If your eyes have ever glazed over while reading a lengthy privacy disclosure form at the doctor, you’ve already been introduced to HIPAA. The Health Insurance Portability and Accountability Act of 1996 established numerous regulations to protect private health data. The law protects health privacy by prohibiting providers from disclosing health care information without your permission in most contexts. It also creates rules for how health information must be stored, and it establishes a complaint procedure for consumers who believe their health privacy rights have been violated. 

Here’s what you need to know.

Your Right to Health Care Privacy

Under the law, most health care providers are prohibited from disclosing health information to third parties without consent. HIPAA covers not only doctors, but midwives, nurse practitioners, nurses, dentists, pharmacists, nursing homes, psychologists, and most other health care providers. It also prevents health insurers from disclosing private health care information, and it bans entities that process that information from leaking it. 

HIPAA protects patients and providers, according to Michelle Katz, LPN, a healthcare advocate and author. “The providers and covered entities will not get sued if they document HIPAA correctly and know the laws, etc., and patients will have their medical information protected to avoid any discrimination, etc.,” she said.

Whether an entity is covered or not depends on whether that provider transmits electronic health information about a health care transaction for which the federal government has created a rule. Practically speaking, this includes all medical providers and insurance plans, since electronic communication is virtually inevitable in today's healthcare environment.

Employers, workers’ compensation providers, life insurance providers, most law enforcement agencies, and other entities that interact with health care information are not governed by HIPAA. They may, however, be governed by additional laws and by contracts with the people they serve. So they’re not necessarily free to share whatever health information they want. 

Most people understand that information about their physical health is private. But HIPAA prohibits disclosure of other information, too. That includes:

  • Details about care provided to a patient, including whether or not a provider has seen that patient, which means a provider cannot, without your permission, verify to your employer that they provided you with treatment.
  • Your name, address, date of birth, or Social Security Number.
  • Any information about your health or condition. No matter how close someone is to you or how frequently that person has been with you to the doctor before, a provider cannot tell them about your health without your permission.

Health care providers and insurers must also take reasonable measures to protect health care data. They can’t, for example, store patient health records on a public server, or leave written records somewhere where the general public can easily access them.

When there is an inadvertent violation, such as a computer intrusion or the loss of a physical record, the health care entity is required to take proactive steps to minimize the privacy intrusion. The necessary steps vary with the nature of the violation. For instance, a doctor’s office that has been hacked might need to determine how the intrusion occurred and then notify patients about the issue. 

“The downside is that the law is still changing and is very complicated,” Katz said. “So some providers are overly cautious. For example, I had an incident where my spouse at the time had a heart attack, and I could not get any information about him including where he was at the facility as well as any documentation that I needed to be sure we were covered since I was not present at the time. Thus, I learned how important it was to make sure you had a power of attorney at the hospital where you intend to get treatment, which is tough to predict sometimes.”

What Can Be Disclosed Under HIPAA?

A health provider can never publicly disclose a patient’s full health record, but there are some instances in which a provider might be allowed to disclose some things, including:

  • To government reporting agencies, such as the CDC, that gather anonymous health data.
  • To insurers to the extent that disclosure is necessary to pay the patient’s bill.
  • To parents of minor children, who have a right to their children’s medical records.
  • To another doctor they are working with when you are sick, to determine the best course of treatment for you. 
  • To people whom the patient has authorized, or whom a court has appointed as the patient’s legal guardian. For example, an authorized caregiver of a patient with Alzheimer’s can request information about the patient’s health.
  • When a patient is a danger to another person or themselves, the provider may be able to contact the authorities.
  • When a patient discloses child abuse or indicates that a child is in imminent danger, most providers are required to report this to the authorities. However, this rule does not mean that they can disclose other confidential health information.

Administrative Requirements Under HIPAA

HIPAA also establishes requirements for steps providers must take to ensure patient privacy. Those include:

  • Appointing a privacy official who develops and implements a privacy plan and makes sure the health provider is compliant with all federal and state privacy laws.
  • Disclosing to patients which health records the entity maintains and stores and how it uses those records.
  • Training all employees, interns, and volunteers on the provider’s policies and procedures for complying with HIPAA.
  • Establishing a process through which patients can complain about HIPAA violations or policies that are noncompliant with HIPAA.

