HIPAA and Medical Services Privacy: What Patients Must Know

Federal law governs what happens to a patient's health information the moment it enters a medical record — who can see it, who can share it, and under what conditions. The Health Insurance Portability and Accountability Act of 1996, enforced by the U.S. Department of Health and Human Services Office for Civil Rights, sets the baseline rules that apply across virtually every corner of American healthcare. Understanding those rules clarifies the difference between a protected right and a reasonable exception — and there are more exceptions than most patients expect.


Definition and scope

HIPAA's Privacy Rule, codified at 45 CFR Parts 160 and 164, defines "protected health information" (PHI) as individually identifiable information relating to a person's past, present, or future physical or mental health condition, the provision of healthcare, or payment for that care. That definition is deliberately broad. A billing statement, a lab result, a prescription number — all qualify.

The Privacy Rule applies to covered entities: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically (HHS Summary of the HIPAA Privacy Rule). It also extends to business associates — the vendors, IT contractors, and third-party administrators who handle PHI on a covered entity's behalf. A cloud storage company holding hospital records is a business associate subject to HIPAA. A gym that stores a member's injury history is generally not.

The Security Rule, also under 45 CFR Part 164, applies specifically to electronic PHI (ePHI) and requires covered entities to implement administrative, physical, and technical safeguards. Think of the Privacy Rule as setting the policy boundaries and the Security Rule as specifying the locks on the door.

For patients navigating the broader landscape of medical services regulation, HIPAA represents the floor — states can and do enact stricter protections, particularly for mental health records, HIV status, and substance use disorder treatment records under 42 CFR Part 2.


How it works

A covered entity's HIPAA compliance structure rests on a specific framework:

  1. Notice of Privacy Practices (NPP): Providers must give patients a written notice explaining how PHI is used and disclosed. This is the document handed over at intake — the one that frequently gets signed without being read.
  2. Permitted uses and disclosures: PHI may be used without patient authorization for treatment, payment, and healthcare operations (TPO). A cardiologist sharing records with a referring internist requires no separate consent.
  3. Authorization for other disclosures: Disclosures outside TPO — to an employer, a life insurer, or a marketing firm — generally require a signed, written patient authorization meeting specific HIPAA criteria.
  4. Minimum necessary standard: When disclosing PHI, covered entities must make reasonable efforts to share only the minimum information necessary to accomplish the purpose. A receptionist does not need access to a patient's psychiatric history to schedule an appointment.
  5. Patient rights: Patients hold a defined set of rights under the Privacy Rule, including the right to access their own records, request amendments, and obtain an accounting of certain disclosures.

The HHS Office for Civil Rights (OCR) investigates complaints and enforces penalties. Fines are tiered by culpability under 42 U.S.C. § 1320d-5, ranging from $100 per violation for unknowing violations to $50,000 per violation for willful neglect that is not corrected — with annual caps reaching $1.9 million per violation category (HHS Civil Money Penalties).


Common scenarios

Most HIPAA questions patients ask cluster around a handful of recurring situations. Here is how the framework typically resolves them:

Family members requesting information. A hospital cannot share a patient's records with a spouse, parent, or adult child without the patient's authorization — unless the patient is incapacitated and the family member is involved in the patient's care. The rule is not that family is automatically trusted; it is that the patient controls disclosure.

Mental health and substance use records. Standard HIPAA protections apply to mental health records held by most providers. Records from federally assisted substance use disorder programs receive a separate, stricter layer of protection under 42 CFR Part 2, administered by the Substance Abuse and Mental Health Services Administration (SAMHSA). These records cannot be disclosed in most circumstances without specific patient consent — not even to other treating physicians without express permission.

Telehealth visits. Telehealth and virtual medical services operate under the same HIPAA requirements as in-person care. A video platform used for telehealth must be HIPAA-compliant; a standard consumer video app is not. The Office for Civil Rights has issued specific guidance on telehealth and remote communication technologies.

Law enforcement requests. HIPAA permits — but does not require — disclosure to law enforcement under specific circumstances: a court order, a subpoena meeting defined criteria, or identification of a suspect in certain situations. Covered entities retain discretion in many of these cases.


Decision boundaries

The sharpest line HIPAA draws is between authorization and permission. Authorization is explicit, patient-signed consent for a specific disclosure. Permission refers to the categories of disclosure that HIPAA allows without that consent — TPO being the primary example.

A second important boundary separates HIPAA-covered entities from entities that handle health data but fall outside HIPAA's reach. A consumer wellness app, a DNA testing service, or an employer wellness program may collect sensitive health information without triggering HIPAA obligations. The Federal Trade Commission, rather than HHS, has authority over deceptive practices by non-HIPAA entities under 15 U.S.C. § 45 — but FTC enforcement offers protections that differ from HIPAA's structural requirements.

The patient rights framework that HIPAA establishes sits within a larger ecosystem of federal and state law. HIPAA's right of access entitles patients to receive copies of their own medical records, typically within 30 days of a request, and providers cannot charge fees that exceed the cost of labor, supplies, and postage (45 CFR § 164.524). That right has teeth — OCR has specifically prioritized right-of-access enforcement, completing over 44 enforcement actions related to access complaints according to figures published by HHS.

The line between a permitted disclosure and a HIPAA violation is often narrower than it appears on paper, which is precisely why the minimum necessary standard exists. Every disclosure decision is, in principle, its own compliance event.
