
HIPAA Privacy Rights in Massachusetts

Source: Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191. Privacy Rule: 45 C.F.R. Part 160 and Part 164, Subparts A and E. Right of access: 45 C.F.R. § 164.524. Right to amend: 45 C.F.R. § 164.526. Enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

About this article

Reviewed by the Commoner Law Editorial Team. Sourced from primary statutes (U.S. Code, CFR, state compiled statutes) and official government agency guidance. Written in plain language for general understanding — this is educational content, not legal advice.

Massachusetts Law

How Massachusetts differs from federal law

Massachusetts supplements federal HIPAA with strong state health privacy protections:

  • HIPAA applies to covered entities operating in Massachusetts
  • MA has additional protections under MGL c. 111, § 70E (Patients' Bill of Rights) granting patients the right to confidential treatment of medical records
  • MA law provides specific confidentiality protections for mental health records (MGL c. 123, § 36), HIV/AIDS status, and substance abuse treatment records
  • Patients have a right to access and copy their medical records — providers must respond within 30 days
  • MA law limits the cost of medical record copies
  • MA has a comprehensive data breach notification law (MGL c. 93H) requiring notification when health data is compromised
  • Insurance companies must comply with both HIPAA and MA-specific privacy requirements

Additional Steps in Massachusetts

File HIPAA complaints with the U.S. HHS Office for Civil Rights at hhs.gov/ocr or 1-800-368-1019. For state-specific violations, contact the MA Attorney General's office at (617) 727-8400 or the MA Board of Registration in Medicine at (781) 876-8200.

Relevant Law: HIPAA, 45 C.F.R. Parts 160 and 164. MGL c. 111, § 70E (Patients' Bill of Rights). MGL c. 123, § 36 (mental health records). MGL c. 93H (data breach notification).

Federal baseline: HIPAA Privacy Rights nationwide

What is this right?

HIPAA — passed in 1996 — was originally about insurance portability when changing jobs. The medical privacy rules everyone associates with the name came in the Privacy Rule, finalized in 2003 after years of HHS rulemaking. The basic deal: your doctor, hospital, insurer, and pharmacy cannot share your medical records, diagnoses, or test results with your employer, family, or anyone else without your written permission. You have the right to see your own records and to request corrections, with the provider required to respond within 30 days.

Narrow exceptions let providers share information for treatment, payment, and healthcare operations — your doctor can send records to a specialist who is treating you without a signed release. Outside those exceptions, unauthorized disclosures can be reported to the HHS Office for Civil Rights. Penalties scale up to $1.5 million per violation category per year for willful neglect, and the OCR has used them — Anthem paid $16 million in 2018 over a single breach.

When does it apply?

HIPAA applies when:

  • A doctor, hospital, clinic, pharmacy, or health plan has your medical information.
  • You want to see or get a copy of your records.
  • You believe your information was shared without permission.
  • You want to correct an error in your records.
  • A provider or insurer asks you to sign a Notice of Privacy Practices.

Three myths:

  • "HIPAA covers all my health info everywhere." No. HIPAA reaches covered entities and their business associates — and that is it. Your employer, your school, fitness apps, genetic testing companies (23andMe), and social media posts are all outside the law's reach.
  • "My doctor can never share without my permission." Treatment, payment, and healthcare operations are explicit exceptions. Your doctor can talk to your specialist without a signed release. Public health reporting (certain diseases, gunshot wounds) is also generally required by state law.
  • "My employer can read my medical records." Generally no — your employer is not a covered entity. The exception: if your employer runs a self-insured health plan, the plan itself has HIPAA obligations, but it should be walled off from HR decision-making.

What to Do If Your Medical Information Was Shared Without Permission

Step 1: Request your records in writing. Under 45 C.F.R. § 164.524, the provider has 30 days to respond, with one 30-day extension allowed if they give you a written reason. Most providers now offer patient portals that meet the requirement.

Step 2: Found an error? Request an amendment. Under 45 C.F.R. § 164.526, the provider has 60 days to respond. If they refuse, they must explain why, and you have the right to add a statement of disagreement to the file that travels with the record going forward.

Step 3: Read the Notice of Privacy Practices. It tells you exactly how the provider will use and share your information. You have the right to ask for additional restrictions, though the provider is not always required to agree.

Step 4: File complaints with HHS OCR within 180 days. Online at hhs.gov/hipaa/filing-a-complaint or by phone at 1-800-368-1019. The 180-day deadline runs from when you discovered the violation, with limited extensions for good cause.

Step 5: Self-pay rights. Under 45 C.F.R. § 164.522(a), if you pay for a service in full out of pocket, you can require the provider not to share information about that specific visit with your health insurer. Useful for sensitive care you want to keep off your insurance record.

What should you NOT do?

Don't assume HIPAA covers everything called "health." Health apps, wearables, genetic testing services, and most online symptom tools sit outside HIPAA. The data you share with them is governed by the company's privacy policy and your state's consumer privacy law (if any).

Don't toss the Notice of Privacy Practices. It is not legal noise — it tells you exactly what the provider will do with your data and what rights you can exercise.

Don't sign blanket authorizations without reading. A "share with anyone you deem appropriate, for any reason, indefinitely" form is not the same as a targeted release. You can limit scope, recipients, and duration, and you can revoke any authorization in writing at any time.

Don't miss the 180-day complaint window. HHS OCR can extend it for cause, but the default is hard. File as soon as you know about the violation.

