HIPAA & Health Information Privacy
HIPAA — the Health Insurance Portability and Accountability Act of 1996 — is the federal law that governs how healthcare organizations handle your medical information. Its Privacy Rule and Security Rule together define what "protected health information" (PHI) is, who can access it, when it can be shared without your consent, and what security measures covered entities must maintain. Covered entities include health plans, healthcare providers, and healthcare clearinghouses — and their "business associates" (cloud vendors, billing companies, IT providers, lawyers) who handle PHI on their behalf. Core rights: you can access your own medical records within 30 days of requesting them, request corrections, and receive an accounting of disclosures. Key limits: your provider can share information with other treating providers and your payer without explicit consent, but cannot sell your PHI or use it for marketing without specific authorization. Violations can be severe: civil penalties range up to roughly $2.19 million per identical violation category per year (2026 inflation-adjusted), though OCR caps Tiers 1–3 at $25K, $100K, and $250K respectively under its 2019 enforcement-discretion notice; criminal violations for knowingly obtaining PHI to sell or cause harm carry up to 10 years imprisonment. HIPAA is commonly misunderstood — it does NOT apply to employers, life insurers, or most apps — meaning your health app, gym, or wellness program may share your data without HIPAA constraint.
Current Law (2026)
| Parameter | Value |
|---|---|
| Core statutes | Health Insurance Portability and Accountability Act (HIPAA, 1996); HITECH Act (2009); 42 U.S.C. §§ 1320d-1320d-9 |
| Implementing regulations | HIPAA Privacy Rule (45 C.F.R. Part 160, Part 164 Subparts A, E); Security Rule (Subpart C); Breach Notification Rule (Subpart D) |
| Enforcement agency | HHS Office for Civil Rights (OCR) |
| Covered entities | Health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically |
| Business associates | Third parties that handle PHI on behalf of covered entities (cloud providers, billing companies, IT vendors, lawyers) |
| Protected health information (PHI) | Individually identifiable health information — diagnosis, treatment, payment, and related data |
| Breach notification | Must notify affected individuals within 60 days; breaches of 500+ individuals must be reported to HHS and media |
| Civil penalties | Tiered 2026 statutory cap of $2,190,294 per identical violation category per year (Jan 28 2026 inflation adjustment); OCR enforcement caps for Tiers 1–3 are $25K/$100K/$250K per the 2019 Notification of Enforcement Discretion |
| Criminal penalties | Up to $250,000 fine and 10 years imprisonment for obtaining/disclosing PHI with intent to sell or cause harm |
Legal Authority
- 42 U.S.C. § 1320d-2 — Standards for privacy of individually identifiable health information (Secretary of HHS prescribes standards governing use and disclosure of PHI by covered entities)
- 42 U.S.C. § 1320d-3 — Wrongful disclosure of individually identifiable health information (criminal penalties for knowing violations)
- 42 U.S.C. § 1320d-5 — General penalty for failure to comply (tiered civil monetary penalties based on level of culpability)
- 42 U.S.C. § 1320d-6 — Wrongful disclosure penalties (up to $50,000/$100,000/$250,000 and 1/5/10 years depending on severity)
- 42 U.S.C. § 17932 — HITECH breach notification (covered entities must notify individuals, HHS, and potentially media of breaches of unsecured PHI; business associates must notify covered entities)
- 42 U.S.C. § 17934 — HITECH — application to business associates (business associates are directly liable for HIPAA Privacy and Security Rule compliance)
Implementing Regulations (45 CFR Parts 160, 164)
- 45 CFR Part 160 — General administrative requirements:
  - § 160.103 — Definitions: covered entity, business associate, protected health information (PHI), individually identifiable health information, health care operations, designated record set
  - § 160.402–160.426 — Enforcement: HHS OCR investigation procedures, compliance reviews, civil money penalties (four-tier penalty structure based on culpability), affirmative defenses
- 45 CFR Part 164, Subpart A — General provisions: applicability, definitions, preemption of less protective state laws
- 45 CFR Part 164, Subpart C — Security Rule (ePHI):
  - § 164.308 — Administrative safeguards: risk analysis, workforce training, access management, security incident procedures, contingency planning, evaluation
  - § 164.310 — Physical safeguards: facility access controls, workstation security, device and media controls
  - § 164.312 — Technical safeguards: access controls, audit controls, integrity controls, transmission security (encryption, authentication)
- 45 CFR Part 164, Subpart D — Breach Notification Rule:
  - § 164.404 — Individual notification: without unreasonable delay, no later than 60 days after discovery; content requirements (description of breach, types of information involved, steps individuals should take)
  - § 164.406 — Media notification: breaches affecting 500+ individuals in a state require notification to prominent media outlets
  - § 164.408 — HHS notification: breaches of 500+ reported within 60 days; breaches under 500 reported annually
- 45 CFR Part 164, Subpart E — Privacy Rule:
