HIPAA for Consumers

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules are the main Federal laws that protect your health information. The Privacy Rule gives you rights with respect to your health information. The Privacy Rule also sets limits on how your health information can be used and shared with others. The Security Rule sets rules for how your health information must be kept secure with administrative, technical, and physical safeguards.

Protecting the Privacy and Security of Your Health Information

The privacy and security of patient health information is a top priority for patients and their families, health care providers and professionals, and the government. Federal laws require many of the key persons and organizations that handle health information to have policies and security safeguards in place to protect your health information — whether it is stored on paper or electronically.

You may have additional protections and health information rights under your State’s laws. There are also Federal laws that protect specific types of health information, such as information related to Federally funded alcohol and substance abuse treatment.

Your Health Information Rights

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule provides you with health information privacy rights. These rights are important for you to know. You can exercise these rights, ask questions about them, and file a complaint if you think your rights are being denied or your health information isn’t being protected.

Accessing Your Health Information

You have the right to receive copies of your health information from your doctor and from other providers, such as physical therapists and social workers. If your health care provider keeps your records electronically, you have a right to receive them in either electronic or paper form.

Your Privacy Rights

If you believe your health information privacy has been violated, the U.S. Department of Health and Human Services has a division, the Office for Civil Rights, to educate you about your privacy rights, enforce the rules, and help you file a complaint.

Your Health Information Security

Health care providers and other key persons and organizations that handle your health information must protect it with passwords, encryption, and other technical safeguards. These are designed to make sure that only the right people have access to your information.

Patient Access Information for Individuals: Get it, Check it, Use it!

Your health records hold important information about doctor’s visits, tests, treatments, and more. This guide will teach you how to request a copy of your records, find and fix mistakes, and manage your information.

Resources and Tools for Consumers

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules are the main Federal laws that protect your health information. You may have additional protections and health information rights under your State’s laws. There are also Federal laws that protect specific types of health information, such as information related to Federally funded alcohol and substance abuse treatment.

What You Can Do To Protect Your Health Information

Health care professionals and the federal government take your health information privacy seriously. You should too.

What Patients Need to Know about EHRs

ONC brochure that providers can use to give patients more information about Electronic Health Records (EHRs).

How to File a Complaint

OCR web page instructing patients on how to file a complaint if they believe any of their privacy rights or any of the HIPAA Rules have been violated.

Protecting Your Privacy and Identity

Federal Trade Commission (FTC) web page to help consumers protect their personal information and identity.

Health IT: How to Keep Your Health Information Private and Secure

ONC fact sheet instructing patients on how to secure their health information.

Video – Your Health Information, Your Rights

OCR video providing patients with insight into their health information rights under HIPAA.

Videos – OCR Series of Patient Videos

OCR series of videos that explains to patients their rights and responsibilities under HIPAA.

Your Health Information Privacy

The HIPAA Privacy Rule establishes federal protections for your health information by placing some limits on how it may be used and shared. You play an important role in controlling who has access to your health information in many situations.

What Information is Protected by the HIPAA Privacy Rule?

Privacy protections apply to your “individually identifiable health information,” which means:

  • Information that relates to the individual’s past, present, or future physical or mental health or condition; to the provision of health care to an individual; or to past, present, or future payment for the provision of health care to the individual
  • Information that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual

Who Has To Follow the HIPAA Privacy Rule Regarding the Use and Sharing of My Health Information?

  • Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and many other health care providers.
  • Health insurance companies, Health Maintenance Organizations (HMOs), most employer group health plans.
  • Certain government programs that pay for health care, such as Medicare and Medicaid.

If a provider, insurer, or government program has arrangements with business associates (third parties) that involve sharing health information, these third parties must also follow most of the restrictions in the HIPAA Privacy Rule. The HIPAA Rules require the business associate to agree in writing to appropriately safeguard your health information.

What Are Some of the Ways That My Health Care Information May Be Used and Shared?

To make sure that your health information privacy is protected without interfering with your health care, the HIPAA Privacy Rule allows your information to be used and shared in the following ways:

  • For your treatment and care coordination. For example, your doctors can see what tests you have had and their results, so tests do not have to be repeated
  • With doctors and hospitals that provide you care, to provide payment for their services
  • To make sure doctors and other health care professionals give good care
  • For protection of the public’s health, such as to report when the flu is in your area

Your health care provider or health plan does not have to ask you whether they can use or share your health information for these purposes.

Can I Control Who Sees or Uses My Health Information?

In many circumstances other than those discussed above, you have the right to control who sees or uses your health information. Some examples are:

  • In general, your health information cannot be given to your employer, used or shared for things like sales calls or advertising, or used or shared for many other purposes unless you give your permission by signing an authorization form. This authorization form must tell you who will get your information and what your information will be used for. This is a different form than the document that your provider may ask you to sign on your first visit that tells you how they may use and share your health information and how you can exercise your rights.
  • Providers generally may not share private notes about mental health counseling sessions unless you give them permission to do so.
  • You can ask your provider or health insurer not to share your health information with certain people, groups, or companies. For example, if you go to a clinic, you could ask the doctor not to share your medical record with other doctors or nurses in the clinic. However, the clinic does not always have to agree to do what you ask. In some cases, for instance, your doctor may need to share your information to ensure proper treatment and coordination of care between doctors in the clinic.

Learn more about the collection, use, and disclosure limitation on your health information.

What Do I Need To Understand About the HIPAA Notice I Get From My Doctor and Health Insurance Company?

Most of your health care providers and your health insurance company must give you a Notice that tells you how they may legally use and share your health information and how you can exercise your health information privacy rights. The provider or health insurance company cannot use or disclose information in a way that is not consistent with its notice.

For more information about the Notice, see the HHS Office for Civil Rights information about the Notice.

To learn more about your rights and how your health information may be used and shared, please visit the U.S. Department of Health and Human Services, Guidance on the collection, use, and disclosure limitation on your health information [PDF – 173.4 KB].

What Else Can I Do to Protect My Health Information?

HIPAA protects your health information when it is held by most health care providers, health insurers, and other organizations operating on behalf of your health care provider or health plan.

However, it’s also important to protect health information that you control. If you store health information on your personal computer or mobile device, exchange emails about it, or participate in health-related online communities, here are a few things you should know:

  • While the HIPAA Privacy and Security Rules are in place to protect and secure your health information when it is held by your health care provider (such as your doctor or hospital) or health insurance company, those laws do not apply if you share your health information with an organization that is not covered by HIPAA. For example, if you post that information online yourself, such as on a message board about a health condition, it is not protected by HIPAA. Never post anything online that you don’t want made public.
  • Your doctor uses tools to protect and secure your health information at his or her office. You can do the same at home. If you have health information stored on your home computer or mobile device — or if you discuss your health information over email — simple tools like passwords can help keep your health information secure if your computer is lost or stolen.
  • There are medical identity thieves that could try to use your personal and health insurance information to get medical treatment, prescription drugs, or surgery. The best way to protect yourself against this possibility is to make sure you verify the source before sharing your personal or medical information. Safeguard your medical and health insurance information and shred any insurance forms, prescriptions, or physician statements. For more information about medical identity theft, visit the Federal Trade Commission (FTC) website to learn how to protect yourself.
  • If you store your health information online, you should be sure to read the website’s privacy policy and terms of service. For practical additional tips to help you protect and secure your health information online, visit: OnGuardOnline.gov.

Learn more about the collection, use, and disclosure limitation on your health information.