Data privacy in healthcare refers to the rules, practices, and rights that govern who can access, share, and use your medical information. It covers everything from the lab results your doctor stores in an electronic record to the heart rate data your fitness tracker collects. In the United States, the primary framework is HIPAA, but a patchwork of other federal and international laws fills in the gaps, especially as health data increasingly lives on apps and devices outside the traditional doctor’s office.
What Counts as Protected Health Information
Protected health information, commonly called PHI, is any data that connects to your identity and relates to your health, treatment, or payment for care. That includes obvious items like diagnoses, prescriptions, and imaging results. But it also includes your name paired with an appointment date, your insurance ID number, or even your IP address if it’s linked to a health record. The scope is deliberately broad: if a piece of data could reasonably be used to figure out who you are and what medical care you received, it qualifies.
PHI can exist in any format. A paper chart in a filing cabinet, a digital record in a hospital’s system, and a voicemail from your pharmacy all carry the same legal protections. This matters because privacy obligations don’t disappear when information moves between formats or between organizations.
How HIPAA’s Two Main Rules Work
HIPAA contains two distinct rules that work together. The Privacy Rule governs disclosure: it sets boundaries on when your health information can be shared and with whom. The core principle is that PHI should not be disclosed without your consent or used against your wishes. There are defined exceptions, such as sharing data between providers for care coordination, reporting certain public health threats, or complying with court orders. But outside those scenarios, a hospital or insurer needs your authorization before passing your records along.
The Security Rule is more technical. It requires healthcare organizations to put tangible safeguards in place to protect digital health information. That means encryption, password policies, access controls, and regular risk assessments. Organizations must identify vulnerabilities in their systems and document plans to address them. Think of the Privacy Rule as the “who and when” of data sharing, and the Security Rule as the “how we keep it safe” behind the scenes.
Both rules apply to “covered entities,” a category that includes most hospitals, clinics, health insurers, and healthcare clearinghouses, along with the business associates they hire to handle data on their behalf.
Your Rights Over Your Own Records
HIPAA gives you several concrete rights. You can ask to see and get a copy of your health records. You can request corrections if something is inaccurate. You can also ask for an accounting of who your information has been disclosed to and request restrictions on certain uses. These rights apply to every covered entity that holds your data, not just your primary care doctor.
A separate federal law, the 21st Century Cures Act, strengthens these rights further by targeting “information blocking.” Under this law, healthcare providers, health IT developers, and health information networks cannot knowingly interfere with the access, exchange, or use of your electronic health information unless a specific exception applies. Providers who violate this rule face formal disincentives from the Department of Health and Human Services. The practical effect: your doctor’s office can’t refuse to send your records to another provider or to you simply because it’s inconvenient.
What HIPAA Doesn’t Cover
One of the biggest gaps in healthcare privacy involves the health data you generate outside the traditional medical system. Fitness trackers, period-tracking apps, mental health apps, and at-home genetic testing kits often fall outside HIPAA’s reach because the companies behind them aren’t covered entities. A meditation app that logs your mood and sleep patterns, for example, is not bound by the same rules as your therapist’s office.
The Federal Trade Commission partially fills this gap through the Health Breach Notification Rule. This rule requires vendors of personal health records and related entities to notify consumers after a breach involving unsecured information. If the breach affects 500 or more people, the company must also notify the media. But the rule focuses on breach notification, not on limiting how these companies collect or sell your data in the first place. The result is that health-adjacent apps often operate under weaker privacy standards than your hospital does.
How Data Gets De-Identified for Research
Healthcare data is enormously valuable for research, public health planning, and improving treatments. To use it without compromising individual privacy, organizations strip out identifying details through a process called de-identification. HIPAA recognizes two approved methods.
The Safe Harbor method is the more straightforward approach. It requires the removal of 18 specific types of identifiers: names, phone numbers, email addresses, Social Security numbers, medical record numbers, dates more specific than year (for dates tied to an individual), geographic data more specific than a state, biometric identifiers like fingerprints, full-face photographs, IP addresses, and several others. Even zip codes must be generalized so the remaining digits represent a population of more than 20,000 people. Ages over 89 get collapsed into a single “90 or older” category. Once all 18 identifier types are removed and the organization has no reason to believe the remaining data could identify someone, the information is no longer considered PHI.
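The Safe Harbor rules above are mechanical enough to express as code. The following is an added example, not from the original article or from HHS: it applies the removal and generalization steps to a single patient record. The field names, the set of low-population three-digit ZIP prefixes (the real set is derived from census data, so the one here is a constructed placeholder), and the sample records are all this example's own assumptions. Two design points matter for a practitioner: the function uses an allow-list, so any field it has not been told about is dropped rather than passed through, and an age over 89 also forces removal of the birth year, since the year alone would reveal that age.

```python
from datetime import date

# Field classification for this example's own schema (assumption, not a standard).
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn", "ip_address",
                      "full_face_photo", "fingerprint", "address", "city"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}   # reduced to year only
RETAINED_FIELDS = {"state", "sex", "diagnosis_codes", "lab_results"}

# CONSTRUCTED placeholder: three-digit ZIP prefixes covering 20,000 people or
# fewer. The real list comes from census data and must be substituted here.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}
AGE_CAP = 89  # ages above this collapse to "90 or older"

AS_OF = date(2024, 3, 2)  # reference date used to compute ages in the samples


def generalize_zip(zip_code):
    """Keep the first three ZIP digits unless that prefix is low-population."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def years_between(born, as_of):
    """Whole years from `born` to `as_of` (age on that date)."""
    years = as_of.year - born.year
    if (as_of.month, as_of.day) < (born.month, born.day):
        years -= 1
    return years


def safe_harbor_deidentify(record, as_of):
    """Return (deidentified_dict, dropped_field_names).

    Allow-list behaviour: a field not explicitly classified is dropped, so an
    identifier added upstream later fails closed instead of leaking through.
    """
    out, dropped = {}, []

    # Age first, because an age over 89 also forces removal of the birth year.
    age = record.get("age")
    if age is None and "dob" in record:
        age = years_between(record["dob"], as_of)
    over_cap = age is not None and age > AGE_CAP
    if age is not None:
        out["age"] = "90 or older" if over_cap else age

    for key, value in record.items():
        if key == "age":
            continue  # handled above
        if key in DIRECT_IDENTIFIERS:
            dropped.append(key)
        elif key in DATE_FIELDS:
            if key == "dob" and over_cap:
                dropped.append(key)  # birth year would reveal age > 89
            else:
                out[key + "_year"] = value.year
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in RETAINED_FIELDS:
            out[key] = value
        else:
            dropped.append(key)  # unclassified field: fail closed
    return out, dropped


# Constructed sample records, not real patient data.
SAMPLE_RECORDS = [
    {
        "name": "Jane Doe", "mrn": "MRN-0001", "email": "jane@example.com",
        "dob": date(1931, 6, 15), "admit_date": date(2024, 3, 2),
        "address": "1 Main St", "city": "Springfield", "state": "MA",
        "zip": "02138", "sex": "F", "diagnosis_codes": ["I10"],
        "device_serial": "SN-12345",  # unclassified field: must be dropped
    },
    {
        "name": "John Roe", "dob": date(1980, 12, 31), "zip": "03601",
        "state": "NH", "diagnosis_codes": ["E11"],
        "discharge_date": date(2023, 11, 5),
    },
]


def deidentify_samples():
    """Run the de-identification over the constructed samples."""
    return [safe_harbor_deidentify(r, AS_OF) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for kept, removed in deidentify_samples():
        print("kept:", kept)
        print("dropped:", removed)
```

The second return value lists what was removed; in a real pipeline that list is worth logging, because an unexpected field name showing up there usually means an upstream schema change that the de-identification step was never reviewed against. Note that the function only handles the mechanical identifier rules; the Safe Harbor standard's final condition, that the organization has no actual knowledge the remaining data could identify someone, is a judgement a script cannot make.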
The Expert Determination method is more flexible but requires a qualified statistician to analyze the dataset and certify that the risk of re-identification is “very small.” The expert must document their methods and reasoning. This approach allows organizations to retain more data detail when they can demonstrate it won’t compromise privacy.
Penalties for Violations
HIPAA violations carry financial penalties that scale with severity. For unknowing violations, the annual maximum for repeat offenses is $25,000. Violations due to reasonable cause cap at $100,000 per year. Willful neglect that gets corrected within the required time period can reach $250,000 annually. And willful neglect that goes uncorrected tops out at $1.5 million per year. Criminal penalties, including imprisonment, apply in the most egregious cases involving intentional theft or sale of health information.
Beyond regulatory fines, the financial fallout from a data breach in healthcare is staggering. According to IBM’s annual cost-of-a-breach analysis, healthcare has the highest average breach cost of any industry at $10.93 million per incident. That figure reflects not just penalties but also the cost of investigation, notification, system remediation, legal fees, and lost patient trust. For patients, a breach can mean years of identity theft risk and the exposure of deeply personal medical details.
International Approaches to Health Data Privacy
Outside the United States, the European Union’s General Data Protection Regulation treats health data as a “special category” of personal data that receives extra protection. Processing health information is prohibited by default under Article 9. It’s allowed only under specific conditions: the individual gives explicit consent, the processing is necessary for medical diagnosis or treatment, or there’s a public health interest at stake. EU member states can impose additional restrictions on top of these baseline requirements, and several have done so for genetic and biometric data.
The practical difference between HIPAA and the GDPR is one of scope. HIPAA applies to specific types of organizations in the healthcare system. The GDPR applies to any entity that processes health data on EU residents, regardless of whether that entity is a hospital, a tech company, or a fitness app. This means a health app operating in Europe faces far stricter obligations than the same app operating solely in the United States.
Why Healthcare Data Is a High-Value Target
Medical records contain a dense concentration of personal information: names, dates of birth, Social Security numbers, insurance details, and clinical histories all bundled together. Unlike a stolen credit card number, which can be canceled and replaced, a medical history is permanent. This makes healthcare data more valuable on black markets and more damaging when exposed.
The shift to electronic health records and the growing use of telehealth, patient portals, and connected medical devices have expanded the number of access points that need protection. Each new system that touches patient data creates another potential vulnerability. For healthcare organizations, privacy is not a one-time compliance exercise but an ongoing process of risk assessment, staff training, and system monitoring that evolves as technology changes.