HIPAA and Medical Privacy: What Patients and Providers Need to Know
The Health Insurance Portability and Accountability Act of 1996 — almost always shortened to HIPAA — is the foundational federal law governing who can see, share, and use a patient's medical information in the United States. It applies to hospitals, physician practices, health insurers, pharmacies, and a long chain of business associates who handle health data on their behalf. Understanding where HIPAA's protections begin and end matters enormously, because the law is both broader and narrower than most people assume.
Definition and scope
HIPAA's Privacy Rule — formally published by the U.S. Department of Health and Human Services (HHS) and codified at 45 CFR Parts 160 and 164 — establishes national standards for protecting "protected health information," or PHI. PHI is any individually identifiable information held by a covered entity that relates to a person's past, present, or future physical or mental health, the provision of healthcare, or the payment for that care. That definition sweeps in 18 specific identifiers — names, geographic data smaller than a state, dates tied to an individual, phone numbers, email addresses, Social Security numbers, and more — as catalogued by HHS's de-identification guidance.
"Covered entities" under HIPAA fall into three categories: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. A solo family physician qualifies. So does a national insurer. A covered entity's contractors — law firms, billing companies, cloud storage vendors — qualify as "business associates" and carry overlapping obligations under the Business Associate Agreement framework.
One point worth stating plainly: HIPAA does not apply to every organization that happens to know something about someone's health. An employer who learns an employee has diabetes from a casual conversation is not a covered entity. A wellness app that a person downloads on their own is likely not covered. The Federal Trade Commission has noted a significant gap in federal health privacy protections for consumer-facing digital health products that fall outside HIPAA's scope — a gap with real consequences as telehealth and virtual care platforms multiply.
How it works
HIPAA's privacy framework operates on a principle of minimum necessary use: covered entities may use or disclose only the PHI needed to accomplish the stated purpose. A billing department doesn't need a patient's psychiatric history to process a claim for a knee X-ray.
The Privacy Rule permits — without patient authorization — a core set of disclosures for treatment, payment, and healthcare operations (collectively called "TPO"). Beyond TPO, most other disclosures require the patient's written authorization, with specific exceptions carved out for public health activities, law enforcement under defined conditions, judicial proceedings, and research subject to Institutional Review Board oversight.
The HIPAA Security Rule adds a parallel layer for electronic PHI (ePHI), requiring covered entities to implement administrative, physical, and technical safeguards. HHS's Office for Civil Rights (OCR), which enforces both rules, can impose civil penalties ranging from $100 to $50,000 per violation, with annual caps reaching $1.9 million per violation category under the tiered structure established by the HITECH Act (45 CFR § 160.404).
Patients themselves hold a defined set of rights over their medical records and health data: the right to access their records, request amendments, receive an accounting of disclosures, and request restrictions on certain uses.
Common scenarios
The situations where HIPAA confusion tends to cluster fall into a recognizable pattern:
- Hospital sharing with family members. A covered entity may share information with a patient's family, friends, or caregivers if the patient is present and does not object, or if the provider uses professional judgment to conclude disclosure is in the patient's best interest when they cannot consent. This is not a blanket prohibition — it is a structured discretion standard.
- Employer requests for medical information. Employers are generally not covered entities. But when an employer requests records from a provider — say, to adjudicate a workers' compensation claim — the provider is releasing PHI and HIPAA's authorization requirements apply to that transaction.
- Mental health records. Psychotherapy notes receive heightened protection under HIPAA and cannot be released even for TPO purposes without specific authorization. This distinction matters significantly within mental health services, where the treatment relationship depends heavily on confidentiality.
- Deceased patients. PHI of a deceased individual remains protected for 50 years following the date of death under 45 CFR § 164.502(f).
- Breach notification. When unsecured PHI is compromised, covered entities must notify affected individuals within 60 days of discovering the breach, notify HHS, and — for breaches affecting 500 or more individuals in a state — notify prominent media outlets in that state (45 CFR § 164.404–414).
Decision boundaries
The practical friction in HIPAA compliance usually sits at three edges. First, the line between treatment coordination and impermissible disclosure: a specialist sharing records with a primary care physician is routine TPO; sharing those same records with an employer's occupational health contractor requires careful analysis. Patients navigating how to choose a healthcare provider have a legitimate interest in understanding who sits inside and outside that information-sharing circle.
Second, the boundary between state and federal law. HIPAA sets a federal floor, not a ceiling. States may — and frequently do — enact stricter protections, particularly for HIV status, substance use disorder records (separately governed by 42 CFR Part 2), and mental health information. California's Confidentiality of Medical Information Act, for example, imposes obligations that exceed HIPAA in several dimensions. This interaction is a recurring theme across patient rights and protections generally.
Third, the HIPAA-versus-public-health boundary. Covered entities may disclose PHI to public health authorities — including the CDC and state health departments — without patient authorization for activities like disease reporting and outbreak investigation. This is a designed feature of the system, not a loophole, and it reflects a deliberate legislative judgment that population health surveillance requires real data. The tension between that judgment and individual privacy expectations is exactly what makes HIPAA, three decades after its passage, still worth understanding precisely.