Does HIPAA Protect My Health Information?
It requires Massachusetts providers have compliance procedures in place
By Doug Mentes, Esq. | Last updated on January 26, 2023

What Is Protected Health Information?
All individually identifiable health information held by a health care provider, pharmacy or other covered entity is protected health information. This includes any information or health data that identifies an individual, or for which there is a reasonable basis to believe it can be used to identify an individual. This information includes demographic information related to:
- The individual’s past, present or future physical or mental health condition
- Providing health care services to the individual
- Past, present or future payment for the provision of health care to the individual

What Uses and Disclosures of Protected Health Information Are Permitted?
Health plans and providers can use or disclose an individual’s protected health information in two situations:
- When authorized in writing by the individual (or the individual’s agent or parent)
- As permitted by the Privacy Rule, which covers:
  - Communication with the individual
  - Treatment, payment, medical information and health care operations
  - Uses or disclosures where there is an opportunity for the individual to agree or object to the disclosure (for example, notifying family members of a health condition)
  - Uses incident to a permitted use, provided the information was limited to the minimum necessary
  - Public interest and benefit activities, typically required by law
  - A limited data set, meaning the direct identifiers of the individual—and their relatives—have been removed, for the purposes of research, public health or health care operations

Obligations for Providers and Plans
When using or disclosing protected health information, providers and plans must limit their use to only the minimum necessary. This means a provider or plan must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose. Providers and plans must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary.

Entities must provide patients with notice of their patient privacy practices, which is typically provided at, or prior to, the first visit. Entities must make a good faith effort to obtain a written patient authorization of the notice of privacy practices. The notice must also make the patient aware that any violations of use or disclosure of their protected health information can be reported to the U.S. Department of Health and Human Services (HHS). HHS, responsible for HIPAA enforcement, can levy fines and criminal penalties on entities with HIPAA violations.

If you believe an entity has not provided adequate privacy protections of your health records, you should reach out to an experienced Massachusetts health care attorney who can provide you information about your individual rights and HIPAA regulations. For more information on this area of law, see our overview of health care law.