What you need to know about medical privacy

HIPAA explained

Last updated: July 22, 2015 06:00 AM

What is HIPAA?

It's the Health Insurance Portability and Accountability Act, a sweeping law passed by Congress in 1996—well before the Affordable Care Act was in the mix—whose primary purpose was to help protect employees and their families from losing health-insurance coverage after a job change or loss.

What does HIPAA have to do with privacy?

One of the provisions of HIPAA—and perhaps the most well-known among consumers—is the HIPAA Privacy Rule, which regulates who can look at and receive your individually identifiable health information. The HIPAA Privacy Rule applies to all forms of protected health information, whether electronic, written, or oral. It is an important tool in helping to protect against health care identity theft.

What type of health information has to be kept private?

HIPAA calls it Protected Health Information (PHI), and it includes any individually identifiable information about your health status, health care that you have received, or payment for health care. The HIPAA Privacy Rule does not apply when the information is used as part of a large data set with no identifiers that connect information to individual patients. Also, the HIPAA Privacy Rule does permit release of your medical files for the purposes of coordinating treatment with another provider, payment, or other health care operations.

Who has to keep my medical information private?

This is a key point. Only "covered entities" are bound by the HIPAA Privacy Rule. Covered entities include:

  • individual health care providers, such as doctors, psychologists, chiropractors, dentists, pharmacists, and nurses.
  • medical establishments, such as hospitals, clinics, urgent care centers, and nursing homes
  • health plans, such as health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, including Medicare and Medicaid
  • health care clearinghouses, such as organizations that work with converting health information into electronic format.

Importantly, many entities are not covered by HIPAA. These include your employer, life insurance companies, workers' compensation carriers, and most schools and school districts. Nor does it apply to companies that collect your information through health-tracking apps or activity trackers. And, to the chagrin of many, the HIPAA Privacy Rule does not apply to a friend or family member who breaches your confidence, to your coworker who overhears you talking on the phone, or to the sanitation worker who finds your paperwork in the trash.

How is the HIPAA Privacy Rule enforced?

The federal Office for Civil Rights (OCR), which is within the U.S. Department of Health and Human Services (HHS), is in charge of enforcement. You, as a consumer, can file a complaint, but you have no standing under this law to sue for a HIPAA Privacy Rule violation. Only the OCR or the U.S. Department of Justice can file an action.

Susan Feinstein

Read more Consumer Reports coverage about how HIPAA may affect you:

Will you be able to help your college-age child in a medical emergency?

Is my prescription information private?

For additional information about HIPAA, see the HIPAA FAQs from the U.S. Department of Health and Human Services.
