA’s protections depend on who holds your health information, not the information itself. Understanding these “gatekeepers” is essential to grasping the true scope and limitations of your health privacy rights.

    Covered Entities: The Front Line

    HIPAA rules apply only to “Covered Entities.” Organizations that don’t meet this definition face no HIPAA requirements. This creates the “HIPAA protection gap,” where identical health information can be protected in one context but unprotected in another.

    Three categories qualify as covered entities:

    Health Care Providers include doctors, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, and pharmacies. However, a provider only becomes a “covered entity” if they transmit health information electronically in connection with standard transactions for which HHS has adopted standards. The most common example is billing an insurance company electronically. A cash-only provider who avoids these electronic transactions may not be a covered entity.

    Health Plans include health insurance companies, Health Maintenance Organizations (HMOs), employer-sponsored group health plans, and government-funded programs like Medicare, Medicaid, and military and veterans’ health programs.

    Health Care Clearinghouses act as intermediaries, processing nonstandard health information from one entity into standard format, or vice versa. Medical billing services that reformat a doctor’s customized claim data to meet national insurance company standards are common examples.

    Business Associates: The Extended Network

    Covered entities rely on extensive networks of external vendors and contractors. When a covered entity hires an outside person or company to perform a service involving PHI use or disclosure, that vendor becomes a “Business Associate.”

    Business associates include:

    • Third-party administrators processing insurance claims
    • Law firms, accountants, and consultants serving hospitals
    • IT contractors and electronic health record providers
    • Cloud storage providers hosting medical data
    • Companies providing physical record storage or shredding services
    • Medical transcription services
    • Billing and collection agencies

    HIPAA requires a Business Associate Agreement (BAA) to ensure PHI remains protected as it flows from covered entities to vendors. This contract legally binds business associates to the same privacy and security standards as covered entities.

    This system creates a “chain of trust” extending HIPAA protections to subcontractors. A single patient’s data might move from their doctor’s office (covered entity) to a billing company (business associate), which uses a cloud hosting service (subcontractor and business associate). A data breach at any link can compromise patient PHI.

    The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 made business associates directly liable for HIPAA violations. The federal government can now investigate and levy penalties directly against business associates for non-compliance, rather than only holding the original covered entity responsible.


    Your Rights Under HIPAA

    The HIPAA Privacy Rule grants individuals federally protected rights designed to give you control over your health information, ensuring transparency and empowering active participation in your care.

    The Right to Access Your Records

    You have a legal right to inspect and obtain copies of your medical records and billing records held by healthcare providers and health plans. This right applies to clinical laboratory test results, medical images like X-rays, insurance information, wellness program files, and clinical case notes.

    Making the Request: A provider or health plan may require written requests and may ask you to use their specific form. However, their process cannot create unreasonable barriers or delays. They cannot require you to physically visit the office to fill out a form if you want records mailed.

    Verification: They must take reasonable steps to verify your identity before providing access, but this process must be reasonable and cannot create obstacles.

    Timeliness: The covered entity must provide access to your records within 30 calendar days of receiving your request. They can extend this once, by up to 30 days, but only if they provide a written explanation for the delay within the initial 30-day period.

    Format: You have the right to receive records in the form and format you request, if the provider can readily produce it. This explicitly includes common electronic formats like PDFs sent via email or files on a USB drive.

    Fees: A provider can charge a “reasonable, cost-based fee” for providing copies. This fee can only include the cost of labor for copying (paper or electronic), supplies (like a USB drive or paper), and applicable postage. The fee cannot include costs for searching, retrieving, or preparing records for copying. For electronic copies of records already stored electronically, HHS guidance clarifies that total fees should generally not exceed $6.50.

    Unpaid Bills: A provider cannot deny you copies of your records because you haven’t paid for services received.

    The Right to Correct Your Records

    If you believe information in your medical or billing records is incorrect or incomplete, you can request that the covered entity amend that information.

    The provider or health plan must act on your request within 60 days, with a possible 30-day extension if they notify you in writing.

    If Accepted: The entity will append corrected or additional information to the record without deleting original information. They must make reasonable efforts to notify others who may have received incorrect information.

    If Denied: A covered entity can deny your request if they believe the existing information is accurate and complete. If denied, they must provide a written denial in plain language. You then have the right to submit a written “statement of disagreement.” The provider must attach your statement to the disputed record and include it with any future disclosures of that information.

    The Right to an Accounting of Disclosures

    You can receive an “accounting of disclosures” that lists certain instances where your PHI was shared for purposes other than treatment, payment, and healthcare operations. You can request an accounting for disclosures made up to six years prior to your request.

    This right lets you see where information went for non-routine purposes, including disclosures to:

    • Public health authorities
    • Law enforcement officials
    • Workers’ compensation programs
    • Researchers (in some cases)
    • Anyone as a result of a court order

    The accounting is not required to include disclosures made for Treatment, Payment, or Health Care Operations (TPO). Since the vast majority of PHI disclosures fall under TPO—such as routine sharing between your primary care doctor and a specialist, or between your hospital and insurer—the report provides an incomplete picture of who has seen your data.
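    The amendment procedure above (append, never delete; a statement of disagreement travels with later disclosures of the disputed item) and the accounting of disclosures (log every disclosure with its purpose, report only the non-TPO ones from the six years before the request) are both bookkeeping rules, so here is one added Python example that implements them together. It is not code from the original article; the class names, the purpose labels, and the sample history are constructed assumptions.

```python
"""Amendments and accounting of disclosures as record-keeping logic (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Purposes the accounting is not required to list (TPO).
TPO_PURPOSES = {"treatment", "payment", "health_care_operations"}
ACCOUNTING_LOOKBACK_YEARS = 6
REQUEST_DATE = date(2024, 9, 1)  # constructed date of the patient's request


@dataclass
class Amendment:
    item: str
    original: str
    correction: Optional[str]           # None when the request was denied
    disagreement: Optional[str] = None  # patient's statement after a denial


@dataclass
class Disclosure:
    when: date
    recipient: str
    purpose: str
    items: list
    attachments: list = field(default_factory=list)


@dataclass
class PatientRecord:
    data: dict
    amendments: list = field(default_factory=list)
    disclosures: list = field(default_factory=list)

    def accept_amendment(self, item, correction):
        # The original entry stays in place; the correction is appended beside it.
        self.amendments.append(Amendment(item, self.data[item], correction))

    def deny_amendment(self, item, disagreement):
        # Denied request: the patient's statement of disagreement is attached.
        self.amendments.append(Amendment(item, self.data[item], None, disagreement))

    def current_value(self, item):
        """Latest accepted correction, otherwise the original entry."""
        for a in reversed(self.amendments):
            if a.item == item and a.correction is not None:
                return a.correction
        return self.data[item]

    def disclose(self, when, recipient, purpose, items):
        """Log the disclosure and bundle any disagreement statements with it."""
        attachments = [
            f"Statement of disagreement on {a.item}: {a.disagreement}"
            for a in self.amendments if a.item in items and a.disagreement
        ]
        self.disclosures.append(Disclosure(when, recipient, purpose, list(items), attachments))
        return {i: self.current_value(i) for i in items}, attachments

    def accounting_of_disclosures(self, request_date):
        """Non-TPO disclosures made in the six years before request_date."""
        cutoff = lookback_cutoff(request_date)
        return [d for d in self.disclosures
                if d.purpose not in TPO_PURPOSES and d.when >= cutoff]


def lookback_cutoff(request_date):
    """Same calendar day six years earlier (Feb 29 falls back to Feb 28)."""
    try:
        return request_date.replace(year=request_date.year - ACCOUNTING_LOOKBACK_YEARS)
    except ValueError:
        return request_date.replace(year=request_date.year - ACCOUNTING_LOOKBACK_YEARS, day=28)


def build_sample():
    """Constructed sample history; not real patient data."""
    rec = PatientRecord({"allergies": "penicillin", "blood_type": "O+"})
    rec.accept_amendment("allergies", "penicillin, sulfa")
    rec.deny_amendment("blood_type", "Patient states blood type is A+")
    rec.disclose(date(2024, 3, 1), "Specialist clinic", "treatment", ["allergies"])
    rec.disclose(date(2022, 6, 15), "County health department", "public_health", ["blood_type"])
    rec.disclose(date(2015, 1, 10), "Police department", "law_enforcement", ["allergies"])
    return rec


if __name__ == "__main__":
    rec = build_sample()
    for d in rec.accounting_of_disclosures(REQUEST_DATE):
        print(d.when, d.recipient, d.purpose, d.items, d.attachments)
```

    Run against the sample, the accounting lists only the 2022 public health disclosure: the 2024 treatment disclosure is TPO and the 2015 law enforcement disclosure is older than six years. That is exactly the incomplete picture the paragraph above describes, since the routine treatment sharing never appears in the report even though it is logged.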

    Routine Sharing: Treatment, Payment, and Operations

    HIPAA was designed to avoid creating barriers to high-quality healthcare delivery. The Privacy Rule permits covered entities to use and disclose PHI for three fundamental purposes without obtaining your specific written authorization: Treatment, Payment, and Health Care Operations (TPO).

    This TPO permission drives the U.S. health data system and represents the largest category of information sharing. When you first visit a provider, you receive a “Notice of Privacy Practices” explaining these permitted uses and disclosures. By seeking care from that provider, you acknowledge this system.

    This creates a default “opt-in” for the vast majority of PHI disclosures. The default state of your health data under HIPAA is “shareable for approved purposes,” not “locked down.” Privacy protection comes from strictly limiting sharing purposes, not preventing sharing itself.

    Treatment

    This encompasses providing, coordinating, or managing health care and related services. It allows healthcare professionals to communicate freely to ensure you receive the best possible care.

    Examples include:

    • Your primary care physician sending your medical record to a specialist they’re referring you to
    • A hospital sharing lab results and medical history with the nursing home you’re being transferred to
    • Two doctors consulting about your diagnosis and treatment plan
    • A pharmacist using information from your doctor to fill a prescription

    Payment

    This category includes activities required to obtain payment or reimbursement for healthcare services you receive.

    Examples include:

    • Your hospital submitting a claim to your health insurance company that includes your diagnosis and procedures performed
    • Your health plan contacting your provider to verify medical necessity of a service
    • A provider disclosing information to a collection agency to obtain payment for an overdue bill
    • A hospital providing your insurance information to an ambulance company so they can bill for transport services

    Health Care Operations

    This broad category covers necessary administrative, financial, legal, and quality improvement activities of a covered entity.

    Examples include:

    • A hospital reviewing medical records of patients with certain conditions to assess treatment outcomes and improve care quality
    • Training medical students or other healthcare professionals
    • Contacting you with appointment reminders
    • Conducting business planning, legal services, and auditing functions, including fraud and abuse detection and compliance programs
    • A provider disclosing information to a health plan for quality-related purposes, such as for the plan’s Health Plan Employer Data and Information Set (HEDIS)

    HIPAA distinguishes between “consent” and “authorization.” Covered entities are permitted to obtain your general consent for TPO uses and disclosures. This is often a simple, one-time signature on an intake form.

    An authorization is a much more detailed and specific permission you must grant before your PHI can be used or disclosed for purposes outside TPO. Your specific, written authorization is generally required before your information can be used for marketing purposes or sold to a third party.

    The HIPAA Privacy Rule contains specific national interest and public priority exceptions that permit PHI disclosure without your authorization. These exceptions balance individual privacy rights against significant societal needs like protecting public health, ensuring legal system integrity, and maintaining national security.


    For Public Health and Safety

    HIPAA recognizes that health information access is critical for public health authorities to carry out their mission. The Privacy Rule permits covered entities to disclose PHI without patient authorization to public health authorities like the Centers for Disease Control and Prevention (CDC) or state and local health departments.

    Permitted disclosures include:

    Reporting Diseases and Vital Events: Reporting cases of communicable diseases (measles, tuberculosis), injuries, or vital events such as births and deaths.

    Public Health Surveillance and Investigation: Aiding in public health surveillance, investigations, and interventions.

    Child Abuse and Neglect: Reporting suspected cases of child abuse or neglect to appropriate government authorities authorized by law to receive such reports.

    FDA-Regulated Products: Disclosing information to entities subject to Food and Drug Administration (FDA) jurisdiction for public health purposes related to quality, safety, or effectiveness of FDA-regulated products. This includes reporting adverse events, tracking products, and enabling product recalls.

    Communicable Disease Exposure: Notifying someone who may have been exposed to a communicable disease or may be at risk of contracting or spreading a disease, if the covered entity is authorized by law to do so.

    Your PHI is not shielded from the legal system. The Privacy Rule contains specific provisions allowing disclosure in judicial, administrative, and law enforcement contexts.

    Judicial and Administrative Proceedings: A covered entity may disclose PHI in response to a direct order from a court or administrative tribunal. It may also disclose information in response to a subpoena, discovery request, or other lawful process if it receives satisfactory assurances that the person whose information is being sought has been notified and given an opportunity to object.

    Law Enforcement Purposes: This complex area has numerous specific permissions for disclosure to law enforcement officials without your consent:

    • To comply with laws requiring such reporting, such as laws mandating reporting of gunshot wounds or other violent injuries
    • In response to a court order, warrant, subpoena, or administrative request
    • To identify or locate a suspect, fugitive, material witness, or missing person (limited to basic demographic and identifying information)
    • In response to a request for information about a crime victim, provided the victim agrees (or in limited emergency situations if the victim cannot agree)
    • To alert law enforcement of a patient’s death if there’s suspicion it resulted from criminal conduct
    • To report evidence of a crime that occurred on the covered entity’s premises
    • To avert a serious and imminent threat to the health or safety of any person or the public

    Workers’ Compensation: Covered entities may disclose PHI as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs providing benefits for work-related injuries or illnesses. HIPAA generally defers to information-sharing rules established by these state-run systems.

    For National Security and Intelligence

    One of the broadest and least transparent exceptions relates to national security.

    The National Security Exception: The rule permits covered entities to disclose PHI to “authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act.” This could include agencies such as the Federal Bureau of Investigation (FBI), Central Intelligence Agency (CIA), and National Security Agency (NSA). This provision doesn’t require a warrant or subpoena; it permits covered entities to disclose information at their discretion in response to a request from an authorized official.

    Protective Services: A related exception allows disclosure to provide protective services to the President, other officials, or foreign heads of state.

    The USA PATRIOT Act: This separate law further expands government authority. It allows federal agents to obtain special court orders to seize “any tangible things,” including medical records, for foreign intelligence and anti-terrorism investigations. The Act includes a strict gag order, meaning the hospital or clinic receiving the order cannot tell anyone—including the patient whose records were taken—that the search occurred. Your records could be obtained under this authority and you would likely never know, even if you requested an accounting of disclosures.

    With Family, Friends, and Other Caregivers

    To avoid interfering with care, HIPAA provides flexibility for sharing information with people involved in your care.

    If you are present and have the capacity to make decisions, a provider can share relevant PHI with a family member, friend, or other person you identify as being involved in your care or payment for care, as long as you agree or don’t object when given the opportunity.

    If you are incapacitated, unavailable, or in an emergency situation, a provider may use their professional judgment to share information with a caregiver if they determine it’s in your best interest. They must only share information directly relevant to that person’s involvement in your care.

    Special Protections for Sensitive Information

    The U.S. legal system recognizes that some health information is more sensitive than others. While HIPAA establishes strong baseline protection for all PHI, federal law provides even stricter protections for certain categories where potential for stigma, discrimination, and harm is greatest.

    Psychotherapy Notes: The Highest Protection Level

    HIPAA affords special, elevated status to psychotherapy notes, treating them differently from all other mental health information.

    Definition: The law defines psychotherapy notes very narrowly. They are personal notes of a mental health professional recorded during a counseling session that are kept separate from the rest of the patient’s medical record. This definition excludes information about medication prescription and monitoring, counseling session start and stop times, treatment modalities and frequencies, clinical test results, and summaries of diagnosis, functional status, or treatment plan. That information is considered part of the general medical record and subject to standard HIPAA rules.

    Why They’re Different: These notes receive special protection because they often contain a therapist’s private impressions and analysis of a conversation, are highly sensitive, and are generally not needed by others for treatment, payment, or healthcare operations.

    The Stricter Rule: A covered entity must obtain a patient’s specific, written authorization for nearly any use or disclosure of psychotherapy notes. The general TPO permission that allows routine sharing of other PHI doesn’t apply to these notes. Very few exceptions exist, such as for the originator of the notes to use them for treatment, for the covered entity to defend itself in a legal action brought by the patient, or when disclosure is required by another law, such as a state’s mandatory “duty to warn” statute.

    Substance Use Disorder Records: 42 CFR Part 2

    Records related to substance use disorder treatment provided by a federally-assisted program are protected by a separate and more stringent federal regulation known as 42 CFR Part 2.

    Why It’s Stricter: This law predates HIPAA and was created specifically to address intense stigma associated with substance use disorders. The goal was to encourage individuals to seek treatment without fear that their records would be disclosed to law enforcement, employers, or others in ways that could lead to negative consequences.


    The Stricter Rule: Part 2 generally prohibits disclosure of any information that would identify a person as having a substance use disorder without that person’s specific written consent. It places tight restrictions on re-disclosure of this information by anyone who receives it. Part 2 provides much stronger protections against law enforcement access than HIPAA. While HIPAA has numerous exceptions for law enforcement, Part 2 generally requires a specific and heightened type of court order to compel disclosure, and records generally cannot be used to criminally investigate or prosecute the patient without their consent.

    Recent Changes: In February 2024, HHS finalized a new rule to better align Part 2 with HIPAA in certain areas to facilitate more integrated care. The new rule allows a patient to give a single, broad consent for all future uses and disclosures for TPO purposes. However, core heightened protections, especially regarding use of records in legal proceedings against the patient, remain in place.

    Comparing Privacy Rules for Sensitive Information

    The different legal standards for various types of health information can be complex. This table provides a side-by-side comparison:

    Governing Law
      General PHI (HIPAA): HIPAA Privacy Rule
      Psychotherapy Notes (HIPAA): HIPAA Privacy Rule
      SUD Records (42 CFR Part 2): 42 CFR Part 2

    Consent for TPO
      General PHI (HIPAA): Not required (covered by Notice of Privacy Practices)
      Psychotherapy Notes (HIPAA): Specific patient authorization required
      SUD Records (42 CFR Part 2): Specific patient consent required (though recent rules allow broader TPO consent)

    Law Enforcement Access
      General PHI (HIPAA): Permitted without consent in many scenarios (warrant, subpoena, serious threat)
      Psychotherapy Notes (HIPAA): Requires specific authorization or court order
      SUD Records (42 CFR Part 2): Requires specific, heightened court order; cannot be used to prosecute patient without consent

    Patient Access
      General PHI (HIPAA): Yes, right of access applies
      Psychotherapy Notes (HIPAA): No, patient does not have right of access
      SUD Records (42 CFR Part 2): Yes, right of access applies

    Health Apps and the Digital Privacy Gap

    In an era of smartphones and wearable technology, health information is generated and stored in more places than ever. This has created significant public confusion and a major gap in federal privacy protection.

    The HIPAA Protection Gap

    The vast majority of health, fitness, and wellness apps you download from an app store are not covered by HIPAA. This critical fact escapes most consumers. These app developers are not “covered entities” because they are not your healthcare provider or insurer. They are also not “business associates” because they provide a service directly to you, the consumer, not on behalf of your doctor.

    Because they’re not covered by HIPAA, their collection, use, and sharing of your sensitive health data is governed by completely different rules: their own privacy policy and terms of service, and oversight from the Federal Trade Commission (FTC), which enforces against unfair or deceptive business practices. These protections are often less stringent than those mandated by HIPAA.

    When HIPAA Applies to an App

    HIPAA applies to a mobile app only if it was created by or is being used on behalf of a covered entity.

    Example of a Covered App: Your hospital develops and offers its own patient portal app. You use this app to view lab results, message your doctor, and schedule appointments. This app is an extension of the hospital (a covered entity), so all information within it is PHI and protected by HIPAA. If the app is breached, the hospital is responsible under the Breach Notification Rule.

    Example of a Non-Covered App: You download a popular calorie-tracking app from the app store. You manually enter your weight, medical conditions, and what you eat. You might sync it with a fitness tracker. This app is a direct-to-consumer product and is not covered by HIPAA.

    Your Right to Direct Your Data Creates the Gap

    The privacy paradox arises from one of your most important HIPAA rights: the right of access. Under this right, you can instruct your doctor’s office or hospital to transmit an electronic copy of your medical record directly to a third-party app of your choosing. Your provider is legally required to comply with this request if they have the technical capability. They cannot refuse to send the data because they’re concerned about the app’s privacy practices.

    This creates a critical handoff of legal responsibility. The moment your provider successfully transmits your health record to the app you designated, that data is no longer PHI and HIPAA protection ceases. The provider’s legal responsibility for that data ends.

    If the app developer later sells your data, shares it with advertisers, or suffers a data breach, it’s not a HIPAA violation. By using your HIPAA right to data portability, you can inadvertently lose your HIPAA protection for that data.

    Your New Responsibility

    This digital landscape places greater responsibility on individuals to protect their own data. Before you grant any app access to your health information—either by manually entering it or by directing your provider to send it—carefully read the app’s privacy policy and terms of service.

    You are making a conscious decision to move your data from a space governed by federal health privacy law to a space governed by commercial contract law. That control comes with the responsibility to understand exactly where your data is going and what you’re permitting the app developer to do with it.

    When Your Privacy is Violated: Taking Action

    HIPAA’s rights and rules are only meaningful if they’re enforced. If you believe your health information privacy rights have been violated, there’s a formal process for reporting the issue and seeking recourse.

    Identifying a Potential Violation

    Common violations of the HIPAA Privacy Rule include:

    • A healthcare provider or health plan impermissibly using or disclosing your PHI, such as sharing it with your employer without your written authorization
    • Being denied your right to access your medical records, being forced to wait longer than the 30-day limit, or being charged an unreasonable fee for copies
    • A provider or their staff failing to implement reasonable safeguards, such as discussing your condition in a crowded waiting room or leaving paper records containing your PHI in a public area
    • Receiving notice that your PHI was compromised in a data breach at your provider, insurer, or one of their business associates

    Filing a Complaint with the Office for Civil Rights

    The Office for Civil Rights (OCR) within HHS is the primary agency that enforces HIPAA. Anyone can file a health information privacy complaint with OCR if they believe a covered entity or business associate has violated the rules.

    How to File: The easiest way to file is through the official OCR Complaint Portal online. You can also file by mail, fax, or email. You should file your complaint within 180 days of when you knew that the act or omission occurred.

    What to Expect: OCR will review your complaint to determine if it has jurisdiction (if the complaint is against a covered entity or business associate and alleges a potential violation). If it accepts the complaint for investigation, OCR will gather information from both you and the covered entity. If OCR finds a violation, it may resolve the case by requiring the entity to take corrective actions and enter into a resolution agreement. In more serious cases, OCR can impose financial penalties.

    You can find more detailed information about the entire process on the HHS website.

    Penalties for Violations

    HIPAA is backed by significant financial penalties designed to ensure compliance. OCR can impose civil monetary penalties on covered entities and business associates, with fines ranging from a few hundred dollars to tens of thousands of dollars per violation, depending on the level of negligence.

    In the most serious cases, such as the knowing and wrongful disclosure of PHI for commercial advantage or malicious harm, the U.S. Department of Justice can pursue criminal penalties, which can include larger fines and imprisonment.
