Does HIPAA Protect My Medical Records? A Simple Answer by Who’s Handling Them


Kevin Henry

HIPAA

January 19, 2024

6 minutes read

Overview of HIPAA Privacy Protections

The short answer: your medical records are protected by HIPAA when they’re handled by a covered entity or its business associate. If a consumer app or wearable collects your data outside that system, HIPAA usually doesn’t apply, though other laws may.

HIPAA’s Privacy Rule governs when protected health information can be used or disclosed. The Security Rule sets standards for safeguarding electronic PHI. Together, they create a federal “floor” of privacy and security protections across healthcare.

  • Covered: doctors, hospitals, clinics, pharmacies, health plans, healthcare clearinghouses, and vendors handling PHI for them.
  • Not typically covered: employers (as employers), life insurers, many mobile health apps and wearables, most schools (FERPA applies), and direct-to-consumer services not working for a covered entity.

State privacy laws and consumer protection rules can add protections on top of HIPAA, but they don’t replace it for covered entities.

Definition of Protected Health Information

Protected health information (PHI) is individually identifiable health data created, received, maintained, or transmitted by a covered entity or business associate. It includes identifiers (like name, address, contact details) linked to health status, care provided, or payment for care.

PHI can exist in any form—paper charts, verbal conversations, electronic records, images, lab results, and billing files. De‑identified data is not PHI; HIPAA recognizes two ways to get there: the Safe Harbor method, which removes 18 categories of identifiers (names, geographic units smaller than a state apart from the first three ZIP digits, all date elements except year, contact and account numbers, and so on), or an expert determination that the re‑identification risk is very small. Limited data sets, which remove direct identifiers but may keep dates and city, state, and ZIP code, are still PHI: they can be shared only for research, public health, or health care operations under a data use agreement.
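The difference between the two outputs is easiest to see on a record. The following is an added example written for this page, not the page's own code: it applies the Safe Harbor transformations and, separately, produces a limited data set from the same constructed patient records, then checks what identifiers remain. The field names, the sample patients, the AS_OF date and the short list of restricted ZIP prefixes are assumptions made for illustration (the real restricted-ZIP list is derived from Census population data).

```python
"""Added example: Safe Harbor de-identification versus a limited data set.

Constructed for this page; not the page's own code. Field names, sample
patients and AS_OF are assumptions. The transformations follow the HHS
Safe Harbor method (45 CFR 164.514(b)(2)); RESTRICTED_ZIP3 is an
illustrative subset, not the authoritative Census-derived list.
"""
from __future__ import annotations
import datetime as dt

# The 16 direct identifiers that both Safe Harbor and a limited data set remove.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
# Safe Harbor additionally removes geography below state level (except ZIP3)
# and every date element except the year; a limited data set may keep these.
GEO_BELOW_STATE = {"city", "county", "zip"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# ZIP3 areas with 20,000 or fewer residents must be reported as "000".
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692"}  # illustrative subset

AS_OF = dt.date(2024, 1, 19)  # constructed reporting date (the article's publication date)

PATIENTS = [  # constructed sample records
    {"name": "Jane Doe", "mrn": "MRN-0042", "dob": "1931-05-14", "admit_date": "2024-01-03",
     "street_address": "12 Elm St", "city": "Keene", "state": "NH", "zip": "03601",
     "email": "jane@example.com", "diagnosis": "I10"},
    {"name": "John Roe", "mrn": "MRN-0043", "dob": "1980-02-10", "admit_date": "2023-11-30",
     "street_address": "9 Oak Ave", "city": "Boston", "state": "MA", "zip": "02115",
     "phone": "617-555-0100", "diagnosis": "E11.9"},
]


def age_on(dob_iso: str, as_of: dt.date) -> int:
    dob = dt.date.fromisoformat(dob_iso)
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record: dict, as_of: dt.date = AS_OF) -> dict:
    """Strip the Safe Harbor identifier categories; the result is no longer PHI."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in GEO_BELOW_STATE}
    # Dates: keep the year only. Ages 90 and over are aggregated to "90+" and
    # the birth year is dropped, because year plus age would reveal it.
    for f in DATE_FIELDS:
        if f in out:
            out[f] = out[f][:4]
    age = age_on(record["dob"], as_of)
    if age >= 90:
        out["age"] = "90+"
        out.pop("dob", None)
    else:
        out["age"] = age
    # Geography: first three ZIP digits, or 000 for sparsely populated areas.
    if "zip" in record:
        zip3 = record["zip"][:3]
        out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
    return out


def limited_data_set(record: dict) -> dict:
    """Remove direct identifiers but keep dates and city/state/ZIP.
    Still PHI: may be shared only under a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def residual_identifiers(record: dict) -> set:
    """Pre-release check: which Safe Harbor identifier elements are still present?"""
    leaks = {k for k in record if k in DIRECT_IDENTIFIERS or k in GEO_BELOW_STATE}
    leaks |= {f for f in DATE_FIELDS if f in record and len(str(record[f])) > 4}
    age = record.get("age")
    if age is not None and age != "90+" and int(age) >= 90:
        leaks.add("age")
    return leaks


if __name__ == "__main__":
    for p in PATIENTS:
        print("safe harbor:", safe_harbor(p))
        print("limited data set:", limited_data_set(p),
              "-> still carries", sorted(residual_identifiers(limited_data_set(p))))
```

The residual_identifiers check is the part worth keeping: run it over every column of a dataset before it leaves the covered entity, because a single surviving date or five-digit ZIP turns a "de-identified" extract back into PHI.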

Some information is expressly excluded: education records under FERPA, employment records held by a covered entity in its role as employer, and health information about someone who has been deceased for more than 50 years.

Rights to Access and Correct Records

HIPAA gives you individual access rights to your records in designated record sets—the medical and billing records a provider or plan uses to make decisions about you. You can inspect or get copies, including electronic copies if the information is maintained electronically.

Covered entities generally must respond within 30 days, with one 30‑day extension if necessary. You can ask that a copy be sent to a third party you choose; that request must be in writing, signed by you, and clearly identify the recipient. Fees must be reasonable and cost‑based (labor for copying, supplies, and postage); retrieval or "search" fees aren't allowed under HIPAA.

You also have the right to request an amendment if something is inaccurate or incomplete. Providers and plans must act within 60 days (with one 30‑day extension). If they deny the amendment, they must explain why and let you submit a statement of disagreement that travels with the record.

Administrative and Technical Safeguards

The Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic PHI. Risk analysis and risk management are foundational—identify risks, implement controls, and review them regularly.

Administrative safeguards

  • Assign security responsibility, conduct workforce training, and apply sanctions for violations.
  • Adopt policies for access authorization, contingency planning, and the minimum necessary standard for routine uses and disclosures.
  • Execute and manage business associate agreements to ensure vendors protect PHI.

Technical and physical safeguards

  • Unique user IDs and audit controls (both required specifications) so that every action on ePHI is attributable to one person and can be reviewed; role‑based access so that each user sees only the fields their job requires.
  • Automatic logoff after a period of inactivity (addressable) so that an unattended workstation doesn't leave open records exposed.
  • Integrity controls to detect improper alteration or destruction of ePHI, and transmission security for data in motion.
  • Encryption is an addressable specification, which is not the same as optional: if reasonable and appropriate, use it; if not, document why and implement an equivalent alternative measure.
  • Facility access controls, secure workstations, device/media disposal, and reliable backups and disaster recovery.
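A minimal implementation of several of these controls, added here as an illustration and not taken from the page or any vendor product: a PHI access gate that requires a per-user session, limits each role to the minimum necessary fields, enforces automatic logoff after inactivity, and writes every attempt to a hash-chained audit log so that edits to earlier entries are detectable. The role policy, the patient record, the user IDs and the 15-minute timeout are assumptions made for the example.

```python
"""Added example (not the page's code): a minimal PHI access gate applying
the technical safeguards listed above: unique user IDs, role-based access
limited to minimum-necessary fields, automatic logoff after inactivity, and
a hash-chained audit log whose entries cannot be altered unnoticed.

Every concrete value here is an assumption made for illustration: the role
policy, the patient record, the user IDs and the 15-minute idle timeout.
"""
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass, field

# Minimum-necessary policy: which record fields each role may read (constructed).
ROLE_FIELDS = {
    "physician": {"diagnosis", "medications", "lab_results"},
    "billing": {"billing_codes", "insurance_id"},
    "front_desk": {"appointment_time"},
}
AUTO_LOGOFF_SECONDS = 15 * 60  # assumed idle timeout

# One constructed patient record, keyed by a hypothetical patient ID.
RECORDS = {
    "P-1001": {
        "diagnosis": "I10",
        "medications": ["lisinopril 10 mg"],
        "lab_results": {"A1c": 6.1},
        "billing_codes": ["99213"],
        "insurance_id": "INS-77",
        "appointment_time": "2024-01-22T09:00",
    }
}


class AccessDenied(Exception):
    pass


@dataclass
class Session:
    user_id: str        # one ID per workforce member; shared logins defeat the audit trail
    role: str
    last_active: float  # epoch seconds of the last request


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(prev_hash: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev_hash + body).encode()).hexdigest()

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = dict(event, prev_hash=prev, hash=self._digest(prev, event))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain. False if any entry was edited or reordered; a
        truncated tail is caught only by comparing the last hash with a copy
        stored outside this log."""
        prev = "0" * 64
        for entry in self.entries:
            event = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
            if entry["prev_hash"] != prev or entry["hash"] != self._digest(prev, event):
                return False
            prev = entry["hash"]
        return True


def access_phi(session: Session, patient_id: str, fields: set, now: float, log: AuditLog) -> dict:
    """Return only the requested fields the caller's role may see; log every attempt."""
    base = {"user": session.user_id, "role": session.role, "patient": patient_id,
            "requested": sorted(fields), "time": now}
    # Automatic logoff: an idle session is refused and the refusal is logged too.
    if now - session.last_active > AUTO_LOGOFF_SECONDS:
        log.append(dict(base, granted=[], denied=sorted(fields), outcome="denied:session_expired"))
        raise AccessDenied("session expired; re-authenticate")
    session.last_active = now
    # Minimum necessary: intersect the request with the role's permitted fields.
    allowed = ROLE_FIELDS.get(session.role, set())
    granted, denied = sorted(fields & allowed), sorted(fields - allowed)
    log.append(dict(base, granted=granted, denied=denied,
                    outcome="ok" if granted else "denied:no_permitted_fields"))
    record = RECORDS.get(patient_id, {})
    return {f: record[f] for f in granted if f in record}


if __name__ == "__main__":
    log = AuditLog()
    clerk = Session(user_id="u-billing-01", role="billing", last_active=1000.0)
    print(access_phi(clerk, "P-1001", {"billing_codes", "diagnosis"}, 1100.0, log))
    print("chain intact:", log.verify(), "| last entry:", log.entries[-1]["outcome"])
```

Note that denials are logged with the same detail as successes: a user repeatedly requesting fields outside their role is exactly the pattern an audit review should surface. Persist the latest chain hash to a separate write-once location on each append so that truncating the log is detectable as well.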

When a breach occurs, HIPAA's Breach Notification Rule presumes that an impermissible use or disclosure is a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; HHS must be notified as well, and a breach affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets.

Limits of HIPAA Coverage

HIPAA does not cover every health‑related organization or dataset. Its protections hinge on who holds the information and why. If a fitness app, employer, or life insurer collects data independently of a covered entity, HIPAA typically doesn’t apply.

  • Permitted disclosures without authorization include certain public health activities, health oversight, law enforcement with proper legal process, and to prevent serious threats to health or safety.
  • De‑identified information isn’t PHI and can be used or shared outside HIPAA’s restrictions.
  • State laws that are more protective of privacy can apply in addition to HIPAA; covered entities must follow both where applicable.

Understanding these limits helps you evaluate when “Does HIPAA protect my medical records?” is a yes, and when other laws—or only a company’s privacy policy—are in play.

Responsibilities of Covered Entities

Covered entities must provide a Notice of Privacy Practices explaining how they use and disclose PHI, your individual access rights, and how to file complaints. They must implement policies, train staff, and document compliance.

  • Apply the minimum necessary rule for routine uses/disclosures, and use role‑based access.
  • Maintain and monitor security controls under the Security Rule, and manage vendors through business associate agreements.
  • Provide timely access and amendment responses, and an accounting of certain disclosures upon request.
  • Investigate incidents and issue breach notifications when required.

Health plans and providers also must periodically review risks, test contingency plans, and update procedures as technology and workflows change.

Role of Business Associates

Business associates are vendors or partners that create, receive, maintain, or transmit PHI for a covered entity—think cloud hosts, billing companies, EHR providers, and analytics firms. They are directly liable under HIPAA for safeguarding PHI and complying with the Security Rule.

Business associate agreements define the vendor’s permitted uses and disclosures, required safeguards, breach reporting duties, subcontractor obligations, and termination rights. Subcontractors who handle PHI are also bound by these protections through cascading agreements.

Conclusion

HIPAA protects your medical records when handled by covered entities and their business associates, setting rules for privacy, security, and individual access rights. Outside that ecosystem—such as many consumer apps—HIPAA usually doesn’t apply, so you