The HIPAA Privacy Rule is a federal regulation that sets national standards for protecting your health information. Published in December 2000 by the Department of Health and Human Services, it governs how doctors, hospitals, insurers, and their partners can use and share the medical data they collect about you. It also gives you specific rights over that information, including the right to see it, get copies, and request corrections.
The rule is designed to strike a balance: protecting your privacy while still allowing health information to flow where it needs to go for quality care, insurance claims, and public health efforts.
What Counts as Protected Health Information
The Privacy Rule protects what’s called “protected health information,” or PHI. This is any health data that can be linked back to you as an individual. It covers information in any form, whether it’s in a paper chart, an electronic record, or spoken aloud during a phone call.
What makes health data “identifiable” is the presence of any of 18 specific identifiers. These include the obvious ones like your name, Social Security number, and date of birth. But the list goes further than most people expect. It also covers telephone numbers, email addresses, medical record numbers, health plan ID numbers, IP addresses, biometric data like fingerprints, full-face photographs, and even vehicle license plate numbers. Geographic information smaller than a state (your street address, city, or ZIP code) also qualifies.
If all 18 identifiers are stripped from a dataset and the organization has no actual knowledge that what remains could still identify someone, the information is considered “de-identified” under the rule’s “safe harbor” method and is no longer subject to the Privacy Rule. Two details are easy to miss: the year of a date may be kept (but not the month or day, and ages over 89 must be aggregated into a single “90 or older” category), and the first three digits of a ZIP code may be kept as long as that three-digit area contains more than 20,000 people. The rule also offers a second path, expert determination, in which a qualified statistician documents that the risk of re-identification is very small. This is how researchers can study health trends without triggering privacy protections.
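The safe harbor method is mechanical enough to encode. The following is an added example, not code from the original article: it scrubs one patient record according to the rules above (drop direct identifiers, keep only the year of dates, truncate ZIP codes to three digits, aggregate ages over 89) and then re-scans the result for identifier patterns that survived in free text, which is where de-identification usually fails in practice. The record layout, field names, and the sample record are constructed for illustration; the list of low-population ZIP prefixes is the illustrative set HHS published from 2000 census data and must be refreshed from current census figures before real use.

```python
"""Safe Harbor de-identification of a single patient record (added example).

Field names, record layout and sample data are assumptions for illustration.
"""
import re
from datetime import date

# Fields removed outright: a subset of the 18 safe harbor identifiers.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "license_plate", "device_serial", "url", "ip_address", "biometric",
    "photo",
}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# Illustrative list from HHS guidance (2000 census); reload from current data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Patterns used to catch identifiers hiding in free-text fields after scrubbing.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def generalize_zip(zip_code):
    """Keep the first three digits unless that prefix is a low-population area."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(iso_birth, iso_today):
    """Whole years between two ISO dates (birthday not yet reached counts down)."""
    b, t = date.fromisoformat(iso_birth), date.fromisoformat(iso_today)
    return t.year - b.year - ((t.month, t.day) < (b.month, b.day))


def deidentify(record, iso_today):
    """Return a safe-harbor scrubbed copy of `record`; the input is not modified."""
    out = {}
    age = age_on(record["birth_date"], iso_today) if "birth_date" in record else None
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            # For patients over 89 even the birth year is indicative of age and must go.
            if key == "birth_date" and age is not None and age > 89:
                continue
            out[key.replace("_date", "_year")] = date.fromisoformat(value).year
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if age > 89 else age
    return out


def residual_identifiers(record):
    """List (field, pattern) pairs for identifier-like strings that survived scrubbing."""
    hits = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for label, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                hits.append((key, label))
    return hits


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "street_address": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "03601",
    "birth_date": "1931-04-15",
    "admission_date": "2024-02-03",
    "diagnosis_code": "E11.9",
    "notes": "Patient called from 555-867-5309; follow-up 2024-02-10.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD, "2024-06-01")
    print(clean)
    # The free-text note still leaks a phone number and a full date.
    print("residual identifiers:", residual_identifiers(clean))
```

The second pass is the important one. Field-level scrubbing handles the structured columns, but clinical notes routinely contain callback numbers, appointment dates, and names, and the rule's “no actual knowledge” condition means a dataset with those leaks is not de-identified no matter how clean the schema looks. Treat a non-empty result from the residual scan as a blocker, not a warning.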
Who Has to Follow the Rule
The Privacy Rule applies to three categories of organizations known as “covered entities”:
- Health care providers such as doctors, clinics, dentists, psychologists, pharmacies, and nursing homes, but only if they transmit health information electronically in connection with standard transactions like billing.
- Health plans including private insurance companies, HMOs, employer-sponsored plans, Medicare, Medicaid, and military and veterans health programs.
- Health care clearinghouses, which are organizations that process or convert health data between nonstandard and standard electronic formats.
There’s also a fourth category: business associates. These are companies that perform services for covered entities and handle PHI in the process, such as billing companies, IT contractors, cloud storage providers, or law firms. A covered entity must have a written contract (a business associate agreement) with each business associate spelling out how they’ll protect your information, and a business associate must have the same kind of agreement with any subcontractor it passes PHI to, since subcontractors are business associates in their own right. Business associates are directly liable for certain HIPAA violations, not just contractually responsible.
If an organization doesn’t fall into any of these categories, HIPAA doesn’t apply to it. This is why fitness apps, most employers (outside their role as health plan sponsors), and social media companies generally aren’t bound by the Privacy Rule, even if they handle health-related data.
When Your Information Can Be Shared
The Privacy Rule doesn’t lock down your health information completely. It permits covered entities to use and disclose PHI without your written authorization in several common situations. The most routine are treatment, payment, and health care operations. Your doctor can share your records with a specialist you’ve been referred to. Your hospital can send billing information to your insurer. A health plan can review claims data for quality improvement.
Other permitted disclosures without your authorization include situations involving public health surveillance, law enforcement requests that meet specific legal criteria, judicial proceedings, organ donation coordination, workers’ compensation cases, and threats to public safety. In most other situations, a covered entity needs your written authorization before sharing your PHI.
The Minimum Necessary Standard
Even when a disclosure is permitted, covered entities can’t just hand over your entire medical record. The Privacy Rule requires them to limit what they share to the minimum amount of information needed to accomplish the purpose. A billing department processing an insurance claim doesn’t need your full psychiatric history, for example.
There are exceptions. The minimum necessary standard does not apply when a provider shares information for treatment purposes, when you request your own records, when you’ve signed an authorization, or when HHS itself requests information for enforcement. For routine disclosures like standard insurance claims, organizations are expected to have standing policies that define what gets shared. For unusual, one-off requests, each disclosure must be reviewed individually.
Your Rights Under the Rule
The Privacy Rule grants you several concrete rights over your health information. You can request access to and obtain copies of your medical records. You can ask for corrections if you believe something is inaccurate. You can request an accounting of disclosures, which is essentially a log of who your information has been shared with and why. You can ask a provider or health plan to restrict certain disclosures, ask to be contacted through a particular channel or at a particular address, and opt out of receiving fundraising communications. If you believe your rights have been violated, you can file a complaint with the organization or with the HHS Office for Civil Rights, and the organization may not retaliate against you for doing so.
Covered entities are also required to give you a Notice of Privacy Practices. This document, written in plain language, must explain how the organization may use and disclose your PHI, what your rights are and how to exercise them, the organization’s legal duties regarding your information, and who to contact with questions or complaints. The notice must include an effective date. You’ve likely signed an acknowledgment of this document at a doctor’s office, even if you didn’t read it closely.
How State Laws Interact With HIPAA
HIPAA acts as a federal floor for privacy protections, not a ceiling. If your state has a health privacy law that’s more protective than HIPAA, the state law wins. For instance, if a state law prohibits disclosing HIV status in a situation where HIPAA would technically permit it, the state law controls because it offers greater privacy protection and there’s no true conflict between the two.
A state law is only “preempted” (overridden) by HIPAA when it would be impossible to comply with both, or when the state law stands in the way of HIPAA’s goals. In practice, this means you may have stronger privacy protections than the federal baseline depending on where you live, particularly around sensitive areas like mental health, substance use treatment, and reproductive health records.
Reproductive Health Care Protections
A 2024 final rule added new protections specifically for reproductive health care information. Covered entities and their business associates are now prohibited from using or disclosing PHI to support investigations into, or impose liability on, any person for seeking, obtaining, providing, or facilitating lawful reproductive health care.
The rule applies when the reproductive health care was lawful in the state where it was provided, or when it’s protected or authorized by federal law. When a different entity provided the care (not the one receiving the records request), the rule presumes the care was lawful unless the entity receiving the request has actual knowledge otherwise or receives factual information demonstrating a substantial basis that the care was unlawful. It also requires a signed attestation that the request is not for a prohibited purpose before PHI potentially related to reproductive health care is disclosed for health oversight, judicial or administrative proceedings, law enforcement, or to coroners and medical examiners. This addition was designed to prevent medical records from being weaponized in states that have restricted reproductive health care access. Note, however, that a federal district court in Texas vacated the reproductive health care provisions of this rule nationwide in June 2025, so organizations should confirm the current enforcement status before relying on it.
Penalties for Violations
The Office for Civil Rights (OCR) at HHS enforces the Privacy Rule. Civil penalties are structured in four tiers based on the level of culpability. The figures below are the base amounts from the HITECH Act as applied under HHS’s 2019 enforcement discretion notice; HHS adjusts them for inflation every year, so the amounts actually assessed today are higher, and each annual cap applies to violations of the same provision within a calendar year:
- Unknowing violations: $100 to $50,000 per violation, with an annual cap of $25,000.
- Reasonable cause (not willful neglect): $1,000 to $50,000 per violation, with an annual cap of $100,000.
- Willful neglect, corrected within 30 days: $10,000 to $50,000 per violation, with an annual cap of $250,000.
- Willful neglect, not corrected: $50,000 per violation, with an annual cap of $1.5 million.
Because a single data breach can involve thousands of individual records, and OCR may count each affected individual, or each day a violation continues, as a separate violation, the financial exposure from a serious incident can be enormous. Criminal penalties are also possible for knowingly obtaining or disclosing identifiable health information in violation of HIPAA: up to $50,000 and one year in prison for the base offense, up to $100,000 and five years if committed under false pretenses, and up to $250,000 and ten years if committed with intent to sell the information or for commercial advantage, personal gain, or malicious harm. Those cases are prosecuted by the Department of Justice rather than HHS.