HIPAA and Medical Privacy: What Patients and Providers Need to Know
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes the federal baseline for protecting individually identifiable health information in the United States. This page covers the law's core definitions, how its Privacy and Security Rules operate in practice, the scenarios in which protections apply or yield to other interests, and the boundaries that distinguish permissible from prohibited disclosures. Understanding these frameworks is essential for patients asserting rights over their records and for providers navigating compliance obligations under federal oversight.
Definition and Scope
HIPAA, codified at 45 C.F.R. Parts 160 and 164, creates enforceable standards for the use and disclosure of Protected Health Information (PHI). PHI is defined as any individually identifiable health information held or transmitted by a covered entity or its business associate, in any format — electronic, paper, or oral (HHS Office for Civil Rights).
Covered entities under HIPAA fall into three categories:
- Health plans — insurers, HMOs, Medicare and Medicaid programs
- Healthcare clearinghouses — entities that process nonstandard health information into standard formats
- Healthcare providers — any provider transmitting health information electronically in connection with covered transactions (e.g., billing)
Business associates — third-party vendors handling PHI on behalf of covered entities, such as billing companies or cloud storage providers — are also directly subject to HIPAA's Security Rule and breach notification requirements under the HITECH Act of 2009.
HIPAA does not apply to all entities holding health data. Employers maintaining employee records in a non-healthcare capacity, life insurers, and most consumer health apps are outside its direct scope. State laws may impose stricter or supplementary requirements; where a state law is more protective of privacy, HIPAA does not preempt it and the stricter state rule governs (45 C.F.R. § 160.203).
The scope of HIPAA intersects directly with patient rights in healthcare and with the broader regulatory framework described in healthcare regulation and federal agencies.
How It Works
HIPAA's operational structure rests on three interlocking rules.
The Privacy Rule (45 C.F.R. Part 164, Subpart E)
The Privacy Rule governs who may access PHI and under what conditions. It establishes a general prohibition on use or disclosure without patient authorization, then carves out specific permitted uses:
- Treatment, payment, and healthcare operations (TPO) — providers may share PHI among treating clinicians without separate authorization
- Public health activities — reporting communicable diseases to state health departments
- Judicial and administrative proceedings — with appropriate legal process
- Law enforcement — under tightly defined circumstances
- Decedent information — coroners and medical examiners, subject to limits
Patients have affirmative rights under the Privacy Rule: the right to receive a Notice of Privacy Practices, the right to request restrictions on certain disclosures, and the right to an accounting of disclosures that occurred without authorization (HHS, Summary of the HIPAA Privacy Rule).
The Security Rule (45 C.F.R. Part 164, Subpart C)
The Security Rule applies exclusively to electronic PHI (ePHI). It requires covered entities to implement administrative, physical, and technical safeguards. Required safeguards include unique user identification, automatic logoff, audit controls, and transmission encryption. Addressable safeguards, which must either be implemented or be documented as not reasonable and appropriate for the entity (with any equivalent alternative measure recorded), include encryption of ePHI at rest. This framework is relevant to the infrastructure discussed in electronic health records.
The Breach Notification Rule (45 C.F.R. Part 164, Subpart D)
Covered entities must notify affected individuals within 60 days of discovering a breach involving unsecured PHI. Breaches affecting 500 or more individuals in a single state require simultaneous notification to the HHS Secretary and prominent media outlets in that state (45 C.F.R. § 164.406).
Common Scenarios
Scenario 1: Releasing Records to a Third Party
A patient's employer requests medical records from a treating physician. This disclosure is not covered under TPO and requires written patient authorization unless a specific exception applies (e.g., workers' compensation statutes). Unauthorized release constitutes a Privacy Rule violation. See also medical records access for the procedural framework governing patient-directed record requests.
Scenario 2: Mental Health and Substance Use Records
Psychotherapy notes receive heightened protection under HIPAA and require separate authorization even for TPO disclosures. Substance use disorder treatment records maintained by federally assisted programs receive an additional, independent layer of protection under 42 C.F.R. Part 2, administered by SAMHSA, which is stricter than the baseline HIPAA standard. This intersects with mental health services and substance use disorder services.
Scenario 3: Telehealth Encounters
Telehealth platforms transmitting ePHI must meet the Security Rule's technical safeguard requirements. Platforms operating as business associates must have signed Business Associate Agreements (BAAs) with covered entities before handling any PHI (HHS Telehealth Guidance). The compliance dimension of telehealth services includes these BAA and encryption obligations.
Decision Boundaries
The following numbered framework maps the threshold questions that determine whether a disclosure is permissible:
1. Is the entity a covered entity or business associate? If no, HIPAA does not apply; assess applicable state law.
2. Is the information PHI? De-identified data (meeting the Safe Harbor or Expert Determination method under 45 C.F.R. § 164.514) is outside HIPAA's scope.
3. Does a permitted use or required disclosure apply? The 12 national priority purposes enumerated in the Privacy Rule (45 C.F.R. § 164.512) cover public health, research, law enforcement, and others.
4. Is patient authorization present and valid? A valid authorization must name the recipient, describe the information, state the purpose, and carry an expiration date or event.
5. Does a stricter state or federal standard override? For 42 C.F.R. Part 2 data or state mental health statutes, the more protective rule governs.
PHI vs. De-identified Information — Key Contrast:
HIPAA's Safe Harbor method requires removal of 18 specific identifiers (including names, geographic subdivisions smaller than a state, all elements of dates other than the year, ages over 89, phone numbers, and device identifiers) before data loses its PHI status. Expert Determination requires a qualified statistician to certify that the re-identification risk is "very small"; this is a higher evidentiary bar, but one that permits retention of more granular data elements.
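As an added example (not code from HHS or from this page), the following Python function applies the Safe Harbor identifiers listed above to a constructed patient record: it drops the named direct identifiers and sub-state geography, keeps only the year of dates, collapses ages over 89 into a single "90+" bucket (an aggregation the Safe Harbor method permits), and masks phone numbers that survive inside free-text fields, which structured-field stripping alone would miss. The field names, the phone-number pattern and the sample record are assumptions.

```python
import re
from datetime import date

# Identifiers the page names (name, phone, device id) plus sub-state geography.
REMOVE_FIELDS = {"name", "phone", "device_id", "street", "city", "zip"}
# Dates directly related to the individual keep only the year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}
# Ages over 89 collapse into one "90+" bucket (Safe Harbor permits this).
AGE_CAP = 89
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")  # US numbers


def age_on(dob: date, as_of: date) -> int:
    """Whole years from dob to as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a copy of record with the Safe Harbor identifiers removed."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key in DATE_FIELDS and isinstance(value, date):
            out[key] = value.year
        elif isinstance(value, str):
            out[key] = PHONE_RE.sub("[PHONE]", value)  # mask leaked numbers
        else:
            out[key] = value
    dob = record.get("dob")
    if isinstance(dob, date):
        age = age_on(dob, as_of)
        if age > AGE_CAP:
            out.pop("dob", None)  # birth year alone would reveal age > 89
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


# Constructed sample record and reference date, not real patient data.
AS_OF = date(2024, 3, 2)
SAMPLE = {
    "name": "Jane Sample", "phone": "555-010-0199", "device_id": "PM-000123",
    "street": "1 Example St", "city": "Springfield", "state": "IL", "zip": "62701",
    "dob": date(1930, 6, 15), "admission_date": date(2024, 3, 2), "diagnosis": "I10",
    "notes": "Daughter reachable at (555) 010-0188 after discharge.",
}
```

Calling `safe_harbor(SAMPLE, AS_OF)` leaves only state, admission year, diagnosis, the masked note and the age bucket; the birth date is removed entirely because the patient is over 89.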
Civil monetary penalties range from $100 to $50,000 per violation category per year, with an annual cap of $1,919,173 per violation category (adjusted for inflation) under tiered culpability standards (HHS OCR Civil Money Penalties). Criminal penalties under 42 U.S.C. § 1320d-6 reach up to 10 years imprisonment for offenses involving intent to sell or use PHI for commercial advantage.
References
- U.S. Department of Health and Human Services — HIPAA for Professionals
- HHS Office for Civil Rights — Summary of the HIPAA Privacy Rule
- Electronic Code of Federal Regulations — 45 C.F.R. Parts 160 and 164
- HHS — HITECH Act Enforcement Interim Final Rule
- SAMHSA — 42 C.F.R. Part 2: Confidentiality of Substance Use Disorder Patient Records
- HHS OCR — HIPAA Enforcement Process and Civil Money Penalties
- [HHS — Telehealth and HIPAA](https://www.hhs.gov/hipaa/for-professionals/special-topics/tele