HIPAA stands for the Health Insurance Portability and Accountability Act, a 1996 federal law that establishes standards for protecting sensitive health information from being disclosed without a patient’s consent. It governs how doctors, hospitals, insurance companies, and their partners handle your medical data, and it gives you specific rights over your own health records.
What HIPAA Actually Covers
HIPAA applies to “covered entities,” a legal term for three types of organizations: healthcare providers (doctors, dentists, psychologists, pharmacies, nursing homes, clinics), health plans (insurance companies, HMOs, employer health plans, Medicare, Medicaid, and veterans health programs), and healthcare clearinghouses (companies that process health data into standardized formats). The key detail is that providers only fall under HIPAA if they transmit health information electronically, which in practice means nearly all of them.
The law also reaches companies that work on behalf of these organizations. If a hospital hires an IT firm to manage its patient database, or a billing company to process claims, those outside partners are called “business associates” and must follow the same rules. The covered entity is required to have a written contract spelling out what the business associate can and cannot do with patient data. Business associates are directly liable for violations, not just contractually responsible.
If an organization doesn’t fit into any of these categories, HIPAA doesn’t apply to it. This is why fitness apps, most employer wellness programs, and consumer DNA testing services generally operate outside HIPAA’s reach.
The Privacy Rule: What Counts as Protected Information
The Privacy Rule is the core of HIPAA. It defines “protected health information” (PHI) as any health data that can be linked to a specific person. The law identifies 18 types of identifiers that make health information protected:
- Personal details: names, phone numbers, fax numbers, email addresses, Social Security numbers
- Geographic data: street addresses, cities, counties, and most zip codes
- Dates: birth dates, admission dates, discharge dates, and dates of death (year alone is allowed, but full dates are protected). All ages over 89 are also protected.
- Account and record numbers: medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers
- Digital and physical identifiers: vehicle identification and license plate numbers, biometric data like fingerprints and voiceprints, full-face photographs
- Catch-all: any other unique identifying number, characteristic, or code that could link data back to a person
A lab result on its own isn’t PHI. A lab result attached to your name, date of birth, or medical record number is. The distinction matters because researchers and public health agencies can often use health data that has been stripped of all 18 identifiers without triggering HIPAA requirements.
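To make the Safe Harbor idea concrete, here is an added example (not part of the original article) that strips or generalizes the identifier classes listed above from a record before release; the field names and the sample record are constructed assumptions.

```python
"""Safe Harbor style de-identification of one patient record (added example).

Removal rules follow the identifier classes listed above: direct identifiers
are dropped, full dates become a year, and ages over 89 are aggregated.
Column names and the sample record are constructed, not from any real system.
"""
from datetime import date

# Direct identifiers that are dropped outright (hypothetical column names).
# Device identifiers, URLs and IP addresses are also on the 18-identifier list.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "street", "city", "county", "zip",
    "mrn", "beneficiary_id", "account_no", "license_no", "vin", "plate",
    "fingerprint", "voiceprint", "photo", "device_serial", "ip", "url",
}
# Date fields are reduced to the year, which the rule allows.
DATE_FIELDS = {"dob", "admitted", "discharged", "died"}

def safe_harbor_deidentify(record: dict) -> dict:
    """Return a copy of `record` with identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # drop the identifier entirely
        if key in DATE_FIELDS and isinstance(value, date):
            out[key] = value.year         # full date -> year only
        elif key == "age" and isinstance(value, int) and value > 89:
            out[key] = "90+"              # ages over 89 are aggregated
        else:
            out[key] = value              # clinical data is retained
    return out

def has_direct_identifier(record: dict) -> bool:
    """Release gate: True if any identifier class is still present."""
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            return True
        if key in DATE_FIELDS and isinstance(value, date):
            return True
        if key == "age" and isinstance(value, int) and value > 89:
            return True
    return False

# Constructed sample record for demonstration only.
SAMPLE = {
    "name": "Jane Doe", "mrn": "MRN-000123", "zip": "12345",
    "dob": date(1931, 5, 4), "admitted": date(2024, 2, 10),
    "age": 92, "diagnosis": "I10", "hba1c": 6.8,
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE))
```

Note that dropping zip codes entirely is the conservative choice here; the rule itself permits partial retention in sufficiently populous areas.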
When Your Information Can Be Shared Without Permission
HIPAA isn’t a total lockdown on your health data. The Privacy Rule allows providers to use and disclose your information without your explicit authorization in several common situations. Treatment is the broadest exception: your primary care doctor can send your records to a specialist, a pharmacist can access your prescription history, and therapists in a group therapy setting can discuss your health openly, all without a separate permission form from you.
Your information can also be shared for payment purposes (so your insurer can process a claim) and for healthcare operations (quality improvement, training, audits). Beyond these routine uses, HIPAA permits disclosures for public health activities, law enforcement requests with proper legal authority, and situations involving serious threats to health or safety.
Your Rights Under HIPAA
HIPAA gives you direct control over your health records in ways many people don’t realize. You have the right to request and receive a copy of your medical records from any covered provider or insurer. You also have the right to ask for corrections if you spot errors in your health information. Providers can charge a reasonable fee for copying records, but they cannot refuse to give you access.
You can also request an “accounting of disclosures,” which is essentially a log of who your health information has been shared with and why. And you can ask providers to restrict how they share your data or to communicate with you in specific ways, like sending appointment reminders only to a particular phone number.
The Security Rule: Protecting Electronic Records
While the Privacy Rule covers all forms of health information (paper, verbal, electronic), the Security Rule focuses specifically on electronic protected health information. It requires covered entities and business associates to implement three categories of safeguards.
Administrative safeguards are policies and management practices. Organizations must conduct thorough risk assessments to identify vulnerabilities in how they store and transmit electronic health data, then put measures in place to reduce those risks to a reasonable level. This includes training employees, designating a security officer, and creating contingency plans for emergencies.
Physical safeguards control who can physically access the systems that store health data. This means locked server rooms, workstation security policies, and rules about how devices containing patient information are disposed of or reused.
Technical safeguards are the digital protections: encryption, access controls that limit who can view records, audit trails that log every time someone opens a file, and secure transmission methods for sending data between systems.
What Happens When a Breach Occurs
When protected health information is improperly accessed, used, or disclosed, HIPAA’s Breach Notification Rule kicks in. The requirements depend on how many people are affected.
For breaches affecting 500 or more individuals, the covered entity must notify the Department of Health and Human Services within 60 days. If 500 or more residents of a single state are affected, the organization must also alert prominent media outlets in that area within the same 60-day window. For smaller breaches affecting fewer than 500 people, organizations can report them in a batch to HHS no later than 60 days after the end of the calendar year in which they were discovered. In all cases, affected individuals must be notified directly.
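The thresholds above turn into a small decision procedure. The following is an added example (not from the original article) that derives the notification obligations and deadlines from a discovery date and the per-state list of affected individuals; the input layout and sample data are constructed.

```python
"""Breach Notification Rule obligations (added example, constructed data).

Thresholds are those stated above: 500 individuals for HHS notice, 500 residents
of one state for media notice, 60 days from discovery, and an annual batch for
smaller breaches due 60 days after the end of the calendar year of discovery.
"""
from collections import Counter
from datetime import date, timedelta

LARGE_BREACH = 500
# "Within 60 days" is an outer limit; the rule also requires no unreasonable delay.
NOTICE_WINDOW = timedelta(days=60)

def notification_obligations(affected_states: list, discovered: date) -> dict:
    """affected_states holds one state code per affected individual."""
    total = len(affected_states)
    by_state = Counter(affected_states)
    # Individuals are always notified; the same 60-day outer limit applies.
    obligations = {"individuals": discovered + NOTICE_WINDOW}
    if total >= LARGE_BREACH:
        obligations["hhs"] = discovered + NOTICE_WINDOW
        media_states = sorted(s for s, n in by_state.items() if n >= LARGE_BREACH)
        if media_states:
            obligations["media"] = {
                "states": media_states,
                "deadline": discovered + NOTICE_WINDOW,
            }
    else:
        # Smaller breaches go into the annual log reported to HHS.
        year_end = date(discovered.year, 12, 31)
        obligations["hhs_annual_log"] = year_end + NOTICE_WINDOW
    return obligations

# Constructed sample incidents.
LARGE_INCIDENT = (["NY"] * 550 + ["NJ"] * 50, date(2024, 3, 1))
SMALL_INCIDENT = (["CA"] * 120, date(2024, 11, 15))

if __name__ == "__main__":
    print(notification_obligations(*LARGE_INCIDENT))
    print(notification_obligations(*SMALL_INCIDENT))
```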
Penalties for Violations
HIPAA violations carry civil penalties organized into four tiers based on the level of fault. If an organization didn’t know about the violation and couldn’t have reasonably prevented it, fines range from $100 to $50,000 per violation, with an annual cap of $25,000 for repeat offenses. When there’s reasonable cause but no willful neglect, fines range from $1,000 to $50,000 per violation, capped at $100,000 annually.
The penalties get steeper when negligence is deliberate. Willful neglect that gets corrected in time carries fines of $10,000 to $50,000 per violation, up to $250,000 per year. Willful neglect that goes uncorrected hits the maximum: $50,000 per violation with an annual ceiling of $1.5 million. Criminal penalties, including imprisonment, can apply in the most egregious cases involving intentional theft or sale of health information.
Recent Changes to HIPAA
In April 2024, HHS finalized a new rule specifically strengthening privacy protections around reproductive health care. The 2024 Privacy Rule prevents covered entities from disclosing protected health information about lawful reproductive health care for purposes of investigating or penalizing patients or providers. It also bars organizations from denying someone “personal representative” status (the ability to make healthcare decisions for another person) solely because that person provided or helped facilitate reproductive health care. These changes were designed to address concerns that arose from shifts in the legal landscape around reproductive rights at the state level.