How HIPAA Privacy Rules Affect You—in Plain English

HIPAA privacy rules make health care providers and insurers keep information about you private. Image © Pedro Castellano/Getty Images

HIPAA stands for the Health Insurance Portability and Accountability Act. Passed in 1996, it affects health care consumers in several ways, one of which is a safeguard on privacy when it comes to personal health information.

HIPAA's provisions (and the various rules issued during implementation) are part of the Code of Federal Regulations. You can see all the details in 45 C.F.R. Part 160 and in 45 C.F.R. Part 164, Subpart A and Subpart E. The Department of Health and Human Services also publishes a summary of the HIPAA privacy rule on its website.

HIPAA's Privacy Rules

HIPAA created strict rules about keeping personal health care information private. The law requires health care providers, health insurers, and the companies they work with to keep any personally identifiable health information private. Providers and health insurers can't disclose your personally identifiable information unless the recipient needs it because they are involved in your care or in processing payment for your care, or because the information is necessary to carry out health care operations.

This means nurses can't chat about patients in the hospital cafeteria where they might be overheard. Your physician can't disclose information about your care to your ex-spouse or your church pastor unless you authorize it. That's why the forms you fill out at the doctor's office ask whether they may discuss your care with a family member or even leave a voice mail message for you. If a coworker calls the hospital to see how you're doing after your surgery, the caller will get no information unless you've given the hospital permission to share it with them. HIPAA privacy rules are also part of the reason your doctor's office can't email you information about your health care without using an encryption service, but can send the information via fax.

Health care providers are allowed to share your protected health information when necessary to carry out health care operations. Here are a couple of examples:

  • Hospitals are required to engage in quality assurance and improvement activities. Although the quality improvement nurse isn’t involved in your care when you’re hospitalized with pneumonia, she accesses your medical record to get information for an audit examining how quickly patients hospitalized with pneumonia receive their first dose of antibiotics.
 
  • Your doctor's office is changing the software vendor for its electronic health records. On the day of your appointment, Sandy, a representative from the new software vendor, is working with the office staff to help them learn the new software. As Sandy works with the office nurse, she will see your protected health information being entered into the new electronic medical record; she has to, in order to ensure the nurse is using the software correctly. However, because Sandy is a business associate of your health care provider, she is also bound by HIPAA privacy regulations and must keep confidential any protected health information she becomes privy to.

You have a right to find out how your health information can be shared, and to request that certain information not be shared, depending on the circumstances.

Exceptions to the Privacy Rule

There are exceptions to the privacy rule for purposes of law enforcement and public health. For example, even though the results of a child’s physical exam are considered protected health information, the pediatrician, emergency room doctor, or nurse caring for the child must share those results with child protective services if the exam is suspicious for child abuse.

Likewise, even though the results of your syphilis test are considered protected health information, your health care provider must report positive results to public health authorities so measures can be taken to control the spread of the disease. Additionally, your provider or insurer must share your protected health information when commanded to do so by a court order.

What to Do if Your Privacy Has Been Violated

If you feel your HIPAA privacy rights have been violated, you have some options. Before deciding what to do, ask yourself what kind of outcome you’re hoping for. Are you looking for an apology? Do you want a change to procedures or systems so that a similar privacy violation won’t occur again? Do you want the person or entity responsible for the breach to be punished? Do you want to be compensated financially?

Depending on your goals, consider one of the following actions:

  • Speak directly with the provider you feel is responsible for the violation.
  • Speak with the privacy officer of the hospital, nursing home, facility, or health plan.
  • Speak with the risk manager of the hospital, nursing home, or facility. Sometimes the risk management department goes by a marketing-friendly name like “Patient Safety Department.”
  • Make a formal complaint to the Office for Civil Rights, U.S. Department of Health & Human Services.
  • Contact an attorney if you feel you need to pursue a civil case for financial damages caused by the privacy violation.