Your medical records contain some of the most sensitive information about you — diagnoses, medications, mental health history, genetic data, and more. The Health Insurance Portability and Accountability Act (HIPAA) is the federal law that governs how this data is collected, stored, shared, and protected. Understanding your rights under HIPAA is essential to maintaining control over your health data privacy.
What Is HIPAA?
HIPAA is a federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. It applies to "covered entities" — healthcare providers, health plans, and healthcare clearinghouses — as well as their business associates who handle protected health information (PHI) on their behalf.
The law is built on four key pillars:
- The Privacy Rule: Governs who can use PHI, for what purposes, and what rights patients have over it.
- The Security Rule: Sets standards for electronic PHI (ePHI) security, including technical safeguards.
- The Breach Notification Rule: Requires entities to notify patients and regulators when a data breach occurs.
- The Enforcement Rule: Gives the Office for Civil Rights (OCR) authority to investigate complaints and impose penalties.
Your Rights Under HIPAA
As a patient, HIPAA grants you specific rights over your health information:
1. Right to Access Your Records
You have the right to view and obtain copies of your medical records. Healthcare providers must provide access within 30 days of your request — though proposed 2026 updates would shorten this to 15 days. You may also request records in a specific electronic format.
2. Right to Request Corrections
If you believe your medical records contain errors, you can submit a written request to have them corrected. Your provider must respond within 60 days, either making the correction or providing a written explanation for denying the request.
3. Right to an Accounting of Disclosures
You can request a list of all instances where your PHI was shared with third parties for purposes beyond treatment, payment, and healthcare operations. This accounting must cover the prior six years.
4. Right to Request Restrictions
You can ask your healthcare provider to restrict how your information is used or disclosed. While providers aren't always required to agree, they must comply if you've paid for a service entirely out of pocket and request that information not be shared with your health plan.
5. Right to Confidential Communications
You can request that healthcare providers contact you through specific channels — for example, only by mail to a certain address, or only by phone at a specific number.
6. Right to a Notice of Privacy Practices
Every covered entity must provide you with a clear explanation of how they use and protect your health information. The deadline for updating these notices to comply with the latest rule changes was February 16, 2026.
Proposed 2026 Updates
The Department of Health and Human Services (HHS) has proposed significant updates to the HIPAA Privacy Rule, including allowing patients to inspect PHI in person and take notes or photographs of their records, and reducing the maximum response time for access requests from 30 days to 15 days. A final rule may be issued in 2026.
What HIPAA Does NOT Cover
One of the biggest misconceptions about HIPAA is that it protects all health data. It doesn't. HIPAA only applies to covered entities and their business associates. This means the following are generally not protected by HIPAA:
- Health apps and fitness trackers: Data from apps like period trackers, mental health apps, and wearables typically falls outside HIPAA protection.
- Employer wellness programs: If your employer runs a wellness program directly (not through a health plan), HIPAA may not apply.
- Health data you share on social media: Once you voluntarily post health information, HIPAA does not protect it.
- Health data brokers: Companies that aggregate and sell health-related data scraped from public records, purchasing behavior, or app data operate outside HIPAA's reach.
- DNA testing services: Companies like 23andMe and Ancestry are generally not HIPAA-covered entities.
The HIPAA Gap
The health data that falls outside HIPAA protection is often the most vulnerable. Health data brokers, app developers, and advertisers can collect, share, and sell health-related information about you with few restrictions. This gap makes personal privacy protection especially important.
What to Do If Your HIPAA Rights Are Violated
- File a complaint with the provider: Start by contacting the healthcare provider's privacy officer directly.
- File a complaint with HHS: You can file a complaint with the Office for Civil Rights (OCR) within 180 days of the violation at hhs.gov/hipaa/filing-a-complaint.
- Document everything: Keep copies of all communications, denial letters, and records of the violation.
- Contact your state attorney general: Many states have additional health privacy laws with their own enforcement mechanisms.
Civil penalties for HIPAA violations can reach up to $2.13 million per violation category per year. Criminal penalties can include fines up to $250,000 and imprisonment.
How to Protect Your Health Data Beyond HIPAA
Given HIPAA's limitations, here are practical steps to protect your health data:
- Review app permissions: Check what health data your phone apps have access to and revoke unnecessary permissions.
- Be cautious with health apps: Read privacy policies before using period trackers, mental health apps, or fitness platforms.
- Opt out of health data brokers: You can send removal (opt-out) requests to companies that aggregate health-related data.
- Request itemized bills carefully: When paying out of pocket, request that the provider not share information with your insurer.
- Use PrivacyOn: PrivacyOn monitors 100+ data brokers — including those that aggregate health-related data — and automatically requests removal of your personal information.
The Bottom Line
HIPAA provides important protections for your medical records, but it doesn't cover the growing universe of health data collected by apps, brokers, and advertisers. Understanding both what HIPAA protects and what it doesn't is the first step toward taking full control of your health data privacy.