Penalties for Violating HIPAA

Violating a person’s medical privacy can have catastrophic effects. For example, telling an abusive husband about his wife’s hospitalization could put her in danger, while revealing a diagnosis to an employer could subject the employee to discrimination. The penalties depend on the nature of the violation and whether it was intentional.

  • Accidental or unknowing violations carry a fine of $100 per accidental violation.
  • A willful violation that is followed by a reasonable attempt to correct the violation carries a $10,000 penalty per violation.
  • When there is a willful violation that goes uncorrected, the penalty is $50,000 per violation.

Your Right to Access Your Health Records

HIPAA also governs your right to gain access to your own health information and get copies of important medical records. You can request to see your health record, including x-rays, vaccination history, lab tests, and records of your treatments.

To see your health information, place a request with your health provider; you may need to fill out a form at your doctor’s office. Your provider may give you access to an electronic health record free of charge, or they may charge a fee for you to see your medical records. However, your provider must inform you of these fees in advance, and the cost must be fair. You have a right to see your medical record within 30 days of placing your request.

Thanks to HIPAA’s protections, your provider cannot refuse you access to your health records because you have not yet paid your medical bill in full.

You’re in Control of Who Can See Your Health Records

HIPAA also gives you the right to have your health information sent to anyone you choose, including a home caregiver, family member, new doctor, or an app or device that monitors your health. You can request that your doctor or health facility send your health information to the party of your choice, but be aware that once the recipient has received it, your doctor is no longer responsible for what happens to the data they sent.

It is important to be careful about the decision to send your health information and understand the risks of doing so. Talk with your doctor about who you want to send your health information to and why, and they should help you decide if this is an appropriate choice.

You may need to fill out a form at your doctor’s office if you want to share your health information, and they may charge a fair fee for this service.

Other Rules Under HIPAA

Although HIPAA is best known for its privacy rules, the privacy rule comes from just one title of the larger law. HIPAA also establishes other rules and regulations, such as:

  • Allowing the government to conduct periodic audits of health providers’ HIPAA compliance.
  • Regulating insurers by, for example, ensuring that people who lose their jobs can remain on employer-sponsored insurance for a period of time.
  • Prohibiting hospitals from giving health information to relatives over the phone.
  • Standardizing medical billing codes.
  • Allowing you to request a correction if you find a mistake on your health record. If you disagree with your provider about something on your record, you can write a statement of your disagreement, which can be stored with your permanent record.
  • Allowing you to request a report of everyone who has accessed your record, called an “accounting of disclosures.”
  • Allowing you to determine how you want to be contacted by your doctor, for example, which phone number to reach you by, and whether or not your providers can leave a voicemail.
  • Allowing you to request which parties cannot see your information.

Learning More About HIPAA

“Keep in mind that every state further defines HIPAA rules differently,” Katz said. “So it is extremely important that everyone reads their state laws on HIPAA too.”

Your HIPAA rights should be spelled out in detail in documentation provided by your doctor, called the Notice of Privacy Practices. Usually your provider will give you a copy or post it in their office. Be sure to carefully review this notice, because it will say exactly how your rights are protected and how your information is used.

The U.S. Department of Health and Human Services is charged with implementing and overseeing HIPAA compliance. Patients who think their HIPAA rights have been violated can file a complaint with HHS. They can also directly file a complaint with the provider, hospital, or insurer they allege has violated their HIPAA rights.


About the Expert Contributor:

Michelle Katz, MSN, LPN is a well-known healthcare advocate who works to make healthcare accessible to those who may not have thought they could afford the care they needed, as well as easier to understand, by addressing the critical aspects of healthcare in a simpler way. She empowers families and businesses to take control of their situations by introducing the tools they need to get out of medical debt and stay out of medical debt, all stemming from her own experiences. Michelle has published three books: Healthcare for Less, 101 Health Insurance Tips, and Healthcare Made Easy.