What this guide covers
HIPAA (the Health Insurance Portability and Accountability Act) is the federal privacy and security framework most U.S. patient advocates bump into when someone says, "We can't tell you that—HIPAA." This guide explains what HIPAA actually requires, what rights patients have, and how advocates can work with privacy rules instead of fighting them blindly.
HIPAA is not the only law that matters. States may offer stronger protections. Schools, employers, life insurers, and police investigations follow different rules. When a situation turns on state law, check state guides and local legal help—but start with HIPAA for hospitals, doctors, labs, pharmacies, and health plans.
Step-by-step help for getting copies of records is in Accessing Medical Records. Help for signing up caregivers and advocates is in Personal Representatives & Authorization. This article focuses on the privacy rules themselves.
What HIPAA is (and is not)
HIPAA's Privacy Rule sets national standards for how covered entities may use and disclose protected health information (PHI)—individually identifiable health information held or transmitted by those entities. The Security Rule requires safeguards for electronic PHI. Together they aim for confidentiality, integrity, and appropriate access—not secrecy from the patient themselves.
HIPAA is not:
- A complete medical malpractice or quality-of-care law (though privacy violations can be enforced separately)
- A guarantee that any person may ask any provider about any patient (family still usually needs permission)
- The same as FERPA (school records), the FTC Health Breach Notification Rule (some apps), or state consumer privacy laws
- A private right for patients to sue in federal court for most everyday privacy slip-ups (enforcement is mainly through HHS and, in some states, attorney general actions)
HHS summarizes patient rights and provider duties on its HIPAA for Individuals hub. Use official summaries when a clinic cites "policy" that sounds stricter than law.
Who must follow HIPAA
Main categories advocates see:
- Health care providers who transmit health information electronically in connection with standard transactions—most hospitals, physician groups, labs, pharmacies, and dentists
- Health plans—private insurers, Medicare and Medicaid programs in their administrative roles, employer-sponsored group health plans (not the employer itself for employment records)
- Health care clearinghouses and certain business associates (vendors that handle PHI for covered entities, such as billing companies, EHR hosts, and transcription services)
Many apps, wearables, and direct-to-consumer labs sit in gray zones. If HIPAA does not apply, other laws might. Do not assume HIPAA blocks a conversation with a nonprofit support group or a landlord—that often means HIPAA never applied in the first place.
Core privacy ideas
Privacy vs. right of access
Privacy limits who else may see PHI. Access gives the patient (or personal representative) the right to obtain copies of their own information in a designated record set. Those ideas pull in opposite directions on purpose: your neighbor cannot call the clinic, but you can request your chart even if the clinic would prefer not to prepare copies.
Advocates helping with appeals or billing need to separate "May I speak with the billing office?" from "Please send the patient their records." The first usually needs authorization; the second is a patient access request under Accessing Medical Records.
Minimum necessary
Covered entities should limit disclosures to the minimum necessary to accomplish the purpose. That does not mean patients only get summaries—it applies to workforce members and many routine disclosures. When an insurer requests records for a claim, the provider should not ship the entire lifetime chart if ten pages answer the question.
When you authorize a disclosure, be specific: dates, providers, and document types. Narrow authorizations protect the patient and speed processing.
Uses without patient OK
HIPAA allows many uses and disclosures without a separate signed authorization, including:
- Treatment, payment, and health care operations (TPO)—care teams coordinating, billing insurers, quality improvement inside the organization
- Required by law—court orders, mandatory disease reporting, workers' compensation where state law requires
- Public health and safety—outbreak reporting, FDA recalls, abuse reporting where state law mandates
- Appointment reminders and similar health-related outreach
Payment includes sharing information with health plans to get claims paid—that is why insurers receive diagnosis and procedure codes on claims. It does not mean the plan may publish the patient's chart publicly.
When written permission is required
A separate HIPAA authorization (distinct from the Notice of Privacy Practices acknowledgment) is generally required before sharing PHI for purposes outside TPO and other permitted categories—for example:
- Sending records to a life insurer or employer wellness vendor
- Marketing communications paid for by a third party
- Research (unless IRB waiver or preparatory-to-research rules apply)
- Many lawyer-driven requests where not required by legal process
- Letting a family member or friend receive clinical updates when they are not the personal representative
Valid authorizations must include core elements: description of information, who may disclose and receive, purpose, expiration, and right to revoke in writing, plus signatures and dates (HHS — Authorization requirements). Vague "any and all records forever" forms are common but risky—narrow them when you can.
Template and signing workflows: Personal Representatives & Authorization and Patient Rights Templates.
Rights patients have under HIPAA
Access copies
Patients generally may inspect and obtain copies of PHI in a designated record set, with limited exceptions (certain psychotherapy notes, some ongoing research records, and rare safety-based denials). Timelines and fee rules are detailed in Accessing Medical Records.
Request amendments
If the patient believes information is inaccurate or incomplete, they may request an amendment. The provider may deny the request in specified circumstances but must explain why and offer a statement of disagreement in the record. Amendments are not instant erasure—wrong entries may be supplemented rather than deleted.
