HIPAA Privacy Rights

Source: Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191. Privacy Rule: 45 C.F.R. Part 160 and Part 164, Subparts A and E. Right of access: 45 C.F.R. § 164.524. Right to amend: 45 C.F.R. § 164.526. Enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Written in plain language for general understanding. This is educational content, not legal advice. Based on federal statutes and official sources.

Federal Law

What is this right?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law whose Privacy Rule limits how your medical information may be used and shared without your permission. It applies to health plans, healthcare clearinghouses, and healthcare providers (doctors, hospitals, clinics, pharmacies, and others) that transmit health information electronically for billing and similar transactions. These organizations are called covered entities, and the contractors that handle health information for them (business associates) must follow the same rules.

Under HIPAA, a covered entity generally cannot share your medical records, test results, diagnoses, or treatment information with your employer, a family member who is not involved in your care, or anyone else without your written authorization. (Exceptions exist for treatment, payment, and healthcare operations; for example, your doctor can send your records to a specialist treating you without asking you to sign a form.) You also have the right to access your own medical records, request corrections of mistakes, and get an accounting of certain disclosures of your information (routine disclosures for treatment, payment, and healthcare operations are not included in the accounting). When you request your records, the provider must act on the request within 30 days.

When does it apply?

This right applies when:

  • A doctor, hospital, clinic, pharmacy, or health plan has your medical information
  • You want to see or get a copy of your medical records
  • You believe your medical information was shared without your permission
  • You want to correct a mistake in your medical records
  • A healthcare provider or insurer asks you to sign a privacy form (Notice of Privacy Practices)

Common misconceptions:

  • “HIPAA protects all my health information everywhere” — Not true. HIPAA only applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. It does not cover your employer, your school, fitness apps, or social media posts about your health.
  • “My doctor can never share my information” — Doctors can share information without your permission for treatment, payment, and healthcare operations. They can also share it when required by law, such as reporting certain diseases to public health agencies.
  • “My employer can look at my medical records” — Your employer, acting as an employer, is not a covered entity under HIPAA, so employment records (such as sick notes you hand to HR) are not HIPAA-protected. However, if your employer sponsors a group health plan, the plan itself is a covered entity, and health information the plan holds must be kept separate from employment decisions.

What should you do?

Step 1: Request your medical records in writing. You have the right to access your records under 45 C.F.R. § 164.524. Submit a written request to the provider's medical records department. The provider must respond within 30 days (one 30-day extension is allowed if they give you a written reason).

Step 2: If you find an error, submit a written request to amend your records under 45 C.F.R. § 164.526. The provider must act on the request within 60 days (one 30-day extension is allowed if they give you a written reason). If they deny the correction, they must explain why in writing, and you can add a statement of disagreement to your file that must be included with any future disclosure of the disputed information.

Step 3: Review the Notice of Privacy Practices every provider gives you. This document explains how they use and share your information. You have the right to ask for extra restrictions on how your information is shared, although the provider is not required to agree to them (the one exception is the self-pay restriction described in Step 5, which the provider must honor).

Step 4: If you believe your HIPAA rights have been violated, file a complaint with the HHS Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint or call 1-800-368-1019. You must file within 180 days of the violation.

Step 5: If you pay for a service in full out of pocket, you can ask the provider not to share information about that visit with your health insurer under 45 C.F.R. § 164.522(a). Unlike other requested restrictions, the provider must agree to this one, unless the disclosure is otherwise required by law.

What should you NOT do?

Don't assume HIPAA covers everything. HIPAA does not apply to health apps, wearable devices, genetic testing companies (like 23andMe), or employers. If you share health information on social media or with a non-covered entity, HIPAA does not protect it.

Don't ignore the Notice of Privacy Practices. Read this document when you receive it. It tells you exactly how the provider will use your information and what your rights are.

Don't sign blanket authorization forms without reading them. Some forms authorize providers to share your information broadly. You have the right to limit what is shared, with whom, for what purpose, and for how long, and a valid authorization must state an expiration date or event. You can also revoke an authorization in writing at any time, although the revocation does not undo disclosures already made while the authorization was in effect.

Don't wait too long to file a complaint. HIPAA complaints must be filed with HHS within 180 days of when you discovered the violation. The deadline can be extended for good cause, but it is better to file promptly.

Nevada Law

How Nevada differs from federal law

HIPAA applies in Nevada exactly as it does elsewhere; Nevada adds state-law protections on top of it:

  • HIPAA applies to all covered entities in Nevada
  • Under Nevada law (Nev. Rev. Stat. 629.061) you have the right to inspect and obtain copies of your health care records, in addition to your federal right of access
  • Providers must act on records requests within 30 days
  • Nevada's consumer health data privacy law, SB 370 (2023), covers consumer health data held by businesses that HIPAA does not reach, such as health apps, and requires consent before that data is collected or shared and gives consumers rights to access and delete it
  • Nevada provides additional protections for genetic information and HIV/AIDS records

Additional Steps in Nevada

File HIPAA complaints with HHS Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint. Nevada Attorney General: (702) 486-3132.

Relevant Law: HIPAA, 42 U.S.C. § 1320d et seq.; 45 C.F.R. Parts 160 and 164. Nev. Rev. Stat. ch. 629 (health care records, including NRS 629.061 on patient access). Nevada SB 370 (2023) (consumer health data).