  - § 164.502 — Uses and disclosures of PHI: general rule — PHI may be used/disclosed only as permitted; minimum necessary standard — use/disclose only the minimum PHI necessary for the purpose
  - § 164.506 — Uses/disclosures for treatment, payment, and health care operations (TPO) — permitted without individual authorization
  - § 164.508 — Uses/disclosures requiring individual authorization: marketing, sale of PHI, psychotherapy notes, most research
  - § 164.512 — Uses/disclosures not requiring authorization: public health, law enforcement, judicial proceedings, workers' compensation, organ donation, research with IRB/Privacy Board waiver, averting serious threat, government functions
  - § 164.524 — Individual's right of access to PHI: right to inspect and obtain a copy of PHI in the designated record set within 30 days
  - § 164.526 — Right to request amendment of PHI
  - § 164.528 — Right to accounting of disclosures made for purposes other than TPO
- 45 CFR Parts 160 and 164 — HIPAA Privacy, Security, and Breach Notification Rules (covered entities and business associates; protected health information definition; permitted uses and disclosures; minimum necessary standard; security safeguards — administrative, physical, technical; breach notification within 60 days; civil and criminal penalties — administered by HHS Office for Civil Rights)
- 45 CFR Part 162 — HIPAA Administrative Simplification: Transaction and Code Set Standards — the technical backbone of electronic healthcare commerce, requiring all covered entities to use standardized formats and code sets for specific healthcare transactions. While the Privacy and Security Rules (Parts 160/164) govern what PHI may be shared and with what protections, Part 162 governs how that information is transmitted electronically in business transactions. Key provisions:
  - Subpart D — National Provider Identifier (NPI): every health care provider that transmits health information electronically in connection with a covered transaction must obtain an NPI — a unique 10-digit identification number assigned by the National Plan and Provider Enumeration System (NPPES); the NPI must be used on all standard transactions in place of legacy identifiers (UPIN, Medicaid provider IDs, etc.); individual providers receive Type 1 NPIs, organizational providers receive Type 2 NPIs; applying for an NPI is free through NPPES.cms.gov; covered entities may not require or accept non-NPI identifiers on standard transactions
  - Subpart J — Code Sets: the Secretary has designated specific code sets as the national standard for medical concepts in covered transactions — (a) ICD-10-CM (International Classification of Diseases, 10th Revision, Clinical Modification) for diagnoses; (b) ICD-10-PCS for inpatient hospital procedures; (c) CPT (Current Procedural Terminology, maintained by AMA) for physician and outpatient procedures; (d) HCPCS (Healthcare Common Procedure Coding System, maintained by CMS) for supplies, equipment, non-physician services; (e) CDT (Code on Dental Procedures and Nomenclature, maintained by ADA) for dental procedures; (f) NDC (National Drug Code, maintained by FDA) for drugs and biologics in retail pharmacy transactions; covered entities must use valid, current code set versions — using outdated codes is a transaction standard violation
  - Standard Transactions — the specific electronic data interchange formats that all covered entities must use for the following transaction types: health care claims (ASC X12N 837, sent by providers to payers); eligibility and benefit inquiry/response (ASC X12N 270/271, used to check patient insurance coverage); claim status inquiry/response (ASC X12N 276/277); referral certification and authorization (ASC X12N 278); enrollment and disenrollment (ASC X12N 834, health plans to employers or government programs); premium payments (ASC X12N 820); coordination of benefits; health care electronic funds transfer and remittance advice (ASC X12N 835 + NACHA CCD+); Medicaid pharmacy subrogation. All covered entities conducting these transactions must use the standard format — trading partner agreements imposing non-standard requirements are prohibited
  - Operating Rules: in addition to transaction format standards, CMS has adopted CAQH CORE operating rules for three transactions — eligibility (270/271), claim status (276/277), and EFT/ERA (835) — establishing additional technical requirements for response time, hours of availability, and data content; health plans (payers) that conduct more than $5 million in annual transactions must comply; failure to comply subjects the plan to civil monetary penalties
The Administrative Simplification standards are the reason your doctor's office can send claims electronically to any insurer using the same 837 format, and the reason your insurer can respond with a standardized 835 remittance. Before HIPAA, each payer used proprietary formats, requiring providers to maintain separate EDI systems for each trading partner. Compliance for covered entities primarily means: (1) ensuring your billing software uses current code sets and transaction standards; (2) ensuring every provider in your system has obtained an NPI and uses it on all transactions; (3) ensuring your clearinghouse or direct EDI connection produces valid X12 transactions. Enforcement is by CMS (for transaction/code set standards) and OCR (for Privacy/Security rules) — the agencies are separate, and a breach notification violation and a transaction standard violation are independently actionable.
