What Is the Purpose of HIPAA and Why It Matters

HIPAA exists to protect your health information from being shared without your knowledge while also making sure that information can still flow between doctors, insurers, and other providers who need it to care for you. Signed into law in 1996, the Health Insurance Portability and Accountability Act originally had two goals: helping people keep their health insurance when they changed jobs, and reducing fraud and inefficiency in the healthcare system. Over time, its privacy and security provisions became its most well-known features, shaping how every doctor’s office, hospital, pharmacy, and insurance company handles your personal medical data.

Insurance Portability: The Original Goal

The word “portability” in HIPAA’s name points to a problem that was widespread in the mid-1990s. Workers who left a job or got laid off often lost their health coverage entirely, and pre-existing conditions could make it nearly impossible to get new insurance. HIPAA set rules requiring insurers to offer coverage to people moving between group health plans, limiting how long a new plan could exclude coverage for pre-existing conditions. The law also addressed fraud, waste, and abuse in healthcare billing, and pushed the industry toward standardized electronic transactions to cut down on paperwork. These provisions still apply, but they tend to get far less attention than the privacy protections that came later.

What Counts as Protected Health Information

HIPAA’s Privacy Rule, finalized in 2002, created a legal framework around something called protected health information, or PHI. This covers any individually identifiable information related to your past, present, or future health, the care you receive, or how that care is paid for. It includes the obvious things like diagnoses, lab results, and prescriptions, but also demographic details like your name, address, birth date, and Social Security number when they’re linked to health data.

PHI is protected regardless of format. Paper charts in a filing cabinet, electronic records in a hospital database, and even a spoken conversation between your doctor and a specialist all fall under the same rules. The core principle is that your health information should be properly safeguarded but still available to flow where it needs to go for treatment, payment, and healthcare operations.

Who Has to Follow HIPAA

HIPAA applies to three categories of “covered entities”: healthcare providers (doctors, clinics, dentists, psychologists, chiropractors, nursing homes, pharmacies), health plans (insurance companies, HMOs, employer health plans, Medicare, Medicaid, and veterans health programs), and healthcare clearinghouses that process billing data. There’s an important caveat for providers: they’re only covered if they transmit health information electronically in connection with standard transactions like billing. In practice, this captures virtually every provider in the country.

Beyond covered entities, HIPAA also reaches their business associates, meaning any outside company that handles PHI on their behalf. Think billing services, IT contractors, cloud storage providers, or law firms reviewing medical records. These business associates must sign written agreements committing to the same privacy and security standards, and they’re directly liable for violations.

What HIPAA doesn’t cover is just as important to understand. Your fitness tracker company, most health apps, your employer (outside of its role as a health plan sponsor), and social media platforms are generally not bound by HIPAA. If you share your own health information publicly, HIPAA doesn’t apply to that either.

Your Rights Under HIPAA

HIPAA gives you a specific set of rights over your own health records. You can ask to see and get a copy of your medical records. You can request corrections if something is wrong. You’re entitled to a notice explaining how your information may be used and shared. You can decide whether to give permission before your data is used for purposes like marketing. You can ask a provider or insurer to restrict how they use or share your information. And you can get a report showing when and why your health information was shared for certain purposes.

These rights mean that your medical records aren’t locked away from you. If a provider makes it difficult to access your own records, that’s a potential HIPAA violation you can report to the U.S. Department of Health and Human Services.

How Your Data Must Be Secured

HIPAA’s Security Rule focuses specifically on electronic health information and requires three layers of protection. Administrative safeguards include things like risk assessments, employee training, designating a security official, and having a plan for security incidents and emergencies. Physical safeguards limit who can physically access the servers, computers, and facilities where health data is stored, including rules for how hardware and storage media are handled when they’re moved or disposed of. Technical safeguards require access controls so only authorized people can view records, audit logs that track who accessed what and when, integrity controls to prevent data from being altered or destroyed, identity verification, and encryption or other protections for data sent over networks.

When Your Information Can Be Shared Without Permission

HIPAA doesn’t require your authorization for every single disclosure. There are situations where the law permits (or requires) sharing PHI without your explicit consent, and understanding these exceptions gives you a more realistic picture of what HIPAA actually does.

Your information can be shared without your authorization when required by law, for public health purposes like tracking infectious diseases or reporting to the FDA, to report suspected child abuse or domestic violence, for health oversight activities like audits and investigations, in response to court orders or subpoenas, for certain law enforcement purposes such as locating a missing person or reporting a death from criminal conduct, to coroners or medical examiners, to facilitate organ donation, for approved research with privacy board oversight, and to prevent a serious and imminent threat to someone’s health or safety. Workers’ compensation claims and certain government functions like military health activities also qualify.

Even with these exceptions, the law requires that disclosures be limited to the minimum information necessary for the purpose. A public health agency tracking a disease outbreak doesn’t get your entire medical history.

What Happens After a Data Breach

When a covered entity discovers that PHI has been compromised, HIPAA’s Breach Notification Rule sets strict timelines. Affected individuals must be notified in writing, by first-class mail (or by email if they have agreed to electronic notices), within 60 days of discovering the breach. If a breach affects 500 or more people, the entity must also notify HHS within that same 60-day window. Smaller breaches can be reported to HHS annually, but the affected individuals must still be notified within 60 days.

When contact information is outdated for 10 or more affected people, the entity has to post a notice on its website for at least 90 days or run notices in major local media, along with a toll-free number that stays active for at least 90 days so people can check whether their data was involved.

Recent Changes to Reproductive Health Privacy

In April 2024, HHS published a final rule adding new protections specifically for reproductive health information. The rule prohibits covered entities and their business associates from disclosing PHI for the purpose of investigating or imposing legal liability on someone for seeking, obtaining, providing, or facilitating reproductive healthcare that was lawful where it was provided. It also bars using PHI to identify individuals for such investigations.

The rule includes a presumption: if a different provider delivered the reproductive care, it’s presumed lawful unless the entity receiving the records request has actual knowledge that it wasn’t. This change was a direct response to concerns that health records could be used to prosecute patients or providers in states with restrictive reproductive health laws, and it represents one of the most significant expansions of HIPAA’s privacy protections since the original Privacy Rule.