What Is Privacy in Healthcare? Your Rights Explained

Privacy in healthcare is your right to control who sees your personal health information and how it’s used. In the United States, this right is primarily protected by a federal law called HIPAA (the Health Insurance Portability and Accountability Act), which sets rules for hospitals, doctors’ offices, insurance companies, and their business partners. But healthcare privacy extends beyond a single law, covering everything from what your doctor can share about you to how a fitness app handles your heart rate data.

What Counts as Protected Health Information

Healthcare privacy revolves around a category of data called protected health information, or PHI. This is any information that could identify you and relates to your health, treatment, or payment for care. It includes the obvious things like your name, birth date, and Social Security number, but also medical record numbers, health plan IDs, email addresses, IP addresses, biometric data like fingerprints, and even full-face photographs.

The scope is broader than most people realize. Your billing records, lab results, X-rays, insurance claims, clinical notes, and wellness program files all qualify. If a piece of data can be linked back to you and touches your health in any way, it’s protected. This applies whether the information is stored on paper in a filing cabinet, in an electronic records system, or archived offsite.

Your Rights Over Your Own Records

HIPAA gives you a legal, enforceable right to see and get copies of nearly all the health information kept about you. You can request your medical records, billing records, lab results, imaging files, and clinical case notes. You can also direct your provider to send copies to someone else, like another doctor or a family member.

When you make a request, the provider has 30 calendar days to respond, extendable once by another 30 days if they give you a written reason for the delay. They’re required to give you what you asked for, in the form and format you request if it’s readily producible, though they don’t have to create new documents like summaries or explanations that don’t already exist. Two narrow categories are excluded from your access rights: a therapist’s personal psychotherapy notes (kept separate from your main chart) and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding.

You also have the right to request corrections to your records if you spot an error, and to receive an accounting of who your information has been disclosed to. Every healthcare provider and insurance plan must give you a Notice of Privacy Practices, a plain-language document explaining how they use your data and what your rights are. Starting in February 2026, these notices must also specifically address how substance use disorder records are handled.

When Providers Can Share Without Your Permission

Healthcare privacy is not absolute. There are specific situations where providers can, and sometimes must, share your information without asking you first. These exceptions exist because certain public interests outweigh individual privacy in limited circumstances.

Providers can report known or suspected child abuse or neglect to social services or law enforcement. They can notify public health authorities about certain diseases, injuries, births, and deaths to support disease surveillance and outbreak control. If you’ve been exposed to a communicable disease, a provider may be legally authorized to inform you or others at risk. Health information can also be disclosed to the FDA for purposes like tracking adverse drug reactions, enabling product recalls, or conducting safety surveillance.

These exceptions are narrowly defined. A provider can’t simply share your records with anyone who asks. The disclosure has to serve a specific, legally authorized purpose, and only the minimum necessary information should be shared.

How Your Data Is Secured

HIPAA’s Security Rule sets national standards for protecting electronic health information. Healthcare organizations must implement technical safeguards including access controls that limit who can view records, audit controls that record who accessed or modified health data and when, and encryption of information in storage and in transit. Encryption scrambles data so that only someone holding the correct key can read it, which is why a lost or stolen device whose files were properly encrypted is not treated as a reportable breach. The caveat is that encryption only protects data at rest or in flight; it does nothing against an attacker who logs in with a stolen password or an insider who already has legitimate access, which is what the access controls and audit logs are there to catch.
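Audit controls are only useful if someone actually reviews the logs. The following is an added example, not code from the original article or from any EHR vendor, of the kind of check a privacy office runs over an access log: flag views of patients the user has no care-team assignment to and no documented override reason, and flag users touching an unusual number of distinct charts. The log format, the field names (`user`, `patient_id`, `action`, `reason`), the care-team table, and the log lines themselves are all constructed for this illustration.

```python
"""Review an EHR access audit log for accesses lacking a treatment relationship.

Added example for illustration only. The JSON-lines format, the field names and
the care-team assignments are assumptions; real systems will differ.
"""
import json
from collections import defaultdict

# Constructed audit records, one JSON object per line.
AUDIT_LOG = """\
{"ts": "2025-03-01T08:02:11Z", "user": "rn.alvarez", "patient_id": "P1001", "action": "view", "reason": ""}
{"ts": "2025-03-01T08:05:40Z", "user": "rn.alvarez", "patient_id": "P1002", "action": "view", "reason": ""}
{"ts": "2025-03-01T09:15:03Z", "user": "md.chen", "patient_id": "P1001", "action": "modify", "reason": ""}
{"ts": "2025-03-01T12:47:19Z", "user": "clerk.smith", "patient_id": "P1003", "action": "view", "reason": ""}
{"ts": "2025-03-01T12:48:02Z", "user": "clerk.smith", "patient_id": "P1004", "action": "view", "reason": ""}
{"ts": "2025-03-01T12:48:50Z", "user": "clerk.smith", "patient_id": "P1005", "action": "view", "reason": ""}
{"ts": "2025-03-01T22:30:00Z", "user": "md.chen", "patient_id": "P1009", "action": "view", "reason": "break-glass: ED consult"}
"""

# Constructed care-team table: which users have a treatment or payment
# relationship with which patients. Access outside this table needs a reason.
CARE_TEAM = {
    "rn.alvarez": {"P1001", "P1002"},
    "md.chen": {"P1001"},
    "clerk.smith": {"P1003"},
}


def parse_log(text):
    """Parse JSON-lines audit text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_unjustified(events, care_team):
    """Events where the user is not assigned to the patient and gave no reason."""
    flagged = []
    for ev in events:
        assigned = ev["patient_id"] in care_team.get(ev["user"], set())
        if not assigned and not ev["reason"]:
            flagged.append(ev)
    return flagged


def distinct_patients_per_user(events):
    """Number of distinct charts each user touched in the log window."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["user"]].add(ev["patient_id"])
    return {user: len(patients) for user, patients in seen.items()}


def review(text=AUDIT_LOG, care_team=CARE_TEAM, volume_threshold=3):
    """Return the findings a reviewer would look at: unjustified accesses,
    documented break-the-glass overrides (which still need a follow-up check),
    and users at or above the distinct-patient volume threshold."""
    events = parse_log(text)
    unjustified = find_unjustified(events, care_team)
    volumes = distinct_patients_per_user(events)
    return {
        "unjustified": [(e["user"], e["patient_id"]) for e in unjustified],
        "break_glass": [(e["user"], e["patient_id"]) for e in events
                        if e["reason"].startswith("break-glass")],
        "high_volume_users": sorted(u for u, n in volumes.items()
                                    if n >= volume_threshold),
    }


if __name__ == "__main__":
    for finding, items in review().items():
        print(f"{finding}: {items}")
```

In the constructed log, `clerk.smith` opens two charts with no assignment and no reason, which is exactly the insider-snooping pattern the audit requirement exists to surface; the emergency override by `md.chen` is not flagged as unjustified but is listed separately so the stated reason can be verified afterwards.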

Despite these requirements, healthcare is one of the most targeted industries for cyberattacks. In 2024, healthcare organizations filed 592 reports of hacking incidents with the federal government, affecting a record 259 million Americans. The bulk of that number came from a single ransomware attack on Change Healthcare, a company that processes medical claims, which compromised records for 190 million people. These numbers highlight a difficult reality: even with legal protections in place, digital health data remains a high-value target.

What HIPAA Doesn’t Cover

One of the biggest gaps in healthcare privacy is that HIPAA only applies to traditional healthcare entities: hospitals, doctors, insurance plans, healthcare clearinghouses, and the business associates they contract with to handle data. It does not cover the growing universe of health-related apps and consumer devices. Your fitness tracker, diet app, connected blood pressure cuff, and mental health chatbot likely collect sensitive health information but, unless they are offered by or on behalf of a covered entity, operate entirely outside HIPAA’s reach.

The Federal Trade Commission partially fills this gap. The FTC enforces its Health Breach Notification Rule, which requires companies not covered by HIPAA to notify consumers, the FTC, and in some cases the media if there’s a breach of identifiable health data. Amendments that took effect in July 2024 clarified that makers of health apps, wearable devices, and similar products must comply. For example, a fitness app that collects your height, weight, and heart rate, even if it just syncs with a wearable tracker, is considered a vendor of personal health records under this rule.

Still, the protections for app-collected health data are thinner than what HIPAA provides. These companies must avoid deceptive practices and report breaches, but they face fewer restrictions on how they use or share your data day to day. Reading a health app’s privacy policy before entering personal information is one of the few practical defenses available.

Penalties for Violating Healthcare Privacy

HIPAA violations carry civil financial penalties that scale with the level of culpability. There are four tiers, with caps applied per identical provision per calendar year. The base amounts below are adjusted annually for inflation, so the figures actually assessed are higher:

  • Unknowing violations (the organization did not know and could not reasonably have known) carry fines of $100 to $50,000 per violation, with an annual cap of $25,000.
  • Reasonable cause (the organization should have known but did not act with willful neglect) ranges from $1,000 to $50,000 per violation, capped at $100,000 annually.
  • Willful neglect, corrected within 30 days starts at $10,000 per violation, with an annual maximum of $250,000.
  • Willful neglect, not corrected carries at least $50,000 per violation and an annual cap of $1.5 million.

The HHS Office for Civil Rights investigates complaints and conducts compliance reviews. Penalties can be financial, but serious cases can also result in criminal charges, particularly when employees deliberately access or sell patient information.

De-Identification: When Health Data Loses Its Protection

There is a legal pathway for using health data without privacy restrictions: stripping it of anything that could identify a specific person. HIPAA recognizes two methods for this. The “Safe Harbor” method requires removing 18 categories of identifiers, including names, all elements of dates except the year (and any age over 89, which must be aggregated into a single “90 or older” category), phone numbers, email addresses, Social Security numbers, medical record numbers, photos, and all but the first three digits of a ZIP code, which must also be removed when the area covered by those three digits has 20,000 or fewer residents. The “Expert Determination” method allows a person with appropriate statistical and scientific expertise to certify, and document, that the risk of re-identification is very small.

Once data is properly de-identified, it’s no longer considered protected health information and can be used freely for research, analytics, or product development. This process is how large datasets power medical studies and, increasingly, health-related artificial intelligence tools without technically violating privacy rules. The concern is that Safe Harbor leaves quasi-identifiers in place, such as birth year, sex, and three-digit ZIP code, and as data science advances, linking a de-identified dataset with other sources that carry the same fields could make it possible to re-identify individuals, a risk that current regulations were not designed to fully address.
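To make both points above concrete, the Safe Harbor generalization rules and the residual linkage risk, here is an added example that is not code from the original article or from HHS. It applies the Safe Harbor transformations to a small constructed patient table (drop direct identifiers, keep only the year of dates, truncate ZIP codes to three digits, aggregate ages over 89) and then counts how many records share each remaining (birth year, ZIP3, sex) combination. The patient records are constructed, the reference date for computing age is an assumption, and `RESTRICTED_ZIP3` is a placeholder set, not the real list, which must be derived from current Census population data.

```python
"""Safe Harbor de-identification of a constructed patient table, followed by a
count of records per quasi-identifier combination (a k-anonymity check).

Added example for illustration only; records, reference date and the restricted
ZIP prefix set are assumptions.
"""
from collections import Counter
from datetime import date

# Direct identifiers removed outright (a subset of the 18 Safe Harbor categories).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "email", "phone", "ip"}

# Three-digit ZIP prefixes covering 20,000 or fewer people must become "000".
# PLACEHOLDER set for illustration; populate from current Census figures.
RESTRICTED_ZIP3 = {"036", "059"}

REFERENCE_DATE = date(2025, 1, 1)  # assumed as-of date for computing age

# Constructed records with obviously fake identifiers.
RAW = [
    {"name": "Ana Ruiz", "ssn": "000-00-0001", "mrn": "M1", "dob": date(1985, 4, 12),
     "zip": "02139", "sex": "F", "admit_date": date(2024, 7, 3), "dx": "J45"},
    {"name": "Bea Wong", "ssn": "000-00-0002", "mrn": "M2", "dob": date(1985, 11, 2),
     "zip": "02140", "sex": "F", "admit_date": date(2024, 9, 15), "dx": "E11"},
    {"name": "Carl Odum", "ssn": "000-00-0003", "mrn": "M3", "dob": date(1972, 6, 30),
     "zip": "03601", "sex": "M", "admit_date": date(2024, 1, 20), "dx": "I10"},
    {"name": "Dot Evans", "ssn": "000-00-0004", "mrn": "M4", "dob": date(1930, 2, 1),
     "zip": "10001", "sex": "F", "admit_date": date(2024, 3, 9), "dx": "M17"},
]


def generalize_zip(zip_code):
    """Keep the first three digits unless that prefix is population-restricted."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(dob, asof=REFERENCE_DATE):
    """Ages over 89 are aggregated into a single '90+' category."""
    age = asof.year - dob.year - ((asof.month, asof.day) < (dob.month, dob.day))
    return "90+" if age > 89 else age


def deidentify(record):
    """Apply the Safe Harbor rules to one record and return a new dict."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    dob = out.pop("dob")
    out["age"] = generalize_age(dob)
    # Dates keep only the year, except a birth year that would reveal age > 89.
    out["birth_year"] = None if out["age"] == "90+" else dob.year
    if "admit_date" in out:
        out["admit_year"] = out.pop("admit_date").year
    out["zip3"] = generalize_zip(out.pop("zip"))
    return out


def equivalence_classes(records, quasi_ids=("birth_year", "zip3", "sex")):
    """Count records per quasi-identifier tuple. A class of size 1 is a row that
    an external dataset carrying the same fields could single out."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def singletons(records):
    """Number of records that are unique on the quasi-identifiers (k = 1)."""
    return sum(1 for n in equivalence_classes(records).values() if n == 1)


if __name__ == "__main__":
    clean = [deidentify(r) for r in RAW]
    for row in clean:
        print(row)
    print("classes:", dict(equivalence_classes(clean)))
    print("unique rows:", singletons(clean))
```

Two of the four de-identified rows are unique on (birth year, ZIP3, sex) even though every Safe Harbor rule was followed, which is the gap the last paragraph describes: the data is no longer PHI under HIPAA, yet a voter roll or marketing file with the same three fields would pin those rows to individuals.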