What Regulation Has Come to Govern Patient Privacy?

The Health Insurance Portability and Accountability Act, known as HIPAA, is the primary regulation governing patient privacy in the United States. HIPAA was signed into law in 1996, and its Privacy Rule created the first national standard for protecting medical records and personally identifiable health information. But HIPAA is not the only regulation in play. A growing patchwork of federal, state, and international laws now shapes how patient data is collected, shared, and secured.

What HIPAA Actually Requires

The HIPAA Privacy Rule applies to three types of organizations: health plans, health care clearinghouses, and health care providers that conduct certain transactions electronically. These are called “covered entities.” The rule protects what’s legally defined as “protected health information,” or PHI, which includes any individually identifiable data in a medical record, billing statement, lab result, or insurance claim.

Covered entities must put safeguards in place to protect PHI and can only use or share it under specific conditions. Without your written authorization, a hospital or insurer can generally share your information only for treatment, payment, or health care operations, along with a limited set of other purposes like public health reporting. The rule also gives you concrete rights: you can request a copy of your medical records, ask for corrections to inaccurate information, and direct a provider to send an electronic copy of your records to a third party.

A separate but related piece of HIPAA, the Security Rule, specifically targets electronic health information. It requires covered entities to maintain three categories of protection: administrative safeguards (like staff training and access policies), physical safeguards (like locked server rooms), and technical safeguards (like encryption and audit controls).

Substance Use Records Get Extra Protection

Federal law has long treated substance use disorder records as more sensitive than other medical information. A regulation known as 42 CFR Part 2 prohibits treatment programs from sharing any information that could identify a person as having, or having had, a substance use disorder, unless the patient provides written consent or a court order compels disclosure. Even then, those records cannot be used in legal proceedings against the patient without their consent.

For years, these stricter rules created friction in care settings where doctors needed a complete picture of a patient’s health. The 2020 CARES Act began aligning Part 2 more closely with HIPAA, allowing patients to sign a single consent form covering all future uses of their records for treatment, payment, and health care operations. A 2024 final rule completed those changes, adding breach notification requirements and civil and criminal penalties for violations. Full compliance was required by February 2026.

Reproductive Health Privacy After Dobbs

In response to changing state abortion laws, HHS finalized a new HIPAA rule strengthening privacy protections around reproductive health care. The rule prohibits covered entities from disclosing protected health information for the purpose of investigating or penalizing someone for seeking, obtaining, providing, or facilitating reproductive health care that was lawful where it was provided.

When a covered entity receives a request for records that could relate to reproductive health care, such as requests from law enforcement, courts, or oversight agencies, it must now obtain a signed attestation stating that the information will not be used for a prohibited purpose. The rule also presumes that reproductive health care provided by someone other than the entity receiving the request was lawful. Providers and health plans must update their privacy notices to reflect these changes.

Your Right to Access Your Own Data

The 21st Century Cures Act, passed in 2016 with key provisions taking effect in 2021, tackled a persistent problem: health care organizations blocking or delaying patients’ access to their own electronic health information. The law defines “information blocking” as any practice likely to interfere with the access, exchange, or use of electronic health information, and it applies to health care providers, health IT developers, and health information networks.

In practical terms, your doctor’s office or hospital system cannot refuse to share your records electronically simply because it’s inconvenient, or because they’d prefer you stay within their network. When fulfilling a request, providers must deliver the information in whatever format you ask for. If they’re technically unable to do so, they must offer alternatives in a specific priority order, starting with certified health IT standards and working down to other machine-readable formats. Penalties apply to organizations that violate these requirements.

Health Apps and Wearables: A Regulatory Gap

HIPAA only covers specific types of organizations. The fitness tracker on your wrist, the period-tracking app on your phone, and the mental health chatbot you use at night are typically not covered entities. That means the health data they collect falls outside HIPAA’s reach entirely.

The Federal Trade Commission partially fills this gap through the Health Breach Notification Rule, which requires vendors of personal health records and connected device companies to notify consumers if their unsecured health information is breached. The FTC issued a public warning in 2021 that health apps and connected device companies must comply with this rule, signaling more active enforcement.

At the state level, the California Consumer Privacy Act (CCPA) classifies health information as “sensitive personal information” alongside genetic data, biometric identifiers, and geolocation. Under the CCPA, you can direct businesses to limit how they use and disclose your sensitive data. However, the CCPA explicitly exempts medical information already governed by other California health privacy statutes, creating a layered system where different rules apply depending on who holds the data and how they collected it.

How Data Gets Used for Research

HIPAA does not block medical research, but it draws a clear line around identifiable information. The Privacy Rule defines a “Safe Harbor” method of de-identification that requires stripping 18 specific identifiers from health data before it can be used freely. These include names, phone numbers, email addresses, Social Security numbers, medical record numbers, and dates more specific than the year (with all ages over 89 collapsed into a single “90 or older” category). All geographic subdivisions smaller than a state must be removed, with a limited exception: the first three digits of a ZIP code may be kept where the area sharing those digits has a population over 20,000. Even full-face photographs, biometric identifiers like fingerprints, and device serial numbers must be removed.

Once data has been properly de-identified, it is no longer considered protected health information and can be shared without restriction. This framework allows large-scale research on health trends while maintaining individual privacy, though critics note that combining de-identified datasets can sometimes allow re-identification.
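The Safe Harbor rules above are mechanical enough to show in code. The following is an added example written for this page, not code from HHS or any library: it drops the direct identifiers, reduces dates to the year, collapses ages over 89 (including a birth year that would reveal such an age, as the rule requires), keeps only a 3-digit ZIP prefix and replaces it with "000" where the area has 20,000 people or fewer (also from the rule's text), and scrubs a few identifier patterns from free-text notes. The population table, the sample record, and the free-text patterns are constructed for the example; a real implementation would use Census figures for the ZIP areas and a far more thorough free-text review.

```python
"""Safe Harbor style de-identification of a single patient record (illustrative)."""
import re
from datetime import date

# Direct identifiers that Safe Harbor removes outright (a subset of the 18).
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn", "device_serial",
                      "photo", "fingerprint"}

# Constructed lookup, NOT Census data: population of the area formed by all ZIP
# codes sharing a 3-digit prefix. The prefix may be kept only where that area has
# more than 20,000 people; otherwise it becomes "000".
ZIP3_POPULATION = {"021": 1_500_000, "036": 15_000, "594": 20_000}

# Assumed patterns for identifiers that commonly leak through narrative fields.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
]

# Constructed sample record and reference date used by deidentify_sample().
REFERENCE_DATE = date(2025, 1, 1)
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "mrn": "MRN-000123",
    "dob": date(1933, 6, 15),
    "age": 91,
    "zip": "03601",
    "admitted": date(2024, 11, 2),
    "diagnosis": "Hypertension",
    "notes": "Daughter reachable at 555-123-4567 or jane.kin@example.com.",
}


def generalize_zip(zip_code: str) -> str:
    """Keep only the 3-digit prefix, and only when its area exceeds 20,000 people."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def age_on(dob: date, reference: date) -> int:
    """Age in whole years on the reference date."""
    birthday_passed = (reference.month, reference.day) >= (dob.month, dob.day)
    return reference.year - dob.year - (0 if birthday_passed else 1)


def scrub_free_text(text: str) -> str:
    """Replace SSN, phone and e-mail patterns in narrative text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, reference: date) -> dict:
    """Apply the Safe Harbor generalisations and return a new record."""
    out = {}
    over_89 = "dob" in record and age_on(record["dob"], reference) > 89
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                        # dropped entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "dob":
            # Year only, unless that year would itself reveal an age over 89.
            out[key] = "90 or older" if over_89 else str(value.year)
        elif isinstance(value, date):
            out[key] = str(value.year)      # admission/discharge dates: year only
        elif key == "age":
            out[key] = "90 or older" if value > 89 else str(value)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Post-check: list identifier fields or patterns still present in a record."""
    found = [k for k in record if k in DIRECT_IDENTIFIERS]
    for key, value in record.items():
        if isinstance(value, str):
            for pattern, label in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    found.append(f"{key}:{label}")
    return found


def deidentify_sample() -> dict:
    """Run the sample record through de-identification."""
    return deidentify(SAMPLE_RECORD, REFERENCE_DATE)


if __name__ == "__main__":
    cleaned = deidentify_sample()
    print(cleaned)
    print("residual:", residual_identifiers(cleaned))
```

The post-check matters in practice: removing the 18 listed fields says nothing about identifiers that clinicians typed into notes, and the check only catches the handful of formats it knows about. It also does nothing about the linkage risk raised above, where a de-identified dataset is combined with another source; Safe Harbor addresses direct identifiers, not that.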

International Standards: The GDPR Approach

Outside the United States, the European Union’s General Data Protection Regulation (GDPR) takes a broader approach to health data privacy. Under Article 9, health data is classified as a “special category” of personal data alongside genetic information, biometric data, and information about a person’s sex life or sexual orientation. Processing any of this data is prohibited by default.

Exceptions exist, but they’re narrow. Processing is permitted when the individual gives explicit consent, when it’s necessary to protect someone’s vital interests (and the person cannot consent), or when it’s required for employment, social security, or public health obligations under EU or member state law. Individual EU countries can impose additional restrictions on genetic, biometric, or health data beyond what the GDPR requires. This opt-in framework contrasts with the U.S. model, where HIPAA primarily regulates specific types of organizations rather than specific types of data.