HIPAA is a federal law that protects your health information from being shared without your permission and gives you the right to access your own medical records. Signed into law in 1996, the Health Insurance Portability and Accountability Act does more than most people realize: it sets the rules for how hospitals, insurers, and their partners handle your data, and it created national standards that modernized how the entire healthcare system operates.
What HIPAA Actually Covers
The name gives away the law’s two original goals. “Portability” means protecting your ability to keep health insurance when you change jobs or life circumstances. “Accountability” refers to holding the healthcare industry to consistent standards for handling information and preventing fraud.
The full text of the law addresses five broad areas: making health insurance more portable, preventing healthcare fraud and abuse, simplifying healthcare administration, setting standards for medical savings accounts, and improving access to long-term care. Over time, the privacy and security provisions have become the most visible parts of the law, but HIPAA’s administrative reforms quietly reshaped how every doctor’s office, hospital, and insurer processes claims and shares information.
Who Has to Follow HIPAA
HIPAA applies to three types of organizations, known as “covered entities”: health plans (your insurance company), healthcare providers (doctors, hospitals, pharmacies, labs), and healthcare clearinghouses (companies that process billing data between providers and insurers). If an organization falls into one of these categories, it is legally required to follow HIPAA’s rules.
The law also reaches companies that work with covered entities. These “business associates” include billing services, IT companies that manage electronic health records, law firms, accountants, and data analytics vendors. Any outside company that touches your health information on behalf of a provider or insurer must sign an agreement promising to protect that data and to use it only for the purposes for which it was hired. An employee who works directly for a hospital or clinic isn’t a business associate; they’re covered under the organization’s own HIPAA obligations.
Protected Health Information
The core of HIPAA’s privacy protections centers on “protected health information,” or PHI. This is any information about your health, treatment, or payment for care that can be linked back to you personally. The law identifies 18 specific types of identifiers that make health data protected:
- Direct identifiers: your name, Social Security number, phone number, fax number, email address, and medical record number
- Account and plan numbers: health plan beneficiary numbers, account numbers, and certificate or license numbers
- Location and dates: any address more specific than your state, plus birth dates, admission dates, discharge dates, and all ages over 89
- Digital identifiers: IP addresses, website URLs, device serial numbers, and vehicle identifiers including license plate numbers
- Biometric and visual data: fingerprints, voiceprints, full-face photographs, and any comparable images
- Catch-all: any other unique identifying number, characteristic, or code that could link data back to you
For health data to be considered “de-identified” and no longer subject to HIPAA’s restrictions, all 18 of these identifiers must be stripped out. Even a ZIP code can count as identifying if it covers a small enough population (fewer than 20,000 people).
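The stripping step described above is what HIPAA’s Safe Harbor de-identification method (45 CFR 164.514(b)) spells out in detail: direct identifiers are deleted, dates are reduced to the year, ages over 89 are collapsed into a single “90 or older” bucket, and a ZIP code may keep only its first three digits, and only when the area those three digits cover holds more than 20,000 people. The Python below is an added illustration, not code from the page or from any regulator: the patient record, the field names and the three-digit ZIP population table are all constructed for the example, and the free-text patterns are a minimal scrub for the identifiers that most often leak into clinical notes, not an exhaustive one.

```python
"""Safe Harbor style de-identification of a constructed patient record.

Added example: record, field names and population table are all invented.
"""
import re
from datetime import date

# Constructed lookup: population of the region formed by all ZIP codes
# sharing a 3-digit prefix. Real values come from census tables.
ZIP3_POPULATION = {"021": 750_000, "036": 12_000}

# Keys this example treats as direct identifiers and deletes outright.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "phone", "fax", "email", "mrn", "plan_id", "account_no",
    "license_no", "ip_address", "url", "device_serial", "license_plate",
    "fingerprint", "voiceprint", "photo", "street_address", "city",
}

# Date-valued keys: only the year may survive.
DATE_FIELDS = {"admission_date", "discharge_date"}

# Patterns for identifiers that leak into free-text notes (SSN first,
# so the phone pattern never sees a partially matched SSN).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
]

# Constructed "as of" date used for the age calculation.
AS_OF = date(2024, 3, 20)

# Constructed record; every value here is fictional.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "mrn": "MRN-0001",
    "street_address": "12 Elm St",
    "city": "Springfield",
    "state": "MA",
    "zip": "03601",
    "dob": date(1931, 5, 2),
    "admission_date": date(2024, 3, 15),
    "discharge_date": date(2024, 3, 20),
    "diagnosis": "Type 2 diabetes",
    "notes": "Daughter reachable at (617) 555-0100 or kid@example.org.",
}


def generalize_zip(zip5: str) -> str:
    """Keep the 3-digit prefix only when its region exceeds 20,000 people."""
    prefix = zip5[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    birthday_passed = (as_of.month, as_of.day) >= (dob.month, dob.day)
    return as_of.year - dob.year - (0 if birthday_passed else 1)


def scrub_free_text(text: str) -> str:
    """Replace SSN, phone and e-mail patterns with labelled placeholders."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor rules field by field and return a new record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # deleted outright
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"        # birth year would reveal age, so drop it
            else:
                out["age"] = str(age)
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[key[:-5] + "_year"] = value.year   # "admission_date" -> "admission_year"
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Check a record for leftover identifier keys or patterns; empty means clean."""
    found = [k for k in record
             if k in DIRECT_IDENTIFIERS or k in DATE_FIELDS or k in ("zip", "dob")]
    for key, value in record.items():
        if isinstance(value, str):
            for pattern, label in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    found.append(f"{key}:{label}")
    return found


def demo() -> dict:
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_RECORD))
    print("after:", demo(), residual_identifiers(demo()))
```

Two design points are worth noticing. The 92-year-old in the sample loses her birth year as well as her date of birth, because a year of birth on its own would reveal an age over 89; and the sample ZIP is reduced to "000" rather than "036" because the constructed population for that prefix falls under the 20,000 threshold. A `residual_identifiers` check like the one above is the kind of control a practitioner would run on exported datasets before treating them as outside HIPAA’s scope.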
Your Rights Under the Privacy Rule
HIPAA gives you a legal, enforceable right to see and receive copies of the information in your medical records. You can request copies from your healthcare provider or health plan, and you can also direct them to send your records to someone else of your choosing. If you just want to look at your records in person rather than get copies, the provider must arrange a convenient time and place for you to do so, and they cannot charge you a fee for simply viewing your information.
These rights exist for practical reasons. When you can access your own health information, you’re better equipped to monitor chronic conditions, stick to treatment plans, spot errors in your records, and track your progress in wellness programs. You also have the right to request corrections to your records if you find mistakes, which matters more than most people think. An error in your medical history, like a misrecorded allergy or an incorrect diagnosis, can follow you through every future medical encounter.
The Security Rule
While the Privacy Rule governs who can see your health information, the Security Rule addresses how that information is protected in electronic form. It requires covered entities and business associates to implement three categories of safeguards for electronic health records:
- Administrative safeguards: policies and procedures for managing data security, including employee training, risk assessments, and access controls that determine which staff members can see what
- Physical safeguards: protections for the actual buildings, equipment, and devices where electronic health data is stored, such as locked server rooms, workstation security, and controls on portable devices
- Technical safeguards: the technology itself, including encryption, audit trails that track who accessed records, and authentication systems that verify user identities
The law requires these safeguards to be “reasonable and appropriate,” which means a large hospital system and a solo physician’s office don’t need identical security setups, but both need to demonstrate they’ve assessed their risks and addressed them.
What Happens After a Data Breach
When a breach of unsecured health information occurs, HIPAA’s Breach Notification Rule sets strict timelines. The organization must notify every affected individual within 60 days of discovering the breach. If 500 or more people are affected, the organization must also notify the media and report directly to HHS within that same 60-day window. Smaller breaches affecting fewer than 500 individuals can be reported to HHS annually, with reports due within 60 days of the end of the calendar year. Business associates that discover a breach must notify the covered entity they work for within 60 days as well.
These deadlines exist so that you can take protective steps, such as monitoring for identity theft, as soon as possible after your information has been exposed.
Penalties for Violations
HIPAA violations carry financial penalties that scale based on the level of negligence. The penalty structure has four tiers. For violations where the organization didn’t know and couldn’t reasonably have known about the problem, fines range from $100 to $50,000 per violation, with an annual cap of $25,000 for repeat violations. When an organization had reasonable cause but didn’t act with willful neglect, fines range from $1,000 to $50,000 per violation, capped at $100,000 annually.
The penalties get significantly steeper for willful neglect. If the violation is corrected within the required time period, fines range from $10,000 to $50,000 per violation, with an annual maximum of $250,000. If the organization shows willful neglect and fails to correct the problem, every violation costs $50,000, and the annual maximum reaches $1.5 million. Criminal penalties, including imprisonment, can also apply in cases of deliberate misuse of health information.
Why HIPAA Still Matters
Beyond privacy, HIPAA drove a transformation in how the healthcare industry operates day to day. The law’s administrative simplification provisions created national standards for electronic transactions, code sets, and unique identifiers. Before HIPAA, providers and insurers used different formats for claims, eligibility checks, and payment processing, which created enormous inefficiency. Standardizing these transactions reduced paperwork and streamlined operations across the entire system.
The law also continues to evolve. In April 2024, HHS published a final rule strengthening privacy protections for reproductive health care. The update prohibits covered entities from using or disclosing health information to investigate or penalize someone for seeking, obtaining, providing, or facilitating reproductive health care that is lawful where it was provided. When organizations receive requests for health records that could relate to reproductive care for law enforcement or legal proceedings, they must now obtain a signed attestation confirming the request isn’t for a prohibited purpose. Providers and insurers were also required to update their privacy notices to reflect these new protections.
HIPAA’s importance ultimately comes down to a simple principle: your health information is among the most sensitive data that exists about you, and you should have both protection and control over how it’s used. The law creates the legal framework that makes that possible.