Does HIPAA Protect My Health Information?

By Doug Mentes, Esq. | Last updated on April 28, 2025

A major reason for the 1996 enactment of the Health Insurance Portability and Accountability Act (HIPAA) was to protect patients' protected health information (PHI) and medical records from improper use or disclosure. Part of federal HIPAA law is the Privacy Rule, which defines and limits the circumstances in which an individual’s protected health information may be used or disclosed by health providers and health plans.

What Is Protected Health Information?

All individually identifiable health information held by health care providers, pharmacies, or other covered entities is protected health information. This includes any information or health data that identifies an individual or for which there is a reasonable basis to believe it can be used to identify an individual. This information includes demographic information related to:

  • The individual’s past, present, or future physical or mental health condition
  • Providing health care services to the individual
  • Past, present, or future payment for the provision of health care to the individual

Individually identifiable personal health information includes many common identifiers, such as name, address, patient records, birth date, and Social Security number. There are no restrictions on the use or disclosure of health information that has been de-identified. To de-identify health information, individually identifiable information must be removed until it is no longer possible to identify the individual.


What Uses and Disclosures of Protected Health Information Are Permitted?

Health plans and providers can use or disclose an individual’s protected health information in two situations:

  • When authorized in writing by the individual (or the individual’s agent or parent)
  • As permitted by the Privacy Rule

Under the Privacy Rule, health plans, insurance companies and health providers are permitted to use and disclose protected health information, without the individual’s written authorization, only in the following situations:

  • In communication with the individual
  • Treatment, payment, medical information and health care operations
  • Uses or disclosures where the individual has an opportunity to agree or object to the disclosure, for example, notifying family members of a health condition
  • Incident to a permitted use if information was limited to minimum necessary
  • Public interest and benefit activities, typically required by law
  • Limited data set, meaning direct identifiers of the individual—and their relatives—have been removed for the purposes of research, public health or health care operations

If a health plan or provider wants to use or disclose an individual’s protected health information for any other purpose, it must obtain the individual’s written authorization. A plan or provider cannot condition treatment on obtaining authorization. To comply with HIPAA, an authorization must be written in plain language and identify the specific information to be disclosed. It must also state when it expires and provide a right to revoke the authorization in writing.

Obligations for Providers and Plans

When using or disclosing protected health information, providers and plans must limit their use to only the minimum necessary. This means a provider or plan must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose. Providers and plans must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary.

Entities must provide patients with notice of their patient privacy practices—which is typically provided at, or prior to, the first visit. Entities must make a good faith effort to obtain a written patient authorization of the notice of privacy practices.

The notice must also make the patient aware that any violations of use or disclosure of their protected health information can be reported to the U.S. Department of Health and Human Services (HHS). HHS, responsible for HIPAA enforcement, can levy fines and criminal penalties on entities with HIPAA violations.

If you believe an entity has not provided adequate privacy protections for your health records, you should reach out to an experienced healthcare attorney who can provide you with information about your individual rights and HIPAA regulations.

For more information on this area of law, see our overview of health care law.
