It's the Health Insurance Portability and Accountability Act, a sweeping law passed by Congress in 1996—well before the Affordable Care Act was in the mix—whose primary purpose was to help protect employees and their families from losing health-insurance coverage after a job change or loss.
One of the provisions of HIPAA—and perhaps the most well-known among consumers—is the HIPAA Privacy Rule, which regulates who can look at and receive your individually identifiable health information. The HIPAA Privacy Rule applies to all forms of protected health information, whether electronic, written, or oral. It is an important tool in helping to protect against health care identity theft.
HIPAA calls it Protected Health Information (PHI), and it includes any individually identifiable information about your health status, the health care you have received, or payment for that care. The HIPAA Privacy Rule does not apply when the information has been de-identified, that is, used as part of a large data set with no identifiers that connect the information to individual patients. Also, the HIPAA Privacy Rule does permit release of your medical files for the purposes of coordinating treatment with another provider, payment, or other health care operations.
This is a key point. Only "covered entities" are bound by the HIPAA Privacy Rule. Covered entities include:
Importantly, many entities are not covered by HIPAA. These include your employer, life insurance companies, workers' compensation carriers, and most schools and school districts. Nor does it apply to companies that collect your information through health-tracking apps or activity trackers. And, to the chagrin of many, the HIPAA Privacy Rule does not apply to a friend or family member who breaches your confidence, to a coworker who overhears you talking on the phone, or to the sanitation worker who finds your paperwork in the trash.
The federal Office for Civil Rights (OCR), which is within the U.S. Department of Health and Human Services (HHS), is in charge of enforcement. You, as a consumer, can file a complaint, but you have no standing under this law to sue for a HIPAA Privacy Rule violation. Only the OCR or the U.S. Department of Justice can file an action.
—Susan Feinstein
Read more Consumer Reports coverage about how HIPAA may affect you:
Will you be able to help your college-age child in a medical emergency?
Is my prescription information private?
For additional information about HIPAA, see the HIPAA FAQs from the U.S. Department of Health and Human Services.