How HIPAA Protects Patient Medical Records and Health Data

HIPAA's Privacy and Security Rules govern how healthcare providers handle patient data. Learn about covered entities, breach notification, penalties, and patient rights.

The InfoNexus Editorial Team · May 20, 2026 · 9 min read

The Most Misunderstood Law in American Healthcare

The Health Insurance Portability and Accountability Act generates more confusion per sentence than almost any federal statute. Signed into law in 1996, HIPAA's original purpose was ensuring workers could keep health insurance when changing jobs—the "portability" in its name. The privacy provisions that dominate public consciousness came later, through regulations finalized in 2003. Today, HIPAA governs how 784,000 covered entities and their business associates handle the protected health information (PHI) of over 330 million Americans. In 2023 alone, the Department of Health and Human Services received reports of 725 major breaches affecting 133 million individuals—more than in any previous year.

The Privacy Rule: Who Can See Your Records

The Privacy Rule (45 CFR Parts 160 and 164) establishes national standards for protecting individually identifiable health information. It applies to covered entities and their business associates.

| Covered Entity Type | Examples | Why They're Covered |
|---|---|---|
| Healthcare providers | Hospitals, doctors, dentists, pharmacies, labs | Transmit health information electronically |
| Health plans | Insurance companies, HMOs, Medicare, Medicaid | Pay for healthcare using health data |
| Healthcare clearinghouses | Billing services, repricing companies | Process health information between entities |
| Business associates | IT vendors, lawyers, accountants, cloud providers | Access PHI while performing services for covered entities |

HIPAA does not apply to employers accessing employee health data outside of their role as a health plan sponsor. It doesn't cover fitness apps, most wellness programs, or consumer health data held by companies like Apple or Google—unless those companies act as business associates. This gap surprises many people who assume all health-related data falls under HIPAA.

Protected Health Information: The 18 Identifiers

PHI is any individually identifiable health information held or transmitted by a covered entity. The Privacy Rule defines 18 specific identifiers that, combined with health data, create PHI.

  • Names, geographic data smaller than a state, dates (except year) related to an individual
  • Phone numbers, fax numbers, email addresses
  • Social Security numbers, medical record numbers, health plan beneficiary numbers
  • Account numbers, certificate/license numbers
  • Vehicle identifiers, device identifiers
  • Web URLs, IP addresses, biometric identifiers
  • Full-face photographs, any other unique identifying number

Remove all 18 identifiers and the data becomes "de-identified"—no longer subject to HIPAA. Researchers and data analysts use de-identified data extensively for studies that don't require individual identification.
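As an added example (not code from the original article), the following Python applies the identifier list above to a constructed patient record: fields in the identifier classes are dropped, dates are reduced to the year, and identifiers that leak into free-text notes are redacted, with an audit function that reports what is still left. The field names, regular expressions and sample values are assumptions made for this example.

```python
import re
from datetime import date

# Structured fields mapped to the identifier classes listed above (assumed names, not a standard schema).
IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip",             # names, geography smaller than a state
    "phone", "fax", "email",                     # contact identifiers
    "ssn", "mrn", "beneficiary_id", "account_no", "license_no",
    "vin", "device_serial", "url", "ip", "fingerprint", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}  # dates: only the year may remain
DATE_IN_TEXT = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")
FREE_TEXT_PATTERNS = {                                 # identifiers that leak into notes
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def deidentify(record: dict) -> dict:
    """Drop identifier fields, keep only the year of dates, redact identifiers in notes."""
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue                                   # removed outright
        if key in DATE_FIELDS and isinstance(value, date):
            out[f"{key}_year"] = value.year            # the year alone is not an identifier
            continue
        if key == "notes":
            value = DATE_IN_TEXT.sub(lambda m: m.group(0)[:4], value)   # full date -> year
            for label, pat in FREE_TEXT_PATTERNS.items():
                value = pat.sub(f"[{label.upper()} REDACTED]", value)
        out[key] = value
    return out

def residual_identifiers(record: dict) -> list:
    """Audit check: identifier classes still present in a supposedly de-identified record."""
    found = [k for k in record if k in IDENTIFIER_FIELDS or k in DATE_FIELDS]
    notes = str(record.get("notes", ""))
    found += [f"notes:{label}" for label, pat in FREE_TEXT_PATTERNS.items() if pat.search(notes)]
    if DATE_IN_TEXT.search(notes):
        found.append("notes:date")
    return found

# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Q. Sample", "state": "OH", "zip": "44101",
    "dob": date(1970, 3, 14), "admit_date": date(2024, 5, 2),
    "ssn": "123-45-6789", "diagnosis": "knee replacement",
    "notes": "Pt reachable at 216-555-0100 or jane@example.com; follow-up 2024-06-01.",
}
```

Running `residual_identifiers(SAMPLE)` before and after `deidentify` shows which of the 18 classes the raw record carried and confirms that none remain afterwards.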

The Security Rule: How Data Must Be Protected

While the Privacy Rule governs who can access PHI, the Security Rule (also in 45 CFR Part 164) specifies how electronic PHI (ePHI) must be safeguarded. Three categories of safeguards apply.

| Safeguard Type | Examples | Purpose |
|---|---|---|
| Administrative | Risk assessments, workforce training, contingency plans, security officer designation | Organizational policies and procedures |
| Physical | Facility access controls, workstation security, device disposal procedures | Physical protection of systems and buildings |
| Technical | Access controls, audit logs, encryption, integrity controls, transmission security | Technology-based protections for ePHI |

The Security Rule is technology-neutral and "scalable"—a two-physician practice doesn't need the same infrastructure as a 500-bed hospital. But the requirements are not optional. Every covered entity must conduct a risk assessment, implement reasonable safeguards, and document compliance. Failure to perform a risk assessment is the most commonly cited violation in HIPAA enforcement actions.

The Minimum Necessary Standard

One of HIPAA's most practical provisions requires covered entities to limit PHI access to the minimum necessary for the task at hand. A hospital billing clerk doesn't need access to psychiatric notes to process an insurance claim for a knee replacement. A pharmacy doesn't need a patient's complete surgical history to fill a prescription.

  • Routine disclosures must be limited by policy to specific data elements
  • Non-routine requests require individual review
  • The standard does not apply to treatment—providers can share full records with other treating providers
  • It also doesn't apply to disclosures the patient authorizes

Breach Notification Requirements

The Breach Notification Rule (added by the HITECH Act of 2009) mandates specific responses when PHI is compromised.

  • Covered entities must notify affected individuals within 60 days of discovering the breach
  • Breaches affecting 500+ individuals require notification to HHS and prominent media outlets in the affected state
  • Breaches affecting fewer than 500 individuals are logged and reported annually to HHS
  • Business associates must notify the covered entity within 60 days (or sooner per contract)
  • HHS publishes breaches affecting 500+ individuals on its "Wall of Shame" portal—formally the Breach Portal

The 60-day clock starts when the breach is discovered, not when it occurred. Organizations sometimes discover breaches months or years after the initial compromise, which means the notification can follow long after data was exposed.

Penalties and Enforcement

HHS enforces HIPAA through its Office for Civil Rights (OCR). Penalties operate on a tiered structure based on the level of culpability.

| Violation Tier | Description | Penalty Per Violation | Annual Maximum |
|---|---|---|---|
| Tier 1 | Did not know and couldn't have known | $100–$50,000 | $25,000 |
| Tier 2 | Reasonable cause, not willful neglect | $1,000–$50,000 | $100,000 |
| Tier 3 | Willful neglect, corrected within 30 days | $10,000–$50,000 | $250,000 |
| Tier 4 | Willful neglect, not corrected | $50,000 | $1.5 million |

The largest HIPAA settlement to date was $16 million, paid by Anthem Inc. in 2018 after a breach exposed 78.8 million records. Criminal penalties—including imprisonment up to 10 years—apply to individuals who knowingly obtain or disclose PHI in violation of the law.

Patient Rights Under HIPAA

Patients hold specific rights that covered entities must honor. These include the right to access their own medical records within 30 days of request, the right to request corrections to inaccurate records, the right to an accounting of disclosures made in the past six years, and the right to request restrictions on how their PHI is used. Covered entities can charge reasonable cost-based fees for copies but cannot withhold records due to unpaid medical bills. Understanding these rights transforms patients from passive subjects of data collection into active participants in how their health information moves through the system.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Healthcare privacy law is complex and jurisdiction-specific. Consult a qualified attorney for guidance on your specific situation.
