HIPAA, the Health Insurance Portability and Accountability Act, is a federal law passed in 1996 that protects your health information and your ability to keep insurance coverage when you change jobs. Most people know HIPAA as the reason their doctor’s office hands them privacy forms, but the law actually does much more: it sets national standards for how health data is stored, shared, and secured, and it gives you specific rights over your own medical records.
What HIPAA Was Originally Designed to Do
The name itself reveals HIPAA’s first priority: portability. Before the law existed, people who left a job risked losing health insurance coverage or being denied new coverage because of a pre-existing condition. HIPAA made it harder for insurers to shut people out during those transitions.
But the law’s full scope goes well beyond that. The original legislation was written to improve continuity of health insurance coverage, combat waste, fraud, and abuse in health care delivery, promote the use of medical savings accounts, improve access to long-term care, and simplify the administration of health insurance. Over time, the privacy and security provisions became HIPAA’s most visible components, largely because they affect every patient interaction in the health care system.
Who Has to Follow HIPAA
HIPAA doesn’t apply to everyone who handles health information. It applies to three categories of organizations known as “covered entities”: health care providers (doctors, clinics, pharmacies, psychologists, nursing homes, dentists), health plans (insurance companies, HMOs, employer-sponsored plans, Medicare, Medicaid, and military health programs), and health care clearinghouses (organizations that process health data into standardized electronic formats). A health care provider only falls under HIPAA if it transmits information electronically in connection with standard transactions like billing.
Third parties that work with these organizations, called business associates, are also bound by HIPAA. If a hospital hires an outside company to handle its billing or store its records in the cloud, that company must sign a contract agreeing to protect health information under the same rules. If an entity doesn’t fit the definition of a covered entity or business associate, HIPAA doesn’t apply to it. This is why your fitness tracker company or a health app you downloaded isn’t necessarily bound by HIPAA, even though it collects health-related data.
The Privacy Rule: What Counts as Protected Information
The HIPAA Privacy Rule establishes national standards for when your health information can and cannot be shared. It covers what the law calls “protected health information,” or PHI. This includes any information in your medical or billing records that can be linked to you as an individual: your diagnoses, test results, treatment history, prescriptions, and insurance details, along with identifiers like your name, address, date of birth, and Social Security number.
In general, covered entities can use your PHI for treatment, payment, and health care operations without asking your permission. Your doctor can share your lab results with a specialist who’s treating you, and your insurer can access your records to process a claim. For most other uses, the organization needs your written authorization. You have the right to know how your information is being used and to be notified of the organization’s privacy practices.
Exceptions to the Privacy Rule
There are situations where your health information can be disclosed without your authorization. Covered entities may share PHI with law enforcement to prevent a serious and imminent threat to someone’s health or safety, to report what they believe is evidence of a crime on their premises, to comply with a court order or subpoena, or to help identify a suspect, fugitive, or missing person (though only basic demographic information). Providers are also required by many state laws to report certain injuries, like gunshot or stab wounds, directly to law enforcement. Child abuse or neglect can be reported to authorized officials without a parent’s agreement.
The Security Rule: Protecting Electronic Records
While the Privacy Rule covers how health information is used and shared, the Security Rule focuses specifically on protecting electronic health records. It requires covered entities and business associates to implement three types of safeguards.
Administrative safeguards include conducting risk assessments to identify vulnerabilities, designating a specific person responsible for security policies, training staff on proper data handling, and establishing contingency plans for emergencies like data backup and disaster recovery. Organizations must also have procedures for identifying and responding to security incidents.
Physical safeguards address the tangible environment: limiting who can physically access the facilities and equipment where electronic health data is stored, securing workstations, and controlling how hardware and storage media are moved, reused, or disposed of.
Technical safeguards involve the digital protections: restricting system access to authorized users, logging and monitoring activity in systems that contain health data, verifying the identity of anyone who requests access, ensuring data hasn’t been altered or destroyed, and encrypting information transmitted over networks.
Your Rights Under HIPAA
HIPAA gives you a concrete set of rights over your own health information. You can inspect, review, and get copies of your medical and billing records. In most cases, your provider or health plan must deliver those copies within 30 days. If your records are stored off-site, they get up to 60 days, and in either case they can extend the deadline by another 30 days if they give you a written explanation for the delay.
You also have the right to request corrections. If something in your record is inaccurate or incomplete, you can ask your provider to amend it. You can request an “accounting of disclosures,” which is a list of instances when your health information was shared with another person or organization outside of routine treatment and payment. And if you believe your information was used or shared in a way that violates the Privacy Rule, or if you were unable to exercise any of these rights, you can file a complaint with your provider, your insurer, or directly with the federal government.
What Happens When HIPAA Is Violated
The Office for Civil Rights at the Department of Health and Human Services enforces HIPAA. Penalties are structured in four tiers based on the level of negligence involved. An unknowing violation carries fines of $100 to $50,000 per incident, with an annual cap of $25,000 for repeat violations. Violations due to reasonable cause range from $1,000 to $50,000 per incident, capped at $100,000 annually. Willful neglect that’s corrected within the required time period brings fines of $10,000 to $50,000 per incident, up to $250,000 per year. Willful neglect that goes uncorrected hits the maximum: $50,000 per violation with an annual ceiling of $1.5 million.
Criminal violations can also lead to prosecution, with penalties that include jail time in cases involving intentional misuse of health information.
The Breach Notification Rule
When a data breach exposes your protected health information, HIPAA requires the organization to notify you within 60 days of discovering the breach. If the breach affects 500 or more people, the organization must also notify prominent local media outlets and report to the Secretary of Health and Human Services within that same 60-day window. Breaches affecting fewer than 500 people are reported to HHS on an annual basis, due within 60 days after the end of the calendar year in which they were discovered.
Recent Changes: Reproductive Health Privacy
A 2024 final rule added new protections specifically for reproductive health care information. Under this update, covered entities and business associates are prohibited from using or disclosing PHI to support a criminal, civil, or administrative investigation into someone for seeking, obtaining, providing, or facilitating reproductive health care that was lawful in the state where it was provided or protected under federal law. The rule also bars using health records to identify individuals for the purpose of such investigations.
The rule includes a built-in presumption: if a different provider delivered the reproductive care (not the one receiving the records request), that care is presumed to have been lawful unless the entity receiving the request has actual knowledge otherwise or receives factual information demonstrating a substantial basis that the care was unlawful. This addition was designed to prevent health records from being weaponized in states with restrictive reproductive health laws.