Does HIPAA Cover Medical Records? What’s Protected, What Isn’t, and Who Must Comply
HIPAA Coverage of Medical Records
Yes—HIPAA covers medical records when they qualify as protected health information created or received by a covered entity or its business associate. That protection applies to records in any medium: paper charts, electronic health records (EHRs), images, audio, video, and even spoken information tied to an identifiable person.
HIPAA protection is broad but not absolute. It does not apply to information that cannot identify an individual, and certain categories of records are outside the rule’s scope. In practice, “medical records” are covered when they are part of health care operations, treatment, or payment activities of a covered entity.
- Not covered: de-identified data, education records governed by FERPA, employment records held by an employer, most files kept by life insurers or workers’ compensation carriers, and data in consumer apps or wearables unless those apps act for a covered entity.
- Time limit after death: information ceases to be PHI 50 years after an individual’s death.
Protected Health Information Components
Protected health information (PHI) is any individually identifiable health information related to a person’s health status, care, or payment for care. PHI becomes identifiable when it includes one or more direct identifiers. Below are the standard identifiers used for HIPAA de-identification analysis:
- Names
- Geographic data smaller than a state
- All elements of dates (except year) related to an individual
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (e.g., fingerprints, voiceprints)
- Full-face photos and comparable images
- Any other unique identifying number, characteristic, or code
A “limited data set” removes many direct identifiers but still counts as PHI and can be shared only under a data use agreement. By contrast, data that are properly de-identified are not PHI. Many records that make up a patient’s “designated record set” (for example, medical and billing records used to make decisions about you) are PHI.
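The identifier list above is what a de-identification pass has to strip or generalize. The following is an added example (not code from the page or from Accountable) of a safe-harbor style scrubber over a single record: it drops fields that carry direct identifiers, reduces dates to the year and geography to the state, and masks identifier-shaped strings that leak into free text. The field names, regexes and the sample record are assumptions constructed for the example, not a real EHR schema.

```python
import re

# Constructed field names for this example; a real EHR export has its own schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# Identifier-shaped strings that commonly leak into free-text notes.
FREE_TEXT_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    ("url", re.compile(r"https?://\S+"), "[URL]"),
    ("date", re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"\1"),  # keep the year only
]

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "dob": "1984-07-19",
    "address": {"street": "1 Main St", "city": "Springfield", "state": "IL", "zip": "62701"},
    "diagnosis": "Type 2 diabetes",
    "notes": "Follow up 2024-03-02; call 555-123-4567 or jane@example.com.",
}

def safe_harbor_deidentify(record):
    """Return (deidentified_copy, audit_log) for one record (dict)."""
    out, audit = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            audit.append(f"dropped field {key}")
        elif key in DATE_FIELDS and isinstance(value, str):
            out[key] = value[:4]  # ISO date assumed; month and day removed
            audit.append(f"generalized {key} to year")
        elif key == "address" and isinstance(value, dict):
            out["state"] = value.get("state")  # nothing smaller than a state survives
            audit.append("reduced address to state")
        else:
            if isinstance(value, str):
                for label, pattern, repl in FREE_TEXT_PATTERNS:
                    value, n = pattern.subn(repl, value)
                    if n:
                        audit.append(f"masked {n} {label} in {key}")
            out[key] = value
    return out, audit
```

The audit log is what you keep for the documentation obligation: it records which identifiers were removed without retaining their values. Pattern masking of free text is best-effort and needs review before a record is treated as de-identified.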
Rights to Access PHI
You have a right to access, inspect, or obtain a copy of your PHI in the designated record set. Providers and health plans generally must respond within 30 days (with one 30-day extension when needed) and must provide the information in the form and format you request if readily producible, including electronic formats for ePHI.
You may direct a copy to a third party of your choosing. Fees must be reasonable and cost-based (for labor, supplies, and postage) and may not be used to discourage you from obtaining your records. Access cannot be denied because of unpaid bills for services.
Exceptions to Access Rights
HIPAA permits denial of access in limited situations. Common exceptions include:
- Psychotherapy notes kept separately by a mental health professional.
- Information compiled for use in civil, criminal, or administrative actions or proceedings.
- Research records while a study is in progress if you agreed to temporary suspension of access.
- Records obtained from someone other than a health care provider under a promise of confidentiality if access would reveal the source.
- Certain correctional institution scenarios where access would jeopardize health, safety, security, or rehabilitation.
- Situations where a licensed professional determines that access is reasonably likely to endanger life or physical safety of you or another person.
Some denials must be reviewable by another licensed professional on request; others are not reviewable (for example, psychotherapy notes).
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Covered Entities Definition
A covered entity is one of three types of organizations subject to HIPAA: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions (such as claims, eligibility checks, or referrals).
- Health plans: insurers, HMOs, Medicare, Medicaid, employer group health plans, and certain government programs.
- Health care providers: physicians, clinics, hospitals, pharmacies, laboratories, dentists, therapists—if they conduct covered electronic transactions.
- Health care clearinghouses: organizations that translate or process nonstandard health information into standard formats and vice versa.
Merely being a “provider” does not automatically make an organization a covered entity; the trigger is participating in standard electronic transactions.
Business Associates Role
A business associate is any person or company that performs services for or on behalf of a covered entity and needs PHI to do so. Typical examples include EHR vendors, billing companies, cloud storage providers, telehealth platforms, practice management firms, claims processors, legal or consulting firms accessing PHI, and analytics vendors.
Covered entities must have a business associate agreement (BAA) with each business associate. BAAs define permitted uses and disclosures, require safeguards, mandate breach reporting, and flow down obligations to subcontractors. Business associates are directly liable for compliance with applicable HIPAA provisions, including the Security Rule and parts of the Privacy and Breach Notification Rules.
Compliance Requirements for PHI Protection
To protect PHI, covered entities and business associates must implement a coordinated program that addresses policy, people, technology, and facilities. Three safeguard categories anchor the HIPAA Security Rule, and the Privacy and Breach Notification Rules add further obligations.
- Administrative safeguards: risk analysis and risk management; workforce training and sanctions; security officer roles; policies and procedures; vendor oversight; contingency and incident response planning.
- Physical safeguards: facility access controls; workstation and device security; media reuse and disposal; visitor management and environmental protections.
- Technical safeguards: unique user IDs and role-based access; multi-factor authentication where appropriate; encryption at rest and in transit; audit logs and monitoring; integrity controls and secure transmission.
Core Privacy Rule practices include the minimum necessary standard, authorization for uses beyond treatment, payment, and health care operations, timely access to the designated record set, and a clear Notice of Privacy Practices. Breach Notification requires prompt assessment and notification to affected individuals (and, in some cases, regulators and media). Maintain documentation and retention, regularly test safeguards, and update BAAs as systems and vendors change.
Bottom line: HIPAA does cover medical records when they are PHI handled by a covered entity or business associate. Understanding what counts as PHI, who is regulated, your access rights, and the required administrative safeguards, physical safeguards, and technical safeguards helps you protect data and comply with the law.
FAQs
What types of medical records are protected under HIPAA?
Any records that are part of your designated record set—such as clinical notes, test results, images, care plans, and billing files—are protected when they include identifiers and are held by a covered entity or its business associate. Paper, electronic, and verbal PHI are all covered.
Who qualifies as a covered entity under HIPAA?
Covered entities include health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions (for example, submitting electronic claims). Providers that never conduct those transactions electronically may fall outside HIPAA.
What are the rights of individuals to access their PHI?
You can inspect or get copies of PHI in your designated record set within 30 days (with one possible 30-day extension). You may request a specific form and format, receive electronic copies of ePHI, direct records to a third party, and pay only reasonable, cost-based fees.
What penalties exist for non-compliance with HIPAA?
Penalties range from corrective action plans and civil monetary penalties (tiered by culpability and capped annually) to criminal penalties for certain wrongful disclosures. Regulators may also require monitoring and impose settlements that include significant remediation.