What Law Regulates Electronic Health Records?

No single law regulates electronic health records (EHRs) in the United States. Instead, a framework of federal laws works together: HIPAA sets the privacy and security baseline, the HITECH Act accelerated EHR adoption and toughened enforcement, and the 21st Century Cures Act requires health data to flow freely between systems. State laws add additional protections on top of these federal requirements. Here’s how each piece fits together.

HIPAA: The Privacy and Security Foundation

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the law most people associate with health record protection, and for good reason. Its two core components, the Privacy Rule and the Security Rule, establish the national floor for how electronic protected health information (ePHI) must be handled.

The Privacy Rule governs who can access, use, and share your individually identifiable health information. It introduced the “minimum necessary” standard, meaning healthcare organizations should only access the specific data needed for a given task, not your entire record. The Security Rule complements this by requiring organizations to put administrative, physical, and technical safeguards in place to keep ePHI confidential, intact, and available when authorized users need it. In practical terms, that means things like access controls, encryption, audit logs, and workforce training.

HIPAA applies to “covered entities” (health plans, healthcare providers who transmit data electronically, and healthcare clearinghouses) and their “business associates,” which includes any vendor or contractor that handles health data on their behalf. If a cloud storage company hosts a hospital’s patient records, for example, that company is bound by HIPAA’s rules too.

The HITECH Act: Stronger Enforcement and EHR Incentives

Signed into law on February 17, 2009, as part of the American Recovery and Reinvestment Act, the Health Information Technology for Economic and Clinical Health (HITECH) Act had two major goals: push healthcare providers to actually adopt EHR systems, and give HIPAA real teeth.

On the adoption side, HITECH created financial incentives for providers who demonstrated “meaningful use” of certified EHR technology. This program (later renamed “Promoting Interoperability”) is a big reason why the vast majority of hospitals and physician offices now use electronic records rather than paper charts.

On the enforcement side, HITECH dramatically increased penalties for HIPAA violations. It established four tiers of penalties based on the level of negligence involved, with a maximum of $1.5 million per violation category per year. Before HITECH, organizations that didn’t know about a violation and couldn’t reasonably have known faced no penalty at all. That changed: even unknowing violations now carry fines under the lowest penalty tier. The only safe harbor is if you correct the violation within 30 days and it wasn’t caused by willful neglect.

HITECH also created the Breach Notification Rule, which requires covered entities to notify affected individuals promptly after discovering a data breach. When a breach affects more than 500 people, the organization must also notify the HHS Secretary and the media. Smaller breaches are reported to HHS on an annual basis.

The 21st Century Cures Act: Ending Information Blocking

Passed in 2016, the 21st Century Cures Act tackled a different problem. Even though most providers had adopted EHRs, many systems couldn’t (or wouldn’t) share data with each other. Patients struggled to get their own records, and providers couldn’t easily send information to other clinicians involved in a patient’s care.

The law’s most significant provision for EHRs is its information blocking rule. Information blocking is any practice by a healthcare provider, health IT developer, or health information network that is likely to interfere with the access, exchange, or use of electronic health information. In plain terms: if a hospital or software vendor makes it unnecessarily difficult for you to get your records, or for another provider to receive them, that’s a violation.

There are limited exceptions. A provider can restrict data sharing if fulfilling the request would pose a security risk or if the request is genuinely infeasible, and a provider may charge a fee for access, though that fee cannot be based on the revenue the requester might earn from the data. When a provider can’t fulfill a data request in the specific format requested, they’re still required to provide it in an alternative way.

ONC Certification and Technical Standards

The 21st Century Cures Act also strengthened the role of the Office of the National Coordinator for Health Information Technology (ONC), which runs the Health IT Certification Program. Any EHR system used to meet federal program requirements must be “certified,” meaning it has been tested and meets specific standards for functionality, security, and interoperability.

Two key frameworks support this. The United States Core Data for Interoperability (USCDI) defines a standardized set of health data categories and elements that certified systems must be able to exchange. Think of it as a common language so that when one system sends a patient’s medication list or lab results to another, both systems understand the format. The Trusted Exchange Framework and Common Agreement (TEFCA) goes further by establishing a nationwide infrastructure for sharing health information across organizational and network boundaries, removing the need for individual data-sharing agreements between every pair of organizations.

On the patient-facing side, CMS requires that Medicare Advantage organizations, Medicaid and CHIP programs, Medicaid managed care plans, and qualified health plans on federal exchanges make claims, encounter data, and clinical data (including lab results) available to patients through standardized APIs. These APIs use a technical standard called FHIR (Fast Healthcare Interoperability Resources), which allows third-party apps to pull your health data with your permission, similar to how a banking app connects to your bank account.

Your Right to Access Your Own Records

Under HIPAA’s Privacy Rule, you have the right to obtain copies of your health records in electronic form. Providers generally must respond within 30 days. They can charge you for the cost of producing copies, but the fees are limited. Organizations that don’t want to calculate their actual per-page costs can charge a flat fee of up to $6.50 for an electronic copy. That $6.50 figure is an option for simplicity, not a universal cap. Some entities calculate their actual costs instead, but either way, the fees must be reasonable and cost-based.

The 21st Century Cures Act reinforced this right by making it illegal for providers or their EHR vendors to create unnecessary barriers to your access. If your doctor’s office tells you they can’t export your records electronically, or charges exorbitant fees, that could constitute information blocking.

How State Laws Layer On Top

HIPAA sets a federal floor, not a ceiling. State laws that provide stronger privacy protections than HIPAA remain in effect. For example, if a state law gives patients more rights over their mental health records or restricts sharing of substance abuse treatment data more tightly than HIPAA does, healthcare organizations in that state must follow the stricter standard.

A state law is only preempted (overridden) by HIPAA when it directly conflicts with the federal rule and does not offer greater privacy protection. Even then, exceptions exist for state laws related to public health reporting, disease surveillance, child abuse reporting, and controlled substance regulation. Several states, including California, Washington, and New York, have enacted health privacy statutes that go well beyond HIPAA in specific areas, so the regulatory landscape you face depends partly on where you live and receive care.

In practice, this means healthcare organizations operating in multiple states often need to comply with a patchwork of requirements, following whichever rule (federal or state) provides you with the strongest protection in any given situation.