HIPAA Privacy Rights
Written in plain language for general understanding. This is educational content, not legal advice. Based on federal statutes and official sources.
What is this right?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects your medical information from being shared without your permission. It applies to health plans, healthcare clearinghouses, and healthcare providers (doctors, hospitals, clinics, pharmacies, and others) that transmit health information electronically for standard transactions such as claims — these are called covered entities.
Under HIPAA, covered entities generally cannot share your medical records, test results, diagnoses, or treatment information with your employer, family members, or anyone else without your written authorization. (Exceptions exist for treatment, payment, and healthcare operations — for example, your doctor can share your records with a specialist treating you without asking you to sign a form.) You also have the right to access your own medical records, request corrections to mistakes, and get an accounting of certain disclosures of your information (the accounting does not list routine disclosures for treatment, payment, or healthcare operations). When you request your records, the provider must respond within 30 days.
When does it apply?
This right applies when:
- A doctor, hospital, clinic, pharmacy, or health plan has your medical information
- You want to see or get a copy of your medical records
- You believe your medical information was shared without your permission
- You want to correct a mistake in your medical records
- A healthcare provider or insurer asks you to sign a privacy form (Notice of Privacy Practices)
Common misconceptions:
- “HIPAA protects all my health information everywhere” — Not true. HIPAA only applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. It does not cover your employer, your school, fitness apps, or social media posts about your health.
- “My doctor can never share my information” — Doctors can share information without your permission for treatment, payment, and healthcare operations. They can also share it when required by law, such as reporting certain diseases to public health agencies.
- “My employer can look at my medical records” — Your employer is generally not a covered entity, so your providers and health plan cannot release your records to it without your written authorization. HIPAA does not, however, govern records your employer itself holds (for example, sick notes you hand in); other laws may apply to those. If your employer runs a self-insured health plan, the plan itself must follow HIPAA rules, and plan data must be kept separate from employment decisions.
What should you do?
Step 1: Request your medical records in writing. You have the right to access your records under 45 C.F.R. § 164.524. Submit a written request to the provider's medical records department. The provider must respond within 30 days (one 30-day extension is allowed if they give you a written reason).
Step 2: If you find an error, submit a written request to amend your records under 45 C.F.R. § 164.526. The provider must respond within 60 days. If they deny the correction, they must explain why, and you can add a statement of disagreement to your file.
Step 3: Review the Notice of Privacy Practices every provider gives you. This document explains how they use and share your information. You have the right to ask for extra restrictions on how your information is shared, but a provider is not required to agree to them, except in the paid-in-full situation described in Step 5.
Step 4: If you believe your HIPAA rights have been violated, file a complaint with the HHS Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint or call 1-800-368-1019. You must file within 180 days of the violation.
Step 5: If you pay for a service in full out of pocket, you can ask the provider not to share information about that visit with your health insurer under 45 C.F.R. § 164.522(a).
What should you NOT do?
Don't assume HIPAA covers everything. HIPAA does not apply to most consumer health apps and wearable devices, direct-to-consumer genetic testing companies (like 23andMe), or employers, unless the app or service is offered by a covered entity or its business associate. If you share health information on social media or with a non-covered entity, HIPAA does not protect it.
Don't ignore the Notice of Privacy Practices. Read this document when you receive it. It tells you exactly how the provider will use your information and what your rights are.
Don't sign blanket authorization forms without reading them. Some forms authorize providers to share your information broadly. You have the right to limit what is shared, with whom, and for how long. You can also revoke an authorization in writing at any time.
Don't wait too long to file a complaint. HIPAA complaints must be filed with HHS within 180 days of when you discovered the violation. The deadline can be extended for good cause, but it is better to file promptly.
How District of Columbia differs from federal law
The District of Columbia has additional health privacy protections that supplement federal HIPAA:
- DC Code § 44-801 et seq. (Health Care and Community Residence Facility, Hospice and Home Care Licensure Act): Establishes patient rights including the right to confidentiality of medical records and the right to access your own records at all licensed D.C. healthcare facilities.
- DC Mental Health Information Act (DC Code § 7-1201.01 et seq.): Provides heightened confidentiality protections for mental health records. Requires specific written consent for disclosure of mental health information, with narrow exceptions for emergencies.
- DC Data Breach Notification Law (DC Code § 28-3851 et seq.): Requires entities that hold personal health information to notify D.C. residents of data breaches. Covers entities beyond HIPAA's scope.
- DC Human Rights Act health data protections: The DC Human Rights Act (DC Code § 2-1401.01 et seq.) prohibits discrimination based on protected traits that include disability and genetic information, which gives you recourse if medical information is misused against you in employment, housing, or public accommodations.
Additional Steps in District of Columbia
File a complaint with the DC Department of Health at dchealth.dc.gov or call (202) 442-5955. For data breach issues, contact the DC Attorney General's Office at oag.dc.gov. Contact the Legal Aid Society of the District of Columbia at legalaiddc.org for free assistance.
Relevant Law: DC Code § 44-801 et seq. (patient rights), DC Code § 7-1201.01 et seq. (Mental Health Information Act), DC Code § 28-3851 et seq. (data breach notification), DC Code § 2-1401.01 et seq. (Human Rights Act)