Your Health Information Privacy
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule establishes federal protections for your health information by placing some limits on how it may be used and shared. You play an important role in controlling who has access to your health information in many situations.
What information is protected by the HIPAA Privacy Rule?
Privacy protections apply to your “individually identifiable health information,” which means:
- Information that relates to the individual’s past, present, or future physical or mental health or condition; to the provision of health care to an individual; or to past, present, or future payment for the provision of health care to the individual
- Information that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual
Who has to follow the HIPAA Privacy Rule regarding the use and sharing of my health information?
- Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and many other health care providers.
- Health insurance companies, Health Maintenance Organizations (HMOs), most employer group health plans.
- Certain government programs that pay for health care, such as Medicare and Medicaid.
If a provider, insurer, or government program has arrangements with business associates (third parties) that involve sharing health information, these third parties must also follow most of the restrictions in the HIPAA Privacy Rule. The HIPAA Rules require the business associate to agree in writing to appropriately safeguard your health information.
What are some of the ways that my health care information may be used and shared?
To make sure that your health information privacy is protected without interfering with your health care, the HIPAA Privacy Rule allows your information to be used and shared in the following ways:
- For your treatment and care coordination. For example, your doctors can see what tests you have had and their results, so tests do not have to be repeated
- With doctors and hospitals that provide you care, to provide payment for their services
- To make sure doctors and other health care professionals give good care
- For protection of the public’s health, such as to report when the flu is in your area
Your health care provider or health plan does not have to ask you whether they can use or share your health information for these purposes.
Can I control who sees or uses my health information?
In many circumstances other than those discussed above, you have the right to control who sees or uses your health information. Some examples are:
- In general, your health information cannot be given to your employer, used or shared for things like sales calls or advertising, or used or shared for many other purposes unless you give your permission by signing an authorization form. This authorization form must tell you who will get your information and what your information will be used for. This is a different form than the document that your provider may ask you to sign on your first visit that tells you how they may use and share your health information and how you can exercise your rights.
- Providers generally may not share private notes about mental health counseling sessions unless you give them permission to do so.
- You can ask your provider or health insurer not to share your health information with certain people, groups, or companies. For example, if you go to a clinic, you could ask the doctor not to share your medical record with other doctors or nurses in the clinic. However, the clinic does not always have to agree to do what you ask. In some cases, for instance, your doctor may need to share your information to ensure proper treatment and coordination of care between doctors in the clinic.
Learn more about the collection, use, and disclosure limitation on your health information.
Do I have the ability to control how information related to behavioral health treatment is used and shared?
There are Federal laws other than HIPAA that protect information related to alcohol and substance abuse treatment that is received at Federally-supported treatment centers. For information and guidance about the confidentiality of behavioral health information and the HIPAA Privacy Rule, please see 42 CFR Part 2 and the Substance Abuse and Mental Health Services Administration (SAMHSA).
What do I need to understand about the HIPAA notice I get from my doctor and health insurance company?
Most of your health care providers and your health insurance company must give you a Notice that tells you how they may legally use and share your health information and how you can exercise your health information privacy rights. The provider or health insurance company cannot use or disclose information in a way that is not consistent with its notice.
For more information about the Notice, see the HHS Office for Civil Rights information about the Notice.
To learn more about your rights and how your health information may be used and shared, please visit the U.S. Department of Health and Human Services, Guidance on the collection, use, and disclosure limitation on your health information [PDF – 173.4 KB].
What else can I do to protect my health information?
HIPAA protects your health information when it is held by most health care providers, health insurers, and other organizations operating on behalf of your health care provider or health plan.
However, it’s also important to protect health information that you control. If you store health information on your personal computer or mobile device, exchange emails about it, or participate in health-related online communities, here are a few things you should know:
- While the HIPAA Privacy and Security Rules are in place to protect and secure your health information when it is held by your health care provider (such as your doctor or hospital) or health insurance company, those laws do not apply if you share your health information with an organization that is not covered by HIPAA. For example, if you post that information online yourself — such as on a message board about a health condition — it is not protected by HIPAA. Never post anything online that you don’t want made public.
- Your doctor uses tools to protect and secure your health information at his or her office. You can do the same at home. If you have health information stored on your home computer or mobile device — or if you discuss your health information over email — simple tools like passwords can help keep your health information secure if your computer is lost or stolen.
- Medical identity thieves may try to use your personal and health insurance information to get medical treatment, prescription drugs, or surgery. The best way to protect yourself against this possibility is to verify the source before sharing your personal or medical information. Safeguard your medical and health insurance information and shred any insurance forms, prescriptions, or physician statements you no longer need. For more information about medical identity theft, visit the Federal Trade Commission (FTC) website to learn how to protect yourself.
- If you store your health information online, you should be sure to read the website’s privacy policy and terms of service. For practical additional tips to help you protect and secure your health information online, visit: OnGuardOnline.gov.