The primary federal standard protecting the privacy of healthcare records is the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA. Its Privacy Rule, Security Rule, and Breach Notification Rule form the core framework. Several additional federal laws expand on these protections for specific situations, including the HITECH Act, 42 CFR Part 2 for substance use disorder records, and a 2024 rule shielding reproductive health information.
The HIPAA Privacy Rule
The Privacy Rule is the foundation of federal health record protection. It covers all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form: electronic, paper, or oral. This protected health information (PHI) includes anything that relates to a person’s past, present, or future physical or mental health, the care they received, or payment for that care, as long as it identifies the person or could reasonably be used to identify them. Demographic data like name, address, and date of birth fall under this umbrella.
The rule applies to three categories of organizations, called “covered entities”: health care providers (doctors, hospitals, pharmacies, labs), health plans (insurance companies, HMOs, government programs like Medicare), and health care clearinghouses that process health data. Any outside company these entities hire to handle PHI on their behalf, known as a business associate, must also follow the rules through a written contract.
Under the Privacy Rule, covered entities can use or share your health information without your permission only in limited circumstances. The most common are treatment, payment, and health care operations. Beyond that, disclosures are permitted for specific public interest purposes like reporting communicable diseases, tracking adverse reactions to FDA-regulated products, and reporting suspected child abuse to authorized government agencies. Outside these defined exceptions, sharing your records requires your written authorization.
Your Rights Under the Privacy Rule
The Privacy Rule gives you a legal right to access your own health records. When you request copies, your provider must respond within 30 calendar days. If the records are archived or otherwise hard to retrieve, the provider can extend that deadline by one additional 30-day period, but only if they notify you in writing with the reason for the delay and a specific date you can expect the records. Only one extension is allowed per request.
You also have the right to request corrections to your records, to receive an accounting of the parties to whom your information has been disclosed, and to ask that certain communications be handled confidentially (for example, sending correspondence to a specific address). Every covered entity must provide you with a notice of privacy practices explaining how your information may be used.
The HIPAA Security Rule
While the Privacy Rule sets boundaries on who can see your information and when, the Security Rule dictates how electronic protected health information (ePHI) must be protected from a technical standpoint. It requires three categories of safeguards.
Administrative safeguards require organizations to conduct thorough risk assessments, implement security policies, control which employees can access records, and train all staff on those policies. Physical safeguards govern who can physically enter the facilities and server rooms where records are stored, plus how hardware and storage devices containing health data are tracked, wiped, and disposed of. Technical safeguards mandate access controls so only authorized users can reach ePHI, identity verification procedures, and encryption or other security measures for data transmitted over networks.
The Breach Notification Rule
When a covered entity discovers that PHI has been exposed or improperly accessed, federal law requires specific notifications based on the size of the breach. If a breach affects 500 or more people in a single state or jurisdiction, the entity must notify all affected individuals, report to the HHS Secretary, and alert prominent local media outlets, all within 60 days of discovering the breach. For breaches affecting fewer than 500 individuals, the entity must still notify affected people within 60 days but can report to HHS annually, with a deadline of 60 days after the end of the calendar year.
The HITECH Act
Enacted in 2009 as part of the American Recovery and Reinvestment Act, the Health Information Technology for Economic and Clinical Health (HITECH) Act significantly strengthened HIPAA. Its most important change was extending direct legal liability to business associates. Before HITECH, if a billing company or cloud storage provider mishandled your records, only the hospital or insurer that hired them faced consequences. HITECH made those third-party companies independently responsible for complying with the Privacy and Security Rules, and expanded enforcement provisions to back that up.
Substance Use Disorder Records: 42 CFR Part 2
Federal law provides an extra layer of privacy for people receiving treatment for substance use disorders. Known as “Part 2” (42 CFR Part 2), this standard applies to any federally assisted program that diagnoses, treats, or refers people for substance use treatment. The core principle is straightforward: no information that could identify someone as having a substance use disorder can be shared unless the patient gives written consent or a court issues an order and subpoena. Even in a lawsuit, Part 2 records cannot be used against the patient without their consent or a court order.
The CARES Act of 2020 brought Part 2 closer to HIPAA by allowing patients to sign a single consent form covering all future uses of their records for treatment, payment, and health care operations. Once a HIPAA-covered entity receives a Part 2 record with that consent, it can re-share the record in any way HIPAA normally allows, with one critical exception: the information still cannot be used in legal proceedings against the patient.
Reproductive Health Privacy Protections
A 2024 final rule added new protections specifically for reproductive health care information. It prohibits covered entities and their business associates from disclosing PHI to support criminal, civil, or administrative investigations into any person for seeking, obtaining, providing, or facilitating reproductive health care that was lawful where it was provided. The rule also bars disclosing records to identify someone for the purpose of such an investigation.
To enforce this, the rule requires that when a covered entity receives a request for PHI that could relate to reproductive health care for purposes like law enforcement, judicial proceedings, or health oversight activities, the requesting party must sign an attestation confirming the request is not for a prohibited purpose. The rule includes a presumption that reproductive health care provided by someone other than the entity receiving the request was lawful.
Penalties for Violations
The Office for Civil Rights (OCR) at HHS enforces HIPAA, and penalties scale based on the level of fault. For 2024, the tiers break down as follows. If an organization didn’t know about the violation and couldn’t have reasonably known, penalties start at $141 per violation, with an annual cap of roughly $2.13 million. When a violation results from reasonable cause rather than neglect, the minimum rises to $1,424 per violation with the same annual cap. Willful neglect that gets corrected within 30 days starts at $14,232 per violation. The steepest penalties apply to willful neglect that goes uncorrected: a minimum of $71,162 per violation, with an annual cap of about $2.13 million. In severe cases, criminal penalties including imprisonment can also apply.
What HIPAA Does Not Cover
One common misunderstanding is that HIPAA protects all health-related data. It does not. HIPAA only applies to covered entities and their business associates. Health data collected by fitness apps, wearable devices, social media platforms, or direct-to-consumer genetic testing companies typically falls outside HIPAA’s reach unless those companies are acting as business associates of a covered entity. Similarly, information you voluntarily share, such as posting about a diagnosis on social media, is not protected. Employers who obtain health information outside of their role as a health plan sponsor are also generally not bound by HIPAA.

