What Is Data Privacy in Healthcare and Why It Matters

Data privacy in healthcare is the set of rules, practices, and rights that control who can access, use, and share your medical information. It covers everything from the diagnosis your doctor types into your chart to the heart rate data your fitness tracker uploads to the cloud. In the U.S., the primary framework is HIPAA (the Health Insurance Portability and Accountability Act), but several other federal and international laws fill gaps that HIPAA doesn’t reach.

What Counts as Protected Health Information

Under HIPAA, any piece of data that can identify you and relates to your health, treatment, or payment for care qualifies as protected health information, or PHI. The law defines 18 specific identifiers that must be removed before health data can be considered de-identified. These include the obvious ones: your name, Social Security number, phone number, email address, and medical record number. They also include less obvious ones: vehicle license plate numbers, device serial numbers, IP addresses, biometric data like fingerprints and voiceprints, full-face photographs, and even geographic information more specific than your state.

Dates get special treatment. Any date directly tied to you, such as your birth date, hospital admission date, or discharge date, is protected. If you’re over 89, even your age and birth year are protected; records can only list you as “90 or older.” ZIP codes are partially allowed: the first three digits can stay if the area they represent has more than 20,000 people. If it has fewer, those digits must be replaced with 000.

Privacy vs. Security: Two Different Problems

Privacy and security in healthcare overlap but solve different problems. Privacy is about policy: who is allowed to see your information, for what purpose, and under what conditions. Security is about protection: how electronic systems keep that information safe from unauthorized access, theft, or tampering. HIPAA addresses both through separate rules. The Privacy Rule governs acquisition, use, and disclosure of identifiable health data. The Security Rule, which first required compliance in 2005, focuses specifically on electronic health information and sets administrative, physical, and technical safeguards.

A hospital could have excellent security (encrypted servers, strong passwords, firewalls) but poor privacy practices (staff accessing records they have no reason to view). Or it could have clear privacy policies but weak security that leaves patient data exposed to hackers. Both layers need to work together.

Your Rights Over Your Own Records

HIPAA gives you the right to access your own health information. When you request your records, a provider must respond within 30 calendar days. If the records are archived offsite or otherwise hard to retrieve, the provider can extend that deadline by one additional 30-day period, but only if they notify you in writing during the first 30 days explaining the delay and giving a specific completion date. Only one extension is allowed per request. If a provider denies access, the denial must come in writing within the same timeframe.

For research, the rules around consent have some flexibility. A signed authorization for research use can be set to never expire, lasting until the “end of the research study.” It can also be combined with a consent form to participate in the study itself. Researchers can even obtain authorization for future, not-yet-designed studies, as long as the authorization describes the future research clearly enough that you could reasonably expect how your data might be used.

How the EU Handles Health Data

Outside the U.S., the most influential framework is the European Union’s General Data Protection Regulation (GDPR). The GDPR classifies health data as a “special category” under Article 9, meaning it gets stricter protections than ordinary personal data. Processing health data is prohibited by default unless one of several specific conditions is met.

The most common lawful basis is explicit consent from the patient for one or more specified purposes. But consent isn’t always required. Health data can also be processed when it’s necessary for preventive or occupational medicine, medical diagnosis, providing health or social care, or managing health systems. Public health emergencies open another door: processing is allowed to protect against serious cross-border health threats or to ensure high standards of safety for medical products and devices. In each case, the law requires “suitable and specific measures” to protect the individual’s rights.

Health Apps and Wearables: The HIPAA Gap

One of the biggest misunderstandings in healthcare privacy is assuming HIPAA covers all health data. It doesn’t. HIPAA applies to “covered entities” (hospitals, doctors, insurance plans) and their business associates. The fitness tracker on your wrist, the sleep monitoring app on your phone, and the blood pressure app that syncs with a connected device typically fall outside HIPAA’s reach, even if the health information originally came from a covered entity.

That doesn’t mean these apps are unregulated. The Federal Trade Commission enforces Section 5 of the FTC Act, which prohibits unfair or deceptive practices around the collection, use, and sharing of personal information. Most health app developers are subject to the FTC’s Health Breach Notification Rule, which applies to apps that have the technical capacity to draw information from multiple sources (like user inputs combined with data from a connected fitness tracker) and are primarily managed by or for the individual. If your health app suffers a breach, the developer likely has a federal obligation to notify you, just not under HIPAA.

How Health Data Gets Shared Across Systems

As healthcare moves toward interoperability, where your records follow you from one provider to another, new privacy frameworks have emerged. The Trusted Exchange Framework and Common Agreement (TEFCA) is a federal initiative that defines a common set of privacy and security requirements for health information networks, regardless of whether they’re HIPAA-covered entities. TEFCA establishes baseline legal and technical requirements through a contract called the Common Agreement, signed by all participating networks. These requirements flow down to every participant and subparticipant exchanging data through the system.

The goal is to standardize privacy protections so that when your records move between networks, the same rules apply everywhere. TEFCA’s guiding principles include privacy, security, safety, equity, and transparency.

De-Identification: Using Data Without Identifying You

Researchers and public health agencies need access to large datasets, but they don’t necessarily need to know who you are. HIPAA provides a method called Safe Harbor de-identification, which requires stripping all 18 identifiers from the data. The organization must also have no actual knowledge that the remaining information could be used, alone or in combination with other data, to identify any individual in the dataset.

Once data meets this standard, it’s no longer considered PHI and can be used freely for research, analytics, or public health monitoring without individual authorization. The alternative path, called Expert Determination, involves a qualified statistician certifying that the risk of identifying any person in the dataset is “very small,” but Safe Harbor’s checklist approach is more commonly used because it’s more straightforward to implement.
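As an added worked example, not code from the original article, the following applies the Safe Harbor rules described above (dropping direct identifiers, reducing dates, the over-89 rule, and the three-digit ZIP rule) to a constructed patient record. The ZIP3 population table and the sample record are constructed for illustration; the real population figures come from Census data.

```python
from datetime import date

# Constructed ZIP3 population table, illustrative only: the real figures
# come from Census data. Keys are the first three digits of a ZIP code.
ZIP3_POPULATION = {"021": 600_000, "036": 15_000}

# Identifiers that Safe Harbor removes outright (a subset of the 18 on the page).
DROP_FIELDS = {"name", "ssn", "phone", "email", "mrn", "ip_address",
               "device_serial", "license_plate", "photo", "street", "city"}

def zip3_safe_harbor(zip_code, population=ZIP3_POPULATION):
    """Keep the 3-digit ZIP prefix only if its area has more than 20,000 people."""
    prefix = zip_code[:3]
    return prefix if population.get(prefix, 0) > 20_000 else "000"

def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)

def deidentify(record, as_of):
    """Return a Safe Harbor view of one patient record (a plain dict)."""
    out = {}
    birth = record.get("birth_date")
    over_89 = birth is not None and age_on(birth, as_of) > 89
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = zip3_safe_harbor(value)
        elif isinstance(value, date):
            # Safe Harbor strips every date element except the year; for a patient
            # over 89 the birth year itself reveals the age, so it goes too.
            if not (over_89 and key == "birth_date"):
                out[key + "_year"] = value.year
        else:
            out[key] = value
    if birth is not None:
        out["age"] = "90 or older" if over_89 else age_on(birth, as_of)
    return out

# Constructed sample record, not real patient data.
PATIENT = {
    "name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-12345",
    "birth_date": date(1933, 6, 15), "admission_date": date(2024, 11, 3),
    "zip": "03601", "diagnosis": "E11.9", "ip_address": "192.0.2.10",
}

if __name__ == "__main__":
    print(deidentify(PATIENT, as_of=date(2025, 1, 1)))
```

The "no actual knowledge" condition in the text is a judgement about the remaining fields and cannot be checked by this kind of field-level filter.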

The Breach Landscape

Healthcare remains one of the most targeted industries for data breaches. In 2025, roughly 62 million individuals were affected by healthcare data breaches in the U.S., an average of about 168,647 people per day. While that number actually represented a decline from the record-setting mega-breaches of prior years, it still underscores why privacy protections matter. Every breached record can contain diagnoses, treatment histories, insurance details, and Social Security numbers, a combination that makes healthcare data far more valuable on the black market than a stolen credit card number.

AI and the New Privacy Frontier

Artificial intelligence is reshaping how healthcare data is both used and protected. On the protection side, AI-driven algorithms can automatically de-identify patient records at scale, flagging identifiers that human reviewers might miss. AI-powered encryption techniques like homomorphic encryption allow computations to be performed on encrypted data without ever decrypting it, reducing the window of vulnerability during transmission and storage. Biometric security systems powered by AI, including facial recognition, add another layer of access control to electronic health records.

At the same time, AI introduces new privacy risks. Training a machine learning model on clinical data can inadvertently memorize and reproduce specific patient details. The countermeasure is a principle called “privacy by design,” where data minimization and purpose limitation are built into AI systems from the start. Only the minimum necessary patient information is collected and processed, and it can only be used for the specific purpose it was gathered for. These principles align with both HIPAA’s minimum necessary standard and the GDPR’s data minimization requirements.