HIPAA protects your individually identifiable health information when it’s held by healthcare providers, health insurers, and the organizations that work with them. This includes everything from your medical diagnoses and lab results to your name, address, Social Security number, and even your IP address if it’s linked to your health records. The law creates a set of rules governing who can see this information, how it must be stored, and what rights you have over it.
Protected Health Information: What Counts
The core concept in HIPAA is “protected health information,” or PHI. This is any information about your health, your healthcare, or the payment for your healthcare that can be linked back to you as an individual. A blood pressure reading by itself isn’t PHI. A blood pressure reading attached to your name, date of birth, or medical record number is.
HIPAA identifies 18 specific identifiers that make health data identifiable. When these are attached to health or payment information, that data is protected:
- Names
- Geographic data smaller than a state (street address, city, ZIP code)
- Dates directly related to you (birth date, admission date, discharge date, date of death), plus all ages over 89
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs
- Any other unique identifying number or code
That last catch-all category is intentionally broad. If a piece of data could reasonably be used to identify a specific person in connection with their health information, HIPAA treats it as protected.
Who Has to Follow HIPAA
HIPAA doesn’t apply to everyone who touches health data. It applies to three categories of organizations, known as “covered entities”:
- Healthcare providers who transmit information electronically: doctors, clinics, dentists, psychologists, chiropractors, nursing homes, and pharmacies
- Health plans: insurance companies, HMOs, employer-sponsored health plans, and government programs like Medicare, Medicaid, and veterans’ health programs
- Healthcare clearinghouses: organizations that process health information between providers and insurers, converting it into standardized electronic formats
There’s also a fourth category: business associates. These are companies that perform services for covered entities and handle PHI in the process. Think billing companies, cloud storage providers hosting medical records, or IT firms maintaining a hospital’s computer systems. Covered entities must have a written contract with each business associate spelling out how they’ll protect the data. Business associates are directly liable for HIPAA compliance, not just contractually bound.
What HIPAA Does Not Cover
This is where many people get surprised. HIPAA only applies to covered entities and their business associates. A huge amount of health-related data falls completely outside its reach. Your fitness tracker data, the health information you enter into a wellness app, your Google searches about symptoms, and the data collected by direct-to-consumer DNA testing kits are generally not protected by HIPAA. The companies behind those products aren’t healthcare providers or health plans, so HIPAA doesn’t govern what they do with your information.
Similarly, health information in your employer’s personnel files (like a doctor’s note you submit for sick leave) isn’t covered by HIPAA, because your employer isn’t acting as a covered entity when it collects that information. School health records and most life insurance records also fall outside HIPAA’s scope. Some of these gaps may be partially filled by state privacy laws or other federal regulations, but HIPAA itself doesn’t reach them.
When Your Information Can Be Shared
HIPAA doesn’t lock down your health information completely. Covered entities can use and share your PHI without your explicit authorization for three core purposes: treatment, payment, and healthcare operations.
Treatment means your doctor can share your records with a specialist you’re being referred to, or two providers can discuss your case when coordinating your care. Payment means your provider can send information to your insurer to get reimbursed, and your insurer can use it to determine coverage and process claims. Healthcare operations covers internal activities like quality improvement, staff training and credentialing, audits, fraud detection, and business planning.
For these three purposes, obtaining your written consent is actually optional under the Privacy Rule. Many providers do ask you to sign a consent form, but HIPAA doesn’t require it for treatment, payment, and operations. Outside of those three categories, covered entities generally need your written authorization before sharing your PHI, particularly for things like marketing or selling your data.
Your Rights Over Your Health Data
HIPAA gives you several specific rights regarding your health information. Covered entities and their business associates are legally required to honor them:
- Access and copies: You can ask to see your health records and get copies of them.
- Corrections: You can request that errors in your health information be corrected.
- Privacy notice: You’re entitled to a clear notice explaining how your health information may be used and shared. This is that form you’re handed at every new doctor’s office.
- Authorization control: You get to decide whether your information can be used for certain purposes, like marketing.
- Restrictions: You can ask a covered entity to limit how it uses or discloses your information, though the entity isn’t always required to agree.
- Disclosure accounting: You can request a report showing when and why your health information was shared for purposes beyond treatment, payment, and operations.
How HIPAA Requires Data Security
Beyond privacy rules about who can see your data, HIPAA’s Security Rule requires covered entities and business associates to protect electronic health information with three categories of safeguards. Administrative safeguards include policies, training, and risk assessments. Physical safeguards cover things like facility access controls and workstation security. Technical safeguards involve encryption, access controls, and audit logs for electronic systems.
The Security Rule is intentionally flexible about exactly how organizations meet these requirements, since a small dental practice and a large hospital system have very different resources and risks. But every regulated organization must have documented safeguards in all three categories.
How State Laws Interact With HIPAA
HIPAA acts as a federal floor, not a ceiling. It sets the minimum level of privacy protection across the country, but states are free to pass laws that go further. If a state law provides stronger privacy protections than HIPAA, both apply, and the covered entity must follow the stricter standard. For example, some states restrict disclosure of HIV status more tightly than HIPAA does. In those states, providers must follow the state restriction even though HIPAA would technically permit the disclosure.
A state law only gets overridden, or “preempted,” when it’s impossible to comply with both the state law and HIPAA at the same time, or when the state law actively undermines HIPAA’s goals. In practice, this means your actual privacy protections depend on where you live. States like California and New York have passed health privacy laws that go well beyond what HIPAA requires.

