What does HIPAA mean for your privacy?

Just like your financial and personal information, keeping your medical information private is vital. And in today's online world, that can be a challenge.

Ready to start your estate plan?

Excellent TrustScore 4.5 out of 5
1,818 reviews Trustpilot
Woman reading with child sitting on floor

by Edward A. Haman, J.D.
updated May 11, 2023 ·  4min read

Protecting your sensitive medical information is important. While it can be beneficial for your various medical care providers to quickly share your records over the internet, your medical information can also be used for marketing purposes and—just like information you might carelessly post on social media—it might even be accessed by hackers.

To provide some privacy protection for medical information, Congress passed HIPAA, which stands for the Health Insurance Portability and Accountability Act. But while HIPAA provides some privacy protection, it also has its limits.

mom taking son to the doctor

What Is HIPAA and What Is Its Purpose?

HIPAA is a federal law designed to protect a patient's sensitive information from being released without their consent.

So, what does HIPPA mean for your privacy? The short answer is that HIPAA helps protect your privacy, but it probably does not provide as much protection as you might think or as much as you would like.

To understand what HIPAA actually does, it's important to know what its two primary purposes are:

  1. To make it easier for people to obtain and maintain medical insurance, which includes being able to change health insurance plans as your employment situation changes. This is the "portability" part of the Act.
  2. To protect the privacy of patient information. This is the "accountability" part of the Act.

HIPAA Privacy Rules

HIPAA actually consists of two parts: the Act as enacted by Congress and numerous rules created by the U.S. Department of Health and Human Services (HHS) to implement the Act. Two of these rules that set forth privacy requirements are:

  • Standards for Privacy of Individually Identifiable Health Information. Known as the "Privacy Rule," it covers what is called "protected health information" (or PHI).
  • Security Standards for the Protection of Electronic Protected Health Information. Known as the "Security Rule," it has additional requirements for safeguarding PHI that is created, received, stored, or transmitted electronically.

Information that is considered PHI includes:

  • Hospital and physician records regarding your medical conditions and treatments.
  • Prescriptions.
  • Lab test results.
  • Billings and insurance claims.
  • Appointment histories.
  • Financial and personal information, such as your name, date of birth, age, address, phone number, email address, Social Security number, and insurance information.

HIPAA Covered Entities

HIPAA does not apply to everyone. It only applies to what the Act calls a "covered entity," which basically includes:

  • Health care providers.
  • Health plans. This includes Medicare and Medicaid.
  • Business associates of health care providers and plans. These provide billing, claims processing, or other services.

This leaves out many others who may obtain medical information about you and your family. Some examples of organizations that are not covered by HIPAA are life insurance companies, employers, school districts, law enforcement agencies, and many state and municipal agencies. Therefore, the medical information you disclose in your life insurance application, or medical information you give to your child's school, is not protected under HIPAA.

If you let your friend know that you have a particular medical condition, and that friend passes that information to someone else, there is no HIPAA violation because HIPAA does not apply to your friend.

Personal Health Information Disclosures

HIPAA rules set forth circumstances under which PHI can be disclosed by a covered entity. This can be broken down into two categories: disclosures that require your written permission and disclosures that can be made without your permission.

Disclosures Requiring Permission

Generally, patient permission for disclosure of PHI is required, unless the HIPAA Privacy Rule specifically permits disclosure without permission. This includes information:

  • To be used for marketing purposes.
  • Being disclosed in return for financial compensation.
  • Regarding psychotherapy and substance abuse treatment.
  • To be included in a hospital patient directory.
  • Disclosed to a friend or family member with authorization granted by a health care power of attorney or a HIPAA authorization form. This is often done as part of a comprehensive estate plan.

Disclosures Without Permission

Information may be disclosed without your permission if it's necessary for medical treatment, billing, and payment processing.

There are also some rather broad and generally-worded exceptions to the Privacy Rule, which allow government access, such as:

  • When required by law.
  • Public health activities, such as reporting disease outbreaks.
  • Judicial and administrative proceedings, such as court orders and subpoenas.
  • Law enforcement.
  • To prevent or lessen a serious threat to health or safety.
  • Essential government functions.

HIPAA Violations

If a covered entity violates HIPAA rules, it can incur civil fines and criminal penalties. Complaints regarding HIPAA violations are handled by the HHS Office for Civil Rights (OCR).

However, there has been criticism of OCR and the U.S. Department of Justice for failing to aggressively pursue violators.

How You Can Help Protect Your Privacy

Health care providers, medical insurers, and other covered entities typically make efforts to assure they are in compliance with HIPAA privacy rules. This includes training their employees on the rules. However, there are a few things you can do to enhance the privacy, and accuracy, of your medical information:

  • You have the right under HIPAA to see and obtain copies of your medical records. If you find inaccurate information, you have the right to have corrections added to your records.
  • Read privacy notices. These tell you how the covered entity will use and share your information. They will state when information may be disclosed without your permission and what your rights are to limit this sharing of information. Often, they also give you choices to limit or eliminate some of this sharing.
  • Opt out of fundraising and marketing communications.

It's important to understand the basic purpose of HIPAA, its privacy rules, and the limitations of those privacy rules. The HHS website can provide more information about your rights under HIPAA, as can the CDC website.

Ensure your loved ones and property are protected START MY ESTATE PLAN
Edward A. Haman, J.D.

About the Author

Edward A. Haman, J.D.

Edward A. Haman is a freelance writer, who is the author of numerous self-help legal books. He has practiced law in Hawa… Read more

This portion of the site is for informational purposes only. The content is not legal advice. The statements and opinions are the expression of the author, not LegalZoom, and have not been evaluated by LegalZoom for accuracy, completeness, or changes in the law.