HIPAA: Frequently Asked Questions

Updated: 19 February, 2025


Whether you are new to the concept or you have years of experience managing HIPAA compliance at different organizations, we all have questions sometimes. On this page you will find answers about HIPAA patient rights and the situations in which those rights do not apply. If you have more technical questions about HIPAA, check out our blog post on HIPAA for healthcare institutions. There we cover things like who must comply with HIPAA, what a covered entity is, which records are covered by HIPAA and what standards are required from providers.


  • Why was HIPAA created?

    • HIPAA is a U.S. federal law designed to make health insurance coverage portable for workers who change or lose their jobs, to standardize electronic healthcare transactions, and (through the rules later issued under it) to protect the privacy and security of health information.
  • Why is HIPAA important?

    • HIPAA ensures that covered entities and business associates protect patients’ privacy and keep sensitive health data secure. Additionally, HIPAA promotes accountability by requiring organizations to notify patients of any data breaches and by enforcing penalties for non-compliance. This framework helps protect against identity theft, insurance fraud, and unauthorized data sharing, while enabling patients to take an active role in managing their healthcare. 
  • What does HIPAA stand for?

    • HIPAA stands for Health Insurance Portability and Accountability Act of 1996.
  • Who created HIPAA?

    • HIPAA was passed by Congress; its principal Senate sponsors were Nancy Kassebaum and Edward Kennedy, which is why it is also known as the Kassebaum-Kennedy Act. President Bill Clinton signed HIPAA into law on August 21, 1996. The Privacy Rule that implements its privacy provisions was issued by the Department of Health and Human Services (HHS) in December 2000, under Secretary Donna Shalala.
  • Where does HIPAA apply?

    • HIPAA applies in every state, since it is federal legislation administered at the national level by the Department of Health and Human Services (HHS). It does not apply to everyone, though: it binds covered entities (healthcare providers, health plans and healthcare clearinghouses) and their business associates, and it protects the health information of any individual those organizations hold, regardless of citizenship or residency.
  • Are HIPAA laws different in each state?

    • No, HIPAA sets a single federal floor that applies equally across all states. However, state laws are not preempted when they are "more stringent", that is, when they give individuals greater privacy protections or rights than HIPAA does, and in that case the state law applies on top of HIPAA. This is the case, for example, in California, Colorado, Connecticut, Nevada, Virginia, Utah, New Hampshire, Vermont and New York.
  • Does HIPAA apply in the EU?

    • HIPAA has no direct extraterritorial application in the EU, and it is not based on the citizenship of the patient. It applies to covered entities and to business associates that create, receive, maintain or transmit PHI on a covered entity's behalf, wherever those organizations are located. So an EU health tech firm must comply with HIPAA (normally by signing a business associate agreement) if it handles PHI for a U.S. covered entity, regardless of the patients' nationality; it is not bound by HIPAA merely because some of its own patients or users happen to be U.S. citizens.
  • Who enforces HIPAA?

    • HIPAA is mainly enforced by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). Since the HITECH Act, state attorneys general can also bring civil actions on behalf of their residents. If a HIPAA violation involves criminal activity, the Department of Justice (DOJ) may get involved.
  • What happens if HIPAA is violated?

    • If the OCR finds noncompliance, it will typically require the organization to work through a deadline-driven corrective action plan to bring it up to HIPAA compliance standards. Violations are often subject to civil monetary penalties. These penalties are tiered based on the severity of the violation and on what the organization knew or should have known about the noncompliance. Fines can be substantial: Advocate Health System paid $5.55 million in 2016, then the largest HIPAA settlement, after three data breaches that compromised the privacy of about 4 million patients, and Anthem paid $16 million in 2018 over a breach affecting nearly 79 million people. HIPAA itself gives individuals no private right of action, but affected individuals may still sue covered entities and business associates under state law (for example, negligence or state privacy statutes).
  • What patient rights do I have under HIPAA?

    • You have several important rights regarding your health information:
        1. Right to Access
        2. Right to Amend
        3. Right to Receive a Notice of Privacy Practices
        4. Right to Request Restrictions
        5. Right to Confidential Communications
        6. Right to an Accounting of Disclosures
        7. Right to File a Complaint
        8. Right to Opt Out of Marketing Communications
        9. Right to Portability


  • In HIPAA, what does the right to access mean?

    • Patients can inspect and obtain copies of their health records and other protected health information (PHI) held in a covered entity's designated record set (medical and billing records and other records used to make decisions about the patient). Access can be provided in person, on paper, or electronically, for example through a patient portal, and you can direct the covered entity to send a copy to a third party you designate.
  • In HIPAA, what does the right to amend mean?

    • Patients have the right to request corrections to their health information if they believe it is inaccurate or incomplete. Healthcare providers must consider these requests and inform patients of their decision.
  • In HIPAA, what does the right to receive a notice of privacy practices mean?

    • Patients must be provided with a notice that explains how their PHI may be used and shared, as well as their rights concerning that information.
  • In HIPAA, what does the right to request restrictions mean?

    • Patients can ask for restrictions on certain uses and disclosures of their PHI, such as limiting who can see their information, although providers are not obligated to agree to all requests.
  • In HIPAA, what does the right to confidential communications mean?

    • Patients can request that communications regarding their health information be conducted in a specific manner or at a specific location, ensuring greater privacy.
  • In HIPAA, what does the right to accounting of disclosures mean?

    • Patients have the right to request a report detailing when and why their PHI was disclosed, except for certain routine disclosures.
  • In HIPAA, what does the right to portability mean?

    • Title I of HIPAA protects health insurance coverage for workers who change or lose their jobs, by limiting how group health plans can exclude coverage for preexisting conditions. On the privacy side, the right of access lets you direct a covered entity to send a copy of your PHI to a person or organization you designate, which is how your records follow you to a new provider.
  • Where are HIPAA violations reported?

    • If you believe your HIPAA patient rights have been violated, you can file a complaint with the healthcare provider (usually through its privacy officer) or with the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS). A complaint to OCR must normally be filed within 180 days of when you knew or should have known of the violation, and a covered entity may not retaliate against you for filing one.

  • Can I access my medical record at any time?

    • Yes, HIPAA grants patients the right to request and obtain copies of their PHI held by healthcare providers, health plans and other covered entities. You can request your records in various formats, including paper or electronic formats, as long as the requested format is readily producible. Two categories are excluded from the right of access: psychotherapy notes kept separately from the rest of the record, and information compiled in anticipation of a lawsuit or other proceeding. Providers may charge a fee for copying your records, but it must be a reasonable, cost-based fee limited to labor for copying, supplies, postage and, if you agreed to one, preparation of a summary; it may not include the cost of searching for or retrieving the records.
  • How long does a provider have to respond to my request for records?

    • Covered entities must act on a request for access within 30 calendar days, with one extension of up to 30 days allowed if they tell you in writing why they need it and when to expect a response. Requests to amend your record have a longer clock: the covered entity must respond within 60 days, again with one possible 30-day extension explained in writing.
  • How can I correct my medical records?

    • You can request corrections to your health information if you believe it is inaccurate or incomplete. This could include incorrect personal details, diagnoses, or treatment information. Address your request in writing, with the reason for the change, to the department of the healthcare organization that maintains the records in question. Providers must respond to requests presented through the proper channels, and they may deny a request if they did not create the record, if it is not part of the designated record set, or if they judge the record to be accurate and complete; if so, they must tell you why and you may file a statement of disagreement that becomes part of your record. Maintain a copy of your request and follow up if necessary. Keep in mind that corrections do not erase or remove original entries; amendments are documented as addenda that clarify or correct previous entries.
  • Do I need to give consent for my information to be shared?

    • Under HIPAA, you do not always need to give consent for your protected health information (PHI) to be shared. HIPAA permits healthcare providers to share your PHI for treatment purposes without your explicit consent, including sharing with other providers involved in your care, coordinating treatment, or referring you to specialists. PHI can also be used and shared without authorization for payment and for healthcare operations such as quality assessment, case management, and training programs. For payment, operations and most other disclosures, the "minimum necessary" standard applies: only the information needed for the intended purpose should be used or disclosed. The minimum necessary standard does not apply to disclosures to, or requests by, a healthcare provider for treatment, nor to disclosures to you, nor to uses or disclosures you have authorized.
  • What happens if my data is shared without my consent?

    • You have the right to file a complaint with the Office for Civil Rights (OCR) if you believe your PHI has been shared without your consent. Consider consulting an attorney who specializes in healthcare law if you believe your patient rights have been violated. Healthcare organizations can face substantial civil penalties for HIPAA violations, depending on the severity and nature of the breach, with the highest tier reserved for willful neglect that is not corrected. Separately, an individual who knowingly obtains or discloses PHI in violation of HIPAA can be prosecuted by the Department of Justice, with stiffer penalties where the offense is committed under false pretenses or with intent to sell the data or to use it for commercial advantage, personal gain or malicious harm.
  • Can my family or friends inquire about my health status?

    • If you are present and capable of making healthcare decisions, healthcare providers must give you the opportunity to agree or object to sharing your health information with family members or friends involved in your care.
      • Note: HIPAA requires a covered entity to verify the identity and authority of a person requesting PHI when it does not already know them (45 CFR 164.514(h)), but it does not prescribe how. Providers therefore set their own verification procedures, such as a patient-chosen passcode for telephone inquiries, and for family and friends involved in care they may rely on professional judgment.
    • If you are not present or unable to give consent, providers may share relevant information with family members or friends if they believe it is in your best interest. The information shared must be directly relevant to the involvement of the family member or friend in your care or payment for healthcare. For example, a provider can inform a family member about your condition if they are actively involved in your treatment.
  • When does HIPAA not apply?

    • There are exceptions to your patient rights under HIPAA. While HIPAA provides significant protections for your health information, certain circumstances allow for limitations or exceptions. Here are some key exceptions:
        1. Treatment, Payment, and Healthcare Operations: Covered entities can use and share the information needed to provide your care, bill for it, and run the organization without your explicit permission.
        2. Emergency Situations, Public Interest and Safety: HIPAA allows disclosures of PHI without patient consent in situations that serve the public interest or safety. This includes reporting diseases to public health authorities, reporting child abuse or neglect, and disclosures needed to prevent a serious and imminent threat to someone's health or safety.
        3. Legal Proceedings: Your PHI may be disclosed without your authorization in response to a court order. A subpoena or discovery request that is not signed by a judge is only sufficient if the covered entity receives satisfactory assurances that you were notified or that a protective order was sought. This includes situations where you are a party to a lawsuit, such as a malpractice claim.
        4. Stringent State Laws: In some instances, state laws provide stronger privacy protections than HIPAA. In these cases the state law takes precedence over HIPAA.
        5. De-identified Information: Data that has been de-identified is not considered PHI and is not subject to the Privacy Rule. HIPAA recognizes two ways to de-identify data: a documented expert determination that the risk of re-identification is very small, or the "Safe Harbor" method, under which the following 18 categories of identifiers of the patient (and of the patient's relatives, employers and household members) must be removed, and the covered entity must have no actual knowledge that the remaining data could identify the individual:
          1. Names
          2. Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code and equivalent geocodes). The first three digits of a ZIP code may be kept only if the area formed by all ZIP codes sharing those three digits has more than 20,000 people; otherwise they are replaced with 000.
          3. All elements of dates except the year that relate directly to the individual (birth date, admission and discharge dates, date of death), and all ages over 89 together with any date element that would reveal such an age; these may be aggregated into a single "90 or older" category
          4. Telephone numbers
          5. Fax numbers
          6. Email addresses
          7. Social Security Numbers
          8. Medical Record Numbers
          9. Health Plan Beneficiary Numbers
          10. Account numbers
          11. Certificate/License Numbers
          12. Vehicle Identifiers and Serial Numbers, including license plate numbers
          13. Device Identifiers and Serial Numbers
          14. Web Universal Resource Locators (URLs)
          15. Internet Protocol (IP) Address Numbers
          16. Biometric Identifiers, including fingerprints and voiceprints
          17. Full-Face Photographic Images and any comparable images
          18. Any Other Unique Identifying Number, Characteristic or Code (passport numbers, employee IDs and the like)
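The Safe Harbor list above is a specification, and the mistakes in practice are in the edge cases: keeping five-digit ZIP codes, keeping full dates, leaving a birth year for a 93-year-old, or releasing free-text notes that still contain a phone number. The following is an added example, written for this page and not code from the original article or any HIPAA tool; it applies the Safe Harbor rules to a structured record using a default-deny allow-list of clinical fields. The field names, the fictional sample record, the reference date, and the list of sparsely populated three-digit ZIP areas (taken from the 2000 Census figures in HHS guidance, which must be checked against current data) are all assumptions for illustration.

```python
"""Safe Harbor de-identification of a structured patient record.

Added example (not from the original page). Field names, the constructed
sample record and the reference date are assumptions for illustration.
"""
import re
from datetime import date

# Three-digit ZIP prefixes whose combined population was 20,000 or fewer in
# the 2000 Census figures cited in HHS de-identification guidance. Verify
# against current Census data before relying on this list.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Default-deny: only these non-identifying clinical fields pass through.
CLINICAL_FIELDS = {"sex", "diagnosis", "procedure", "lab_results"}
# Dates directly related to the individual are reduced to the year.
DATE_FIELDS = {"dob", "admitted", "discharged", "deceased"}
# Free text is scanned for identifier patterns before release.
TEXT_FIELDS = {"notes"}
AS_OF = date(2025, 2, 19)  # assumed reference date for age calculation

FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"https?://\S+"), "[URL]"),
]


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 if that area is too sparsely populated."""
    digits = re.sub(r"\D", "", zip_code or "")[:5]
    if len(digits) != 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def parse_iso_date(value):
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value or "")
    return date(*map(int, m.groups())) if m else None


def age_on(dob_iso, as_of):
    born = parse_iso_date(dob_iso)
    if born is None:
        return None
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def scrub_text(text):
    """Replace identifier patterns in free text with labelled placeholders."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def safe_harbor(record, as_of=AS_OF):
    """Return (de-identified record, names of fields that were dropped)."""
    out, dropped = {}, []
    for key, value in record.items():
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            d = parse_iso_date(value)
            out[key + "_year"] = d.year if d else None
        elif key in TEXT_FIELDS:
            out[key] = scrub_text(value)
        elif key in CLINICAL_FIELDS:
            out[key] = value
        else:
            dropped.append(key)  # names, contact details, MRNs, sub-state geography, ...
    age = age_on(record.get("dob"), as_of)
    if age is not None:
        if age > 89:
            # Ages over 89 collapse into one bucket, and the birth year is
            # withheld as well because it would reveal the age.
            out["age"], out["dob_year"] = "90+", None
        else:
            out["age"] = age
    return out, dropped


# Constructed sample record (fictional data) exercising each rule.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1931-06-15",
    "street": "12 Example Lane", "city": "Sampleville", "county": "Sample County",
    "zip": "05901",
    "phone": "802-555-0142", "mrn": "MRN-0012345",
    "admitted": "2024-11-03",
    "sex": "F", "diagnosis": "I10",
    "notes": "Daughter (802-555-0199, d.sample@example.com) is primary contact.",
}

if __name__ == "__main__":
    deidentified, removed = safe_harbor(SAMPLE_RECORD)
    print(deidentified)
    print("dropped:", removed)
```

Two design choices matter here. Unknown fields are dropped rather than passed through, so a new column added upstream cannot leak an identifier by default, and the caller gets the list of dropped names to review. The regex scrub of free text is a safety net, not a guarantee: names and other identifiers in narrative text are not caught by patterns, which is why notes fields in de-identified datasets are normally excluded entirely or reviewed by hand, and why the covered entity must still have no actual knowledge that the released data can identify someone.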
  • Does HIPAA apply to all healthcare providers?

    • HIPAA does not apply to all healthcare providers; it applies to "covered entities" and their "business associates." A healthcare provider is a covered entity only if it transmits health information electronically in connection with a HIPAA standard transaction (for example, submitting claims electronically), which in practice covers most physicians, dentists, psychologists, hospitals, pharmacies, nursing homes and home health agencies. The other covered entities are health plans, including Medicare and Medicaid, and healthcare clearinghouses (Navicure, ZirMed, Availity, CureMD). Healthcare clearinghouses act as intermediaries between healthcare providers and health plans, facilitating the processing of health information; their primary function is to review and validate healthcare claims from providers before forwarding them to health plans for payment. Business associates, the vendors and contractors that handle PHI on a covered entity's behalf, have been directly liable under the Security Rule and parts of the Privacy Rule since the HITECH Act.
  • How does HIPAA protect my data during emergencies?

    • The HIPAA Privacy Rule is not suspended during an emergency, so healthcare providers must still comply with it and protect PHI even in a crisis. However, when the President declares an emergency or disaster and the Secretary of Health and Human Services (HHS) declares a public health emergency, the Secretary may waive sanctions and penalties for a hospital's noncompliance with specific Privacy Rule provisions under section 1135 of the Social Security Act. These include the requirement to obtain a patient's agreement before discussing their care with family members or friends, the requirement to honor a request to opt out of the facility directory, the requirement to distribute a notice of privacy practices, and the patient's right to request privacy restrictions or confidential communications. Such a waiver is temporary: it applies only in the emergency area and period, only to hospitals that have implemented their disaster protocol, and only for up to 72 hours from the time the hospital implements that protocol.
  • Can I see the privacy practices of my provider?

    • Yes, you can see the privacy practices of your healthcare provider. Under HIPAA, healthcare providers are required to provide patients with a Notice of Privacy Practices, which outlines how they may use and disclose your PHI and your patient rights regarding that information.