Accounting of disclosures
Patients may request an accounting of disclosures made in the six years before the request, covering disclosures outside TPO and certain other routine categories. Many day-to-day treatment and payment disclosures are excluded, so the list may be shorter than patients expect—but it can reveal surprises like law enforcement or litigation-related releases.
Restrictions & confidential communications
Patients may ask providers not to share certain information with a health plan when the patient paid out of pocket in full for that service (if the provider agrees). They may also request confidential communications—for example, calls only to a specific phone number or mail to a different address. Providers must accommodate reasonable requests.
Notice of Privacy Practices: providers must give patients a notice explaining uses, rights, and how to complain. Patients acknowledge receipt; that is not the same as signing away rights.
Mistakes advocates make
“HIPAA won’t let us talk”
Front-desk staff sometimes use HIPAA to end uncomfortable calls. Ask what rule applies: Is the caller not an authorized representative? Is the patient present and able to consent verbally to sharing with this person? Is the facility using a policy stricter than HIPAA? Reasonable facility policies exist, but a blanket refusal without offering a path (authorization form, patient on the line, nurse callback with consent) deserves escalation to patient relations or the privacy officer.
Verbal permission only
Many clinicians will discuss information with a family member if the patient is in the room and nods, or if the patient gives verbal OK on the phone. That can be permitted under professional judgment and HIPAA treatment provisions, but it is fragile. For ongoing advocacy—especially billing and appeals—get written authorization on file.
Wrong or vague forms
Mixing up a consent to treat, a financial responsibility form, and a HIPAA authorization causes weeks of delay. Read what each form actually permits. Insurers sometimes need their own appeal representation forms in addition to HIPAA releases.
Special situations
Minors & adolescents
Parents and guardians usually act for minor children, but state laws may allow minors to consent to certain care (reproductive health, mental health, STI treatment, substance use) and limit parental access to those records. Do not assume one rule nationwide—ask the clinic privacy officer which consent rules apply.
After a patient dies
PHI of deceased individuals is protected for 50 years under HIPAA. Access generally flows to the personal representative of the estate, someone with authority under state law, or family members involved in care in specified ways. Probate documents, executor letters, or state next-of-kin rules matter. See Personal Representatives and End-of-life planning guides for overlapping tasks.
Substance use & Part 2
Federal 42 CFR Part 2 adds stricter rules for many substance use disorder treatment programs. Sharing records often requires patient consent with specific federal elements, beyond routine HIPAA. If SUD treatment is involved, ask whether Part 2 applies before planning disclosures to insurers or family.
Research & marketing
Marketing under HIPAA has a defined meaning—paid communications about products, for example. Fundraising by covered entities may use limited contact information with an opt-out. Research uses authorizations or IRB procedures. Patients may revoke authorizations for future sharing, but not information already legally disclosed.
Breaches & complaints
A breach is generally impermissible acquisition, access, use, or disclosure of PHI that compromises security or privacy. Covered entities must notify patients, and large breaches trigger media and HHS reporting. Patients who suspect snooping in an electronic chart, a lost laptop, or a fax to the wrong number may file a complaint with the HHS Office for Civil Rights.
Privacy violations that are not breaches—denied access, excessive fees, refusal to amend—also may be OCR complaints. State attorneys general and hospital accreditation bodies are additional paths described in Where to File Complaints.
Document dates, names, and what you were told. OCR investigates systematically; a clear timeline helps.
Scenarios beginners run into
Spouse blocked from updates
Unless the spouse is a documented personal representative or the patient consents, the clinic may only share limited information (for example, general condition in a hospital directory if the patient opted in). Fix: patient signs authorization naming the spouse, or joins a call and authorizes discussion in real time.
Insurer wants everything
For a claim appeal, send what supports the denied service—not the patient's entire chart unless truly needed. Authorize a date range and document type. Pair with Appeals Roadmap and Denial Decoder.
Employer asking for records
The employer's HR department is usually not a HIPAA covered entity for employment records, but the group health plan is separate. HR should not demand full medical records for sick leave without a proper authorization or fitness-for-duty process defined by policy and law. Direct the request to forms the patient chooses to sign—or to occupational health under narrow scope.
Someone accessed the portal
Change passwords, review portal access logs if offered, and report suspected unauthorized access to the provider's privacy officer. Ask whether a breach notification is required. If identity theft is involved, note credit monitoring options the facility may offer after confirmed breaches.
Situation: Adult daughter calls ICU daily. Staff refuse to say more than "stable" without paperwork, but the father is alert and wants updates shared.
Action: Nurse brings authorization form to bedside; father signs release for daughter to receive clinical information by phone. Daughter also requests copies of notes for a pending insurance appeal using records access—two related but separate permissions.
Related guides
- Accessing Medical Records — how to obtain copies
- Personal Representatives & Authorization
- Where to File Complaints
- Patient Rights Templates
- Informed Consent — separate from HIPAA privacy
- Insurance Basics — how plans use claim information