Sharing someone’s medical information is illegal in specific circumstances, but the answer depends heavily on *who* is doing the sharing. Federal law restricts healthcare providers, insurance companies, and their contractors from disclosing your health information without authorization. Private individuals, like a coworker or family member, are generally not bound by the same federal rules, though other laws may still apply.
Who Is Legally Required to Protect Your Medical Info
The main federal law governing medical privacy is HIPAA (the Health Insurance Portability and Accountability Act), and it only applies to what the law calls “covered entities.” These include doctors, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, pharmacies, health insurance companies, HMOs, employer-sponsored health plans, and government programs like Medicare and Medicaid. Healthcare providers are covered as long as they transmit information electronically for billing or other standard transactions, which nearly all do.
HIPAA also extends to “business associates,” meaning outside companies and contractors that handle health data on behalf of covered entities. Think billing services, IT vendors managing electronic health records, or a shredding company that destroys old patient files. These companies are legally required to follow parts of the same privacy rules.
If a covered entity or business associate shares your health information without your consent and outside the allowed exceptions, that is a federal violation with real penalties.
What HIPAA Does Not Cover
Here’s the part that surprises most people: HIPAA does not apply to private individuals. If your neighbor, coworker, friend, or even a family member shares your medical information with others, HIPAA has nothing to say about it. There is no federal law that broadly makes it illegal for one private person to tell another person about your health condition.
That said, just because HIPAA doesn’t apply doesn’t mean there are zero consequences. If someone shares your private health information in a way that causes harm, you may have grounds for a civil lawsuit depending on your state’s privacy or defamation laws. And certain relationships carry their own legal obligations, particularly in the workplace.
Medical Privacy at Work
Employers are not HIPAA-covered entities in most cases, but several other federal laws restrict how they handle your health information. Under the Americans with Disabilities Act (ADA), any medical information your employer collects must be stored in confidential files separate from your regular personnel records. Access is limited: supervisors can be told about necessary work restrictions or accommodations, first aid personnel can be informed if your condition might require emergency treatment, and government officials can request records during a compliance investigation. Beyond that, your medical details should stay locked down.
The Family and Medical Leave Act (FMLA) adds another layer. Medical certifications and any records related to your or your family member’s health that were created for FMLA purposes must be maintained as confidential medical records, again kept separate from standard personnel files. If genetic information is involved, even stricter rules under the Genetic Information Nondiscrimination Act (GINA) apply.
So while your boss isn’t bound by HIPAA, sharing your medical details around the office could violate the ADA, FMLA, or GINA, all of which carry legal consequences.
Health Apps and Wearable Devices
Fitness trackers, period-tracking apps, mental health apps, and similar tools collect deeply personal health data, but most of them are not covered by HIPAA because they aren’t healthcare providers or insurers. The Federal Trade Commission (FTC) fills part of this gap. If a health app makes privacy promises, whether explicit or implied, the FTC requires the company to honor those claims. Even without specific promises, companies are obligated to maintain security appropriate to the sensitivity of the data they hold.
If a health app experiences a data breach, the FTC’s Health Breach Notification Rule may kick in, requiring the company to notify every affected user, notify the FTC, and in some cases notify the media. This rule specifically targets vendors of personal health records that fall outside HIPAA’s reach.
State Laws Can Be Stricter
Several states have medical privacy laws that go further than federal protections. California’s Confidentiality of Medical Information Act (CMIA) is one of the best known. It prohibits healthcare providers, health plans, and contractors from disclosing medical information without first obtaining an authorization. It also restricts recipients of that information from further sharing it in ways that would violate either the state law or federal regulations.
Other states have their own versions of medical privacy statutes, some covering categories of information (like HIV status, mental health records, or substance abuse treatment) with extra protections. The key takeaway: even if something isn’t a HIPAA violation, it may violate your state’s privacy laws. The specifics depend on where you live and what kind of information was shared.
When Medical Information Can Be Shared Without Consent
HIPAA does allow covered entities to share health information without your authorization in certain situations. These exceptions exist for public safety and legal purposes:
- Imminent threats: A provider can disclose information to someone reasonably able to prevent or reduce a serious and imminent threat to a person or the public.
- Mandatory reporting: Some disclosures are required by law, such as reporting gunshot wounds, stab wounds, or suspected child abuse.
- Law enforcement requests: Providers can respond to court orders, warrants, and certain administrative requests. For general law enforcement inquiries like locating a suspect or missing person, only basic demographic and health information can be shared.
- Crime on the premises: If a provider believes in good faith that a crime occurred at their facility, they can report it.
- Suspicious deaths: When there’s reason to suspect a death resulted from criminal conduct, a provider can alert law enforcement.
- Crime victims: Information about an adult victim can be shared if the victim agrees, or in limited cases if they’re unable to agree. Child abuse or neglect can be reported without a parent’s agreement.
These exceptions are narrowly defined. A provider can’t hand over your full medical history just because law enforcement asks. The information shared must be relevant, specific, and limited in scope.
What Consent Actually Looks Like
When a healthcare provider does need your permission to share medical records, a valid authorization form must include several specific elements: a meaningful description of what information will be disclosed, who is authorized to make the disclosure, who will receive it, the purpose of the disclosure, an expiration date or event, and your signature with the date. A vague, open-ended form that doesn’t specify what’s being shared or to whom doesn’t meet the legal standard.
You also have the right to revoke your authorization at any time, though that won’t undo disclosures that already happened while the authorization was active.
Penalties for Illegal Disclosure
HIPAA violations carry civil penalties on a tiered system based on the level of negligence. Unknowing violations start at $100 per incident, while violations due to willful neglect that go uncorrected can reach $50,000 per violation with an annual maximum of $1.5 million for repeat offenses. These fines add up quickly when a breach affects thousands of patients.
Criminal penalties apply when someone knowingly obtains or discloses identifiable health information. The baseline is a fine of up to $50,000 and up to one year in prison. If the offense involves false pretenses, that jumps to $100,000 and up to five years. The most severe penalties, up to $250,000 and ten years in prison, are reserved for cases where someone intended to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm.
How to Report a Violation
If you believe a healthcare provider, insurer, or their business associate violated your medical privacy rights, you can file a complaint with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services. Complaints can be submitted electronically through the OCR Complaint Portal. Anyone can file, not just the person whose information was disclosed. The OCR also handles complaints about substance use disorder treatment programs that violate confidentiality rules under the federal regulation known as Part 2.
For violations involving employers, complaints typically go to the Equal Employment Opportunity Commission (EEOC) if the ADA was violated, or to the Department of Labor for FMLA-related breaches. State-level violations are handled through your state’s attorney general’s office or the relevant regulatory agency.