Recent rulemakings: 74 FR 3326 (2009) — updated transaction versions to ASC X12 5010 and NCPDP D.0. 90 FR 40749 (2025) — updated operating rules and transaction standards, including alignment with newer X12 transaction versions for certain payer/provider workflows.
How It Works
HIPAA is the federal framework protecting the privacy and security of your health information — governing how hospitals, doctors, insurers, pharmacies, and their business partners handle your medical records, billing data, and other health-related information.
The Privacy Rule protects Protected Health Information (PHI) — any individually identifiable health information in any form (paper, electronic, or oral) created or received by a covered entity, including diagnoses, treatment plans, prescriptions, lab results, billing records, and insurance claims. HIPAA does NOT protect health information held by non-covered entities — fitness tracker data, health app data, and employer wellness program data typically fall outside HIPAA, though state privacy laws may apply. Covered entities may use and disclose PHI without patient authorization for treatment, payment, and healthcare operations (the TPO exception, codified at 45 CFR § 164.506); other public interest disclosures (public health, law enforcement, research with IRB waiver) are also permitted without authorization. Most other uses — marketing, sale of PHI — require written authorization. Patients have the right to access their records within 30 days, request corrections, receive an accounting of disclosures, and receive a Notice of Privacy Practices. The Security Rule (45 CFR §§ 164.308–164.312) requires administrative, physical, and technical safeguards for electronic PHI: risk analysis, workforce training, facility access controls, encryption, audit controls, and transmission security — scaled to the entity's size and risk environment.
The HITECH Act (2009) added mandatory breach notification at 42 U.S.C. § 17932: if unsecured PHI is breached, covered entities must notify affected individuals within 60 days, notify HHS immediately for breaches of 500 or more individuals (or annually for smaller ones), and notify local media for large breaches. HHS publishes the "Wall of Shame" — a public list of breaches affecting 500 or more individuals that as of 2026 includes thousands of incidents covering hundreds of millions of records. Third parties that handle PHI on behalf of covered entities — cloud hosting providers, billing companies, IT vendors, law firms — must sign Business Associate Agreements (BAAs) and are themselves directly liable for Privacy and Security Rule violations under HITECH, not merely bound through contract.
How It Affects You
If you need your medical records: You have a legal right to access your records within 30 days of requesting them in writing (providers can extend once to 60 days). The provider can charge a reasonable, cost-based fee for copies — typically $0.06–$0.25/page for paper copies, or a flat rate for electronic records — but cannot deny access because you owe money on your account. If your records are stored electronically and you request them electronically, most providers must provide them at no cost. If a provider refuses or delays beyond 30 days without explanation, file a complaint with HHS OCR online at hhs.gov/hipaa/filing-a-complaint. OCR investigations have resulted in settlements requiring providers to change practices and pay penalties, including small practices that blocked record access.
If you received a HIPAA breach notification letter: Federal law requires covered entities to notify you within 60 days of discovering a breach. The letter must include: what information was exposed, what the entity is doing to investigate and mitigate, what you can do to protect yourself, and a contact number. For large breaches (500+ individuals), the entity must also notify your local news media. After receiving a breach notice, take concrete steps: consider placing a credit freeze at all three bureaus (free), monitor your Explanation of Benefits statements for claims you don't recognize, and watch for signs of medical identity theft (surprise bills, unfamiliar diagnoses in your records). Your health plan's EOB is the first place medical identity theft typically shows up.
If your health app, fitness tracker, or employer wellness program says it's "HIPAA-compliant": That phrase is often misleading. HIPAA only covers health plans, providers, and their business associates — not apps you download or employer wellness programs. Your Fitbit data, MyFitnessPal account, 23andMe results, and most telehealth apps outside a covered entity relationship are NOT protected by HIPAA. These entities may sell or share your health data under their own privacy policies. Read the actual privacy policy, not the marketing language. The FTC has a separate Health Breach Notification Rule for non-HIPAA health apps, but it doesn't give you the same access and correction rights HIPAA does. Several states (Washington, Connecticut, Nevada) have enacted stronger health data privacy laws that fill some of these gaps.
