Your Patient Privacy Rights in Healthcare
Explore Your Patient Privacy Rights in Context
HIPAA (the Health Insurance Portability and Accountability Act) is a U.S. federal law that sets national standards for protecting the privacy and security of health information held by health care providers, health plans, labs, and their contractors. It includes the parties involved in the delivery of your healthcare and its billing. While other U.S. laws and regulations play critical roles in employment, credit, housing, educational, and many other contexts, HIPAA governs one of the most important sources of your personal health information: the records collected, held, and shared by health care providers and health plans. Below is a description of your rights and important information you should know.
Your patient privacy rights in medical insurance
HIPAA-covered health plans include health insurance companies, health maintenance organizations (HMOs), employer-sponsored group health plans, and government health programs such as Medicare and Medicaid. By contrast, self-administered group health plans with fewer than 50 participants are generally not considered HIPAA-covered health plans.
When your insurer is a HIPAA-covered health plan, you have important privacy rights, including:
- Right to a Notice of Privacy Practices explaining how the plan may use and share your protected health information and what rights you have.
- Right to access your records—to inspect and obtain a copy of the health information the plan holds about you. Limited exceptions include psychotherapy notes and information compiled for legal proceedings (prepared in anticipation of, or for use in, a civil, criminal, or administrative action), though you may still be able to access the underlying records. Other limited denial situations can include certain correctional settings, temporary research-related suspensions you agreed to, information restricted by another law, or information obtained from a non-health care provider under a promise of confidentiality. In rare cases, access may be denied (or denied subject to review) if access is likely to endanger someone's life or physical safety or cause substantial harm, including in some situations involving a personal representative.
- Right to request a correction or amendment to health information the plan maintains about you.
- Right to an accounting of disclosures of your health information made in the prior six years (with the major exception of disclosures made for treatment, payment, and health care operations).
- Right to request restrictions on certain disclosures, including a special right to restrict disclosure to a health plan for a service you pay for out of pocket in full.
- Right to request confidential communications, such as being contacted at a different address or phone number, or through a safer method.
- Right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your plan violated HIPAA's privacy or security rules.
HIPAA-covered health plans:
- Cannot impose preexisting-condition exclusions for covered individuals.
- Cannot discriminate based on "health factors" when setting eligibility, benefits, or premiums in most group health plan contexts. "Health factors" include health status, medical condition (physical or mental), claims experience, receipt of health care, medical history, genetic information, and disability.
What to do: Ask your plan for its Notice of Privacy Practices, request a copy of your records (and correct errors), use confidential communications if needed, get an accounting of disclosures if appropriate, and file a complaint with the U.S. Department of Health and Human Services' Office for Civil Rights if you believe your HIPAA rights were violated. If you have an incident to report, please let us know.
HIPAA doesn't cover every place your health data goes
Consumer apps, wearables, health devices, and many health-related websites fall outside HIPAA unless they are provided through (or on behalf of) your health care provider or health plan—even if you share the same sensitive information with them that you share with your clinician. Because they aren't HIPAA-covered, the rules of your engagement are set by their privacy policy and terms of service—and by using the product, you're agreeing to those terms. Be careful: in many cases, the health data they collect from you—and may share or sell—can be more valuable than the service they provide.
States also require your healthcare providers to submit copies of your personal health records to statewide data collections. These state-run datasets are not covered by HIPAA, and in many states, versions with direct identifiers removed may be shared broadly or sold under state law. (Learn more about state data collections.) In some states, you may be able to have your information excluded by paying in full out of pocket, though the rules vary widely by state.
What to do: Ask whether a company or app is "HIPAA-covered," and read the privacy policy and terms of service before sharing your personal information. Learn more at thedatamap.org. If you have an incident to report, please let us know.
Your information can be used or shared without asking you
HIPAA grants your healthcare providers access to your health information for routine uses and disclosures for treatment, payment, and health care operations—without getting your permission each time. These are entities involved in your direct care or the billing of your care.
HIPAA permits research uses of your health information from healthcare providers without your explicit permission—such as when an Institutional Review Board approves a research protocol or when explicitly identifying information is removed—regardless of whether you sign a separate consent or privacy notice form and even if you stated you did not want your information shared with researchers.
HIPAA permits your health information to be included in datasets that may be widely shared—or even sold—without your explicit permission when it is treated as "de-identified" under HIPAA standards. In practice, this typically means removing direct identifiers such as your name, reporting dates only as years, and limiting geography (for example, to the first two digits of a ZIP code), while leaving diagnoses, procedures, provider, and payment information intact. These disclosures can occur regardless of whether you sign a separate consent or privacy notice form and even if you stated you did not want your information shared. Here is an example of accurately putting names back on de-identified health records.
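The following is an added example, not code from the page or its author, that applies the de-identification steps exactly as the paragraph above describes them (direct identifiers dropped, dates reduced to years, ZIP codes cut to their first two digits, clinical and payment fields kept) to a constructed sample record, and then lists which person-describing fields survive. The field names and the sample record are assumptions made for the example; what it shows is the point the paragraph makes: the record that leaves is no longer anonymous in any strong sense, because year of birth, sex, ZIP prefix and visit year all remain attached to the diagnosis.

```python
"""Added example (not from the page or its author): applies the
de-identification steps the page describes to a constructed sample record
and reports which fields still describe the person afterwards."""
from __future__ import annotations

from datetime import date
from typing import Any

# Direct identifiers the page says are removed. Field names are assumptions.
DIRECT_IDENTIFIERS = {"name", "address", "phone", "email", "mrn", "ssn"}

# Fields the page says are left intact after de-identification.
CLINICAL_FIELDS = {"diagnosis", "procedure", "provider", "payment"}


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy with direct identifiers dropped, dates reduced to years,
    and ZIP codes truncated to their first two digits (the rule as the page
    states it)."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # drop direct identifiers entirely
        if isinstance(value, date):
            out[key] = value.year  # keep only the year of any date
        elif key == "zip":
            out[key] = str(value)[:2]  # keep only the leading two digits
        else:
            out[key] = value  # diagnoses, procedures, provider, payment survive
    return out


def quasi_identifiers(record: dict[str, Any]) -> list[str]:
    """Fields that remain after de-identification and are neither direct
    identifiers nor clinical/payment content. These still describe the person
    (year of birth, sex, ZIP prefix, visit year) and are why the page says
    names can be put back on "de-identified" records."""
    return sorted(
        k for k in record if k not in DIRECT_IDENTIFIERS and k not in CLINICAL_FIELDS
    )


# Constructed sample record: fictitious values, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "000-TEST",
    "address": "1 Example Street",
    "zip": "02138",
    "sex": "F",
    "birth_date": date(1960, 7, 4),
    "visit_date": date(2023, 3, 15),
    "diagnosis": "E11.9",
    "procedure": "99213",
    "provider": "Example Clinic",
    "payment": 145.00,
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print("still present after de-identification:", quasi_identifiers(clean))
```

Run as a script it prints the stripped record and the list of remaining person-describing fields; the useful exercise is to compare that list with the data a health app or a state data collection already holds about the same person.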
HIPAA only applies to the doctors, hospitals, labs, health plans, and others involved in your direct medical care and its billing. HIPAA does not apply to personal health information captured or shared with apps, websites, or online discussions unless these are available through your healthcare provider.
In many cases, health-related data that isn't covered by HIPAA is governed only by the privacy policies and terms of service of the apps, websites, wearables, or devices that collect it. Unless those documents clearly limit sharing, the organization may disclose the data broadly or sell it to others—even with identifying details and without your knowledge.
What to do: Ask your healthcare provider's privacy officer what's included in "operations" and who may receive your information and for what purpose. Learn more about who is receiving personal health information at thedatamap.org. Read the privacy policies and terms of service associated with apps, devices, and websites carefully. If you have an incident to report, please let us know.
You have a right to access your medical records (with limited exceptions)
You can generally inspect and get a copy of your health records. Some information may be excluded (for example, certain psychotherapy notes) and you may have to make a separate request from each healthcare provider.
You may not be able to get a copy of your health information captured by an app or health device that is not subject to HIPAA.
What to do: Use patient portals and download your records for your own files. If these options are not available, request copies in writing and keep a record of your request. If you have an incident to report, please let us know.
You can request corrections and amendments to your record
If you believe something in your health record held by a HIPAA-covered provider is wrong or incomplete, you can request an amendment. The provider must review your request and follow HIPAA's process for approving or denying it.
If the information is collected or held by a consumer app, website, wearable, or device that is not covered by HIPAA, you can still ask for a correction—but the company generally has no legal obligation to make changes unless it has promised to do so in its privacy policy or terms of service.
What to do: Be specific—identify the exact entry and provide supporting documentation if you have it. If you have an incident to report, please let us know.
You can request an accounting of disclosures
Under HIPAA, an "accounting of disclosures" is a report you can request from your healthcare provider or health plan that itemizes the times your health information was disclosed to someone outside the organization during the last 6 years (or a shorter period you specify), including disclosures made by or to their business associates.
A HIPAA "accounting of disclosures" must include the date of the disclosure, the name (and address, if known) of the recipient, a brief description of what information was disclosed, and a brief statement of the purpose for the sharing. The accounting does not include disclosures made: to you; for treatment, payment, or healthcare operations; with your written authorization; to family and friends involved in your care; for national security or law enforcement purposes; or when the information is included in a dataset that does not contain explicit identifiers and is de-identified under the provisions of HIPAA. The healthcare provider or health plan receiving your request must respond within 60 days, and one accounting in any 12-month period must be provided free of charge.
Apps, websites, wearables, and other consumer devices that collect or hold your personal information often do not provide a detailed accounting of when, how, and with whom your data was shared. However, most publish a privacy policy and terms of service that describe—often in broad terms—the categories of third parties with whom they may share your health information.
What to do: Ask for an accounting from your healthcare providers and health plans if you suspect your information was shared outside typical care or billing flows. If you have an incident to report, please let us know.
You can request added protections
You can ask your healthcare provider or health plan to contact you in a safer way (different address, phone number, etc.). If you pay for health services out-of-pocket, you may be able to eliminate certain disclosures.
What to do: If safety is a concern, consider requesting confidential communications immediately and in writing. If you have an incident to report, please let us know.
Your right to control health data used for marketing
Consumer apps, websites, wearables, and other devices that are not provided by your health care provider or health plan may share, give away, or sell data with your name and contact information attached, even to companies looking to market or sell products to you. Unless their privacy policy or terms of service clearly prohibit it, these companies may disclose or sell explicitly identifiable information for marketing or other purposes.
By contrast, HIPAA requires your written authorization for marketing uses or disclosures of your health information that includes your name and contact information other than as allowed for your care, billing, or research. If a healthcare provider or health plan wants to disclose your personal health information to a third party in exchange for money—especially for marketing—HIPAA requires your written authorization, and that authorization must disclose the payment.
What to do: Read any authorization forms carefully; don't sign unless you understand what's being shared and why. If you have an incident to report, please let us know.
If there's a breach of your health information, you must be notified
If your personal health information is breached by your healthcare provider or health plan, HIPAA requires you be notified without unreasonable delay and no later than 60 days after discovery.
If the company that lost your health data isn't HIPAA-covered (e.g., apps, wearables, wellness platforms, websites, data brokers), HIPAA's Breach Notification Rule doesn't apply—but that doesn't mean there are no breach-notice obligations.
- State breach notification laws require notice when certain personal information is accessed or acquired without your authorization. These laws vary by state (what data triggers notice, timelines, whether the state AG must be notified, etc.). (Learn more about the breach laws in your state.)
- The U.S. Federal Trade Commission's Health Breach Notification Rule (HBNR) applies when a company is not covered by HIPAA but is a vendor of personal health records, a PHR-related entity, or a third-party service provider to those entities—and there is a breach involving unsecured, individually identifiable health information. The company must notify affected individuals, notify the FTC, notify the media, and if the company behind the breach is a third-party service provider, it must notify its customers.
What to do: If you receive a breach notice, follow the steps provided and ask what data was involved and what protections are being offered. If you have an incident to report, please let us know.
You can complain, and retaliation is not allowed
If you believe your privacy rights were violated by your healthcare provider or health plan, you can complain to the provider or plan and/or the U.S. Department of Health and Human Services' Office for Civil Rights. HIPAA prohibits intimidation or retaliation for filing a complaint.
If the offender is not a healthcare provider, health plan, or otherwise covered under HIPAA, your access to their service, app, or device may be terminated. They can cancel or suspend your subscription or service access because most consumer apps and services reserve broad termination rights in their terms of service. But they can't do it for illegal reasons like discrimination or retaliation that violates another law, such as a state anti-retaliation law.
What to do: Document what happened (dates, names, copies of letters) and submit your complaint promptly. Save any evidence you may have, such as screenshots of the issue, the privacy policy and terms statements, any emails, and any cancellation notices. Check the termination provisions in their terms of use. File complaints, if needed, with the FTC and your state Attorney General's consumer protection office. If you have an incident to report, please let us know.
Your right to "minimum necessary" sharing under HIPAA
For many non-treatment disclosures, HIPAA requires healthcare providers and health plans to use or share only the minimum necessary information to accomplish the purpose.
The notion of sharing the minimum information necessary is not applicable to consumer apps, websites, wearables, and services. Any limits on their sharing are those they specify in their privacy policies and terms of service agreements.
What to do: Ask your healthcare provider and health plan whether "minimum necessary" is being applied when your information is requested for non-treatment reasons. If you have an incident to report, please let us know.
Taken together, these HIPAA rights are meant to give you meaningful control and transparency over how your health information is used and shared in your health care and the insurance that pays for it—while also helping you recognize when your data may leave or lie outside HIPAA's protections (such as through apps, state data collections, or "de-identified" datasets). Big gaps remain, especially in state databases, apps, websites, and devices. Vigilance matters: even small disclosures can lead to serious personal consequences.
The biggest gap is that once an organization beyond your health providers and plan has your sensitive health information, you can't see where it goes next—who it was shared with, how it was used, or how to trace harm back to its source. That lack of transparency limits the protection that current legal rights provide.
To stay informed as rules and practices evolve and incidents occur, join our mailing list. And if you experience a concerning situation tied to your health information, please report the incident so we can track patterns and strengthen public accountability. Donate, as you are able, to support this work.
Note: The content above is general information for the public and is not legal advice for any specific situation. Rights and processes relevant to a particular situation can vary based on circumstances and additional state or federal laws.
This document was created and is maintained by PPR President Dr. Latanya Sweeney. Please share your feedback and let Dr. Sweeney know about the ways you've used it, and if you have any suggestions.