HIPAA: Frequently Asked Questions

Updated: 26 February, 2025


Whether you are new to the concept or you have years of experience managing HIPAA compliance at different organizations, we all have questions sometimes. On this page you will find answers regarding HIPAA patient rights and the particular situations in which these are superseded. If you have more technical questions about HIPAA, check out our blog post on HIPAA for healthcare institutions. There we cover things like who must comply with HIPAA, what is a covered entity, which records are covered by HIPAA and what standards are required from providers.


  • Why was HIPAA created?

    • HIPAA is a US federal law designed to standardize electronic healthcare transactions and to make health insurance coverage more portable for Americans who change or lose jobs. Its Security Rule requires covered entities and business associates to put in place appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Act also includes provisions aimed at combating fraud and abuse in health insurance and healthcare delivery.
  • Why is HIPAA important?

    • HIPAA ensures that covered entities and business associates protect patients’ privacy and keep sensitive health data secure. Additionally, HIPAA promotes accountability by requiring organizations to notify patients of any data breaches and by enforcing penalties for non-compliance. This framework helps protect against identity theft, insurance fraud, and unauthorized data sharing, while enabling patients to take an active role in managing their healthcare. 
  • What does HIPAA stand for?

    • HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is best known today for protecting the privacy and security of individuals’ health information, while also ensuring health insurance portability and reducing healthcare fraud. On the insurance side, it limits the ability of group health plans to exclude coverage for preexisting conditions and prohibits them from discriminating in eligibility or premiums based on an individual’s health status.
  • Who created HIPAA?

    • HIPAA was enacted by Congress; its implementing regulations (the Privacy and Security Rules) were developed by the Department of Health and Human Services (HHS) under Secretary Donna Shalala. President Bill Clinton signed HIPAA into law on August 21, 1996. The Act evolved from earlier legislative efforts, including:
      • The “Health Insurance Reform Act” proposed by Senators Ted Kennedy and Nancy Kassebaum.
      • The “Health Coverage Availability and Affordability Act” introduced by Representative Bill Archer, which became the companion bill that was ultimately adopted by Congress.
  • Where does HIPAA apply?

    • HIPAA applies in every US state, as it is federal legislation administered at the national level by the Department of Health and Human Services (HHS). Its obligations fall on covered entities and their business associates, and the PHI those organizations hold is protected regardless of whether the patient is a citizen, a resident, or a visitor. HIPAA can in principle reach organizations outside the U.S. that act as business associates of a US covered entity, but there are practical limitations: enforcement in foreign jurisdictions may be challenging or impossible.
  • Are HIPAA laws different in each state?

    • No, HIPAA applies equally across all states. However, HIPAA sets a floor, not a ceiling: a state law that provides greater privacy protection or broader individual rights than HIPAA is not preempted, so covered entities in that state must satisfy both. This preemption rule applies nationwide; states with notably stricter health-privacy laws include California, Colorado, Connecticut, Nevada, Virginia, Utah, New Hampshire, Vermont and New York. Read more about HIPAA preemption here.
  • Does HIPAA apply in the EU?

    • HIPAA has no direct extraterritorial application in the EU, and it is not triggered by a patient’s citizenship: HIPAA regulates covered entities and business associates, not data subjects. An EU health tech firm becomes subject to HIPAA when it creates, receives, maintains, or transmits PHI on behalf of a US covered entity or business associate, which normally means signing a business associate agreement (BAA). The same holds for cloud service providers (CSPs) that store ePHI on servers outside the United States: once they hold ePHI for a covered entity or business associate, they are business associates themselves and must meet the Security Rule, wherever the servers sit. An EU firm that merely treats a US citizen in the EU, with no US covered entity involved, is governed by the GDPR rather than HIPAA.
  • Who enforces HIPAA?

    • HIPAA is enforced by multiple federal agencies and entities, with the primary responsibility falling on the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). However, enforcement is not limited to a single agency.
      • The OCR is the main enforcer of HIPAA’s Privacy and Security Rules. It investigates complaints, conducts audits, and issues penalties for violations.
      • The Centers for Medicare and Medicaid Services (CMS) enforces the Administrative Simplification standards for electronic transactions, code sets, unique identifiers and operating rules.
      • If a HIPAA violation involves criminal activity, the Department of Justice (DOJ) may get involved. The DOJ prosecutes the criminal offenses in Section 1177 of the Social Security Act (42 U.S.C. § 1320d-6): knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA.
      • The Federal Trade Commission (FTC) does not enforce HIPAA itself; under the HITECH Act it enforces the Health Breach Notification Rule for vendors of personal health records and similar entities that are not covered by HIPAA, and it can act against deceptive privacy claims under the FTC Act.
      • State Attorneys General have the power to enforce HIPAA within their respective states. This authority was granted by the 2009 HITECH Act amendment to HIPAA.
  • What happens if HIPAA is violated?

    • If the OCR discovers a case of noncompliance, it will typically require the facility to work through a deadline-driven corrective action plan to bring the facility up to HIPAA compliance standards. Violations are often subject to monetary penalties. These penalties are tiered based on the severity of the violation and the facility’s knowledge of the noncompliance, from violations the entity did not know about up to willful neglect that is not corrected. Fines can be substantial; for example, Advocate Health Care Network agreed in 2016 to a $5.55 million settlement after three data breaches that compromised the records of about 4 million patients, the largest HIPAA settlement at that time (later settlements, such as Anthem’s $16 million in 2018, have exceeded it). HIPAA itself gives individuals no private right of action, but covered entities and business associates may still face civil lawsuits from affected individuals under state privacy, negligence or consumer-protection law.
  • What patient rights do I have under HIPAA?

    • HIPAA grants you several important rights regarding your health information:
        1. Right to Access
        2. Right to Amend
        3. Right to Receive Notice of Privacy Practices
        4. Right to Request Restrictions
        5. Right to Confidential Communications
        6. Right to an Accounting of Disclosures
        7. Right to File a Complaint
        8. Right to Opt Out of Marketing Communications
        9. Right to Portability


  • In HIPAA, what does the right to access mean?

    • Patients can request to see and obtain copies of their health records and other protected health information (PHI) held in a designated record set by covered entities or their business associates. These include medical records, billing records, insurance information, lab results, medical images, wellness program files, and clinical case notes. Access can be provided as paper copies, as digital copies handed over in person, or through electronic means such as a patient portal. The right to access is crucial because it promotes transparency and enables patients to verify the accuracy of their health information and make informed decisions about their health.
  • In HIPAA, what does the right to amend mean?

    • Patients have the right to request corrections to their health information if they believe it is inaccurate or incomplete. This applies to both medical and billing records, as well as records related to payments and enrollment in health plans. Requests must generally be made in writing, and individuals may be required to provide a reason supporting their request. Healthcare providers must consider these requests and inform patients of their decision, and a denial must be in writing and explain the basis for it; the patient may then submit a statement of disagreement that is kept with the record. Covered entities must act on amendment requests within 60 days of receipt. A single 30-day extension is allowed if the entity provides written notice explaining the delay. Note that covered entities are not required to create new information but only to amend existing inaccuracies in designated record sets.
  • In HIPAA, what does the right to receive a notice of privacy practices mean?

    • Patients must be provided with a notice that explains how their PHI may be used and shared, as well as their rights concerning that information. This right requires covered entities to provide patients with a clear, accessible document outlining their privacy practices. The Notice of Privacy Practices (NPP) must include:
      • A prominent header stating its purpose
      • Descriptions of permitted uses and disclosures of PHI
      • Individual rights regarding their PHI
      • The covered entity’s legal duties to protect PHI
      • Contact information for complaints and further information
  • In HIPAA, what does the right to request restrictions mean?

    • Patients can ask for restrictions on certain uses and disclosures of their PHI, such as limiting who can see their information. Individuals can request restrictions on the use and disclosure of PHI for treatment, payment, and healthcare operations, and on disclosures to family members or others involved in their care. Providers are not obligated to agree to these requests, with one exception added by the HITECH Act: if you pay for a service in full out of pocket, the provider must honor your request not to disclose PHI about that service to your health plan for payment or healthcare operations. A covered entity may require that restriction requests be submitted in writing; whether or not it does, it must consider each request and respond within a reasonable timeframe, and once it agrees to a restriction it is bound by it (except in an emergency). When evaluating restriction requests, covered entities may weigh the potential impact on treatment and care coordination.
  • In HIPAA, what does the right to confidential communications mean?

    • Patients can request that communications regarding their health information be conducted in a specific manner or at a specific location, ensuring greater privacy. Individuals can request alternative methods of communication (e.g., email, phone, mail) or alternative locations for receiving PHI. This applies to all types of PHI, not just sensitive information. Some examples of accommodations are using alternative phone numbers or addresses or refraining from leaving messages on answering machines. Covered entities may require that requests be made in writing. Healthcare providers must accommodate reasonable requests and may not ask for an explanation; health plans may require the individual to state that disclosure by the usual means could endanger them.
  • In HIPAA, what does the right to accounting of disclosures mean?

    • Patients have the right to request a report detailing when and why their PHI was disclosed, except for certain routine disclosures. Individuals can request an accounting of disclosures for the six years prior to their request. Covered entities must provide the accounting within 60 days of receiving the request, with one 30-day extension allowed on written notice. The accounting must include the date of disclosure, the name and address (if known) of the entity or person who received the PHI, a brief description of the PHI disclosed and the purpose of the disclosure. Certain disclosures are exempt from the accounting requirement, including disclosures for treatment, payment, and healthcare operations; disclosures to the individual about their own PHI; and disclosures made under the individual’s written authorization.
  • In HIPAA, what does the right to portability mean?

    • The right to portability in HIPAA refers to two distinct things: health insurance portability and health information portability. The original intent of HIPAA’s portability provisions was to allow people to keep health insurance coverage when changing jobs by limiting how new group health plans could exclude coverage for preexisting conditions. HIPAA also facilitates the secure flow of health information across the healthcare ecosystem. At an individual’s request, covered entities must transmit a copy of the individual’s PHI directly to a designated third party, and they must provide it in the electronic form and format the individual asks for if it is readily producible. Federal health IT policy encourages features such as view, download, and transmit (VDT) capabilities in patient portals to make digital health information more portable.
  • Where are HIPAA violations reported?

    • HIPAA violations can be reported through multiple channels, depending on the nature of the violation and the reporter’s role. The main avenues are internal reporting, through the organization’s privacy officer or a supervisor, and external reporting to the Office for Civil Rights (OCR). If you believe your HIPAA patient rights have been violated, you can file a complaint with the OCR (online through its complaint portal, or by mail, fax or email). Complaints must be filed within 180 days of when you knew, or should have known, about the violation; the OCR may extend this deadline for good cause. A covered entity may not retaliate against you for filing a complaint.
  • Can I access my medical record at any time?

    • Yes, HIPAA grants patients the right to request and obtain copies of their PHI held by healthcare providers, healthcare plans and other covered entities. You can request your records in various formats, including paper or electronic formats, as long as the requested format is readily producible. Providers may charge a fee for copying your records, but this fee must be limited to the actual cost incurred for labor, supplies and postage.  
  • How long does a provider have to respond to my request for records?

    • Healthcare providers are required to provide access to your medical records within 30 calendar days of your request. If they cannot meet this timeline, providers may take a one-time 30-day extension, but they must inform you of the delay and provide a reason. Providers must act on requests to amend protected health information within 60 days of receiving the request. If unable to act within 60 days, they may once again request a one-time 30 day extension as long as they provide written notice explaining the delay and expected completion date.
  • How can I correct my medical records?

    • You can request corrections to your health information if you believe it is inaccurate or incomplete. This could include incorrect personal details, diagnoses, or treatment information. Address your request to the appropriate department of the healthcare organization that maintains the records in question. Providers must respond to these requests as long as they are presented through the proper channels. Maintain a copy of your request and follow up if necessary. Keep in mind that corrections should not erase or remove original entries; instead, amendments should be documented as addendums that clarify or correct previous entries.
  • Do I need to give consent for my information to be shared?

    • Under HIPAA, you do not always need to give consent for your protected health information (PHI) to be shared. HIPAA permits healthcare providers to use and disclose your PHI for treatment, payment, and healthcare operations without your written authorization. Treatment includes sharing information with other healthcare providers involved in your care, coordinating treatment, or referring you to specialists; healthcare operations include quality assessment, case management, and training programs. The “minimum necessary” standard limits most of these uses and disclosures to the information needed for the intended purpose, but it does not apply to disclosures to, or requests by, a healthcare provider for treatment, nor to disclosures to you or made under your written authorization.
  • What happens if my data is shared without my consent?

    • You have the right to file a complaint with the Office for Civil Rights (OCR) if you believe your PHI has been shared without your consent. HIPAA does not let you sue a covered entity directly, so consider consulting an attorney who specializes in healthcare law about claims available under your state’s law. Healthcare organizations can face substantial civil penalties for HIPAA violations depending on the severity and nature of the breach. Where someone knowingly obtains or discloses PHI in violation of HIPAA, criminal charges may be filed against the individuals involved under 42 U.S.C. § 1320d-6, with higher penalties if it was done under false pretenses or for commercial advantage or malicious harm.
  • Can my family or friends inquire about my health status?

    • If you are present and capable of making healthcare decisions, healthcare providers must give you the opportunity to agree or object to sharing your health information with family members or friends involved in your care.
      • Note: HIPAA does not require healthcare providers to verify the identity of someone calling to inquire about a patient’s condition, but they may establish their own rules for verification.
    • If you are not present or unable to give consent, providers may share relevant information with family members or friends if they believe it is in your best interest. The information shared must be directly relevant to the involvement of the family member or friend in your care or payment for healthcare. For example, a provider can inform a family member about your condition if they are actively involved in your treatment.
  • When does HIPAA not apply?

    • There are exceptions to your patient rights under HIPAA. While HIPAA provides significant protections for your health information, certain circumstances allow for limitations or exceptions. Here are some key exceptions:
        1. Treatment, Payment, and Healthcare Operations: This means they can share information necessary for providing care, billing, and administrative functions without needing your explicit permission.
        2. Emergency Situations, Public Interest and Safety: HIPAA allows disclosures of PHI without patient consent in situations that serve public interest or safety. This may include reporting diseases to public health authorities and reporting child abuse or neglect.
        3. Legal Proceedings: Your PHI may be disclosed without consent in response to a court order, or to a subpoena or discovery request that is not accompanied by a court order if the covered entity first receives satisfactory assurances that you were notified or that a protective order was sought. This includes situations where you are involved in legal proceedings, such as malpractice claims.
        4. Stringent State Laws: In some instances, state laws may provide stronger privacy protections than HIPAA. In these cases, state laws take precedence over HIPAA regulations.
        5. De-identified Information: Data that has been de-identified is not considered PHI and is not subject to HIPAA’s protections. HIPAA offers two routes to de-identification: a formal expert determination that the risk of re-identification is very small, or the Safe Harbor method, under which the following 18 categories of identifiers of the individual, and of their relatives, employers and household members, must be removed, and the covered entity must have no actual knowledge that the remaining data could identify the person:
          1. Names
          2. Geographic subdivisions smaller than a state (street addresses, cities, counties, precincts, and ZIP codes), except that the first three digits of a ZIP code may be kept if that three-digit area contains more than 20,000 people; otherwise the prefix is replaced by 000
          3. All elements of dates (except year) directly related to the individual (birth dates, admission and discharge dates, date of death), and all ages over 89 and date elements indicating such an age, which may be aggregated into a single category of 90 or older
          4. Telephone numbers
          5. Fax numbers
          6. Email addresses
          7. Social Security Numbers
          8. Medical Record Numbers
          9. Health Plan Beneficiary Numbers
          10. Account numbers
          11. Certificate/License Numbers
          12. Vehicle Identifiers and Serial Numbers, including license plate numbers
          13. Device Identifiers and Serial Numbers
          14. Web Universal Resource Locators (URLs)
          15. Internet Protocol (IP) Address Numbers
          16. Biometric Identifiers, including finger and voice prints
          17. Full Face Photographic Images and any comparable images
          18. Any Other Unique Identifying Number, Characteristic or Code (e.g., passport numbers)
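As an added example (this code is not part of the original page and is not an HHS tool), the following Python routine applies the Safe Harbor rules above to a constructed patient record: it drops the direct identifiers, keeps only the first three ZIP digits (or 000 for sparse areas), reduces dates to the year, collapses ages over 89 into a 90+ bucket and strips the birth year for them, and redacts identifier patterns that leak into free-text notes. The SPARSE_ZIP3 set is an assumed stand-in for the census-derived prefix list, and the field names and sample record are constructed for the example.

```python
import re
from datetime import date

# Assumed stand-in for the census-derived list of three-digit ZIP prefixes whose
# combined population is 20,000 or fewer; Safe Harbor requires these to become "000".
# Refresh this from current census data before any real use.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
               "823", "830", "831", "878", "879", "884", "890", "893"}

# Fields (names assumed for this example) holding identifiers that Safe Harbor
# requires removing outright: names, sub-state geography, contact details,
# record/account/device numbers, URLs, IPs, biometrics and photos.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip", "biometric", "photo",
}

# Patterns for identifiers that commonly leak into clinical free text.
# SSN runs first so a phone pattern never half-matches an SSN.
NOTE_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?:\(\d{3}\)|\b\d{3})[-.\s]?\d{3}[-.\s]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def safe_harbor_zip(zip_code):
    """Keep only the first three ZIP digits, or '000' if that prefix is sparse."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    prefix = digits[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix


def safe_harbor_date(d):
    """Dates directly related to the individual keep only the year."""
    return d.year if d else None


def safe_harbor_age(birth_date, as_of):
    """Return (age, birth_year); ages over 89 collapse to '90+' and lose the birth year."""
    age = as_of.year - birth_date.year - ((as_of.month, as_of.day) < (birth_date.month, birth_date.day))
    if age > 89:
        return "90+", None
    return age, birth_date.year


def scrub_note(text):
    """Redact identifier patterns in free text."""
    for pattern, token in NOTE_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record, as_of):
    """Produce a Safe Harbor view of a record; clinical fields pass through untouched."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    out["zip3"] = safe_harbor_zip(out.pop("zip", None))
    for field in ("admission_date", "discharge_date"):
        if field in out:
            out[field + "_year"] = safe_harbor_date(out.pop(field))
    if "birth_date" in out:
        out["age"], out["birth_year"] = safe_harbor_age(out.pop("birth_date"), as_of)
    if "notes" in out:
        out["notes"] = scrub_note(out["notes"])
    return out


# Constructed sample record; every value here is made up for the example.
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0012345",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "zip": "03601",
    "birth_date": date(1930, 5, 2),
    "admission_date": date(2024, 11, 3),
    "discharge_date": date(2024, 11, 9),
    "diagnosis": "E11.9",
    "notes": "Daughter reachable at (555) 123-4567; prior SSN on file 123-45-6789.",
}


def run_sample():
    return deidentify(SAMPLE, date(2025, 2, 26))


if __name__ == "__main__":
    print(run_sample())
```

Even with every rule applied, Safe Harbor also requires that the covered entity have no actual knowledge the remaining data could identify the person, so a rare diagnosis combined with a 90+ age bucket and a ZIP3 may still need expert review before release.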
  • Does HIPAA apply to all healthcare providers?

    • HIPAA does not apply to all healthcare providers; it applies to “covered entities” and, since the HITECH Act, directly to their business associates. Covered entities are healthcare providers that transmit health information electronically in connection with standard transactions (physicians, dentists, psychologists, hospitals, pharmacies, nursing homes and home health agencies); health plans, including Medicare and Medicaid; and healthcare clearinghouses (for example Navicure, ZirMed, Availity, CureMD). Healthcare clearinghouses act as intermediaries between healthcare providers and health plans, facilitating the processing of health information; their primary function is to review and validate healthcare claims from providers before forwarding them to health plans for payment. Business associates are vendors that handle PHI on a covered entity’s behalf, such as billing companies, cloud hosting providers and IT contractors.
  • How does HIPAA protect my data during emergencies?

    • During emergencies, HIPAA’s safeguards for your data remain in place. The HIPAA Privacy Rule is not suspended during emergencies, so healthcare providers must still comply with its provisions and protect PHI, even in crisis situations. In a declared public health emergency, the Secretary of Health and Human Services (HHS) may issue a waiver under Section 1135 of the Social Security Act that lifts sanctions for certain Privacy Rule requirements, including the need to obtain a patient’s agreement before discussing their care with family members or friends, the duty to honor opt-outs from the facility directory, the duty to distribute a Notice of Privacy Practices, and the rights to request restrictions and confidential communications. Such waivers are temporary, apply only in the emergency area and period to hospitals that have activated their disaster protocol, and last for up to 72 hours from the time the hospital implements that protocol.
  • Can I see the privacy practices of my provider?

    • Yes, you can see the privacy practices of your healthcare provider. Under HIPAA, healthcare providers are required to provide patients with a Notice of Privacy Practices, which outlines how they may use and disclose your PHI and your patient rights regarding that information.