If you're concerned about your reproductive health records or mental health records: Post-Dobbs, patients in states that restrict abortion have legitimate concerns about whether law enforcement could compel disclosure of reproductive health information. HIPAA does permit disclosure to law enforcement under certain conditions. HHS has issued guidance on reproductive health data protections, but the legal landscape is contested and evolving. For mental health: most mental health records are covered by HIPAA like other medical records, but substance use disorder records have additional protections under 42 CFR Part 2 (stricter consent requirements). Psychotherapy notes have special protection under HIPAA — they're stored separately from the general medical record and are not accessible under the standard right-of-access request. If you're concerned about specific data uses, ask your provider to log a restriction on certain disclosures.
If your employer received information about your medical condition: HIPAA does NOT regulate your employer. Your employer can legally learn about your health from sources outside HIPAA — workers' compensation filings, FMLA paperwork, ADA accommodation requests — and cannot be held liable under HIPAA for that information. Employees are often confused by HR statements claiming HIPAA protection when they mean general confidentiality. The actual protections for health information disclosed to employers come from state employment law, the ADA's medical confidentiality requirements, and GINA (for genetic information). If you're concerned about your employer learning about a condition, speak to an employment attorney — not a HIPAA complaint line.
State Variations
- HIPAA is a federal floor — states can impose stricter privacy protections for health information
- Many states have their own health data privacy laws that exceed HIPAA (California CCPA/CPRA, Washington My Health My Data Act, Connecticut health data privacy provisions)
- State laws on mental health records, substance abuse records, HIV/AIDS information, and genetic data often provide additional protections
- State breach notification laws may impose faster timelines or broader notification requirements than HIPAA
Pending Legislation
- S 3097 — HIPAA-like privacy/security regime for non-HIPAA companies: access rights, breach rules, AI standards. Status: Introduced.
- HR 4282 (Rep. Griffith, R-VA) — Require online contact-lens sellers to accept HIPAA-compliant e-prescriptions. Status: Introduced.
- S 863 (Sen. Cassidy, R-LA) — Consumer rights to access/delete genomic data, HIPAA-limited research use. Status: Introduced.
Recent Developments
- Healthcare data breaches continue to increase — 2023-2024 saw record-breaking breach volumes, with major incidents affecting tens of millions of individuals
- HHS OCR has proposed updates to the HIPAA Security Rule to strengthen cybersecurity requirements, including mandatory encryption and multi-factor authentication
- Substance use disorder records have additional protections under 42 CFR Part 2, which is stricter than HIPAA
- Reproductive health data privacy has become a major concern post-Dobbs, with debates over whether HIPAA adequately protects reproductive health records from law enforcement
- AI in healthcare raises new HIPAA questions — use of PHI for AI training, automated clinical decision support, and de-identification standards
- Telehealth expansion has created new HIPAA compliance challenges for remote care platforms
- Change Healthcare cyberattack — largest health data breach in U.S. history (February 2024): The cyberattack on Change Healthcare (a UnitedHealth Group subsidiary that processes roughly 15 billion healthcare claims per year) compromised the health data of an estimated 100+ million Americans — nearly one in three people. The attack disrupted billing and claims processing for hospitals, pharmacies, and providers for months. HHS OCR investigated whether Change Healthcare violated HIPAA's Security Rule. The breach triggered congressional hearings and renewed calls for mandatory cybersecurity standards for healthcare IT. For patients: if you receive healthcare, your data was very likely part of this breach. Place a credit freeze at all three bureaus and monitor EOBs for medical identity theft.
- Trump HHS/OCR and DOGE workforce cuts slow HIPAA enforcement (2025): DOGE-driven HHS workforce reductions cut approximately 10,000 HHS employees in early 2025, including significant reductions at the Office for Civil Rights (OCR), which enforces HIPAA. RFK Jr., confirmed as HHS Secretary in February 2025, has focused HHS on food safety, pharmaceutical transparency, and vaccine policy — not HIPAA modernization. OCR enforcement activity has slowed; the HIPAA Security Rule update proposals from the Biden era (mandatory MFA, encryption, 72-hour incident reporting) remain in proposed form without finalization. State attorneys general — particularly California and New York — have stepped into the HIPAA enforcement gap for significant breaches.
- HIPAA Security Rule proposed updates stalled under Trump (2025): HHS OCR published a proposed rule in January 2025 to significantly strengthen the HIPAA Security Rule — requiring mandatory encryption of PHI at rest and in transit, mandatory multi-factor authentication, mandatory vulnerability scanning, and faster incident notification. Published in the final days of the Biden administration, the rule has not been prioritized for finalization by the Trump HHS. Healthcare organizations should implement strong security practices regardless: cyber incidents trigger HHS OCR investigations, state AG actions, and class action exposure that operate independently of whether the rule is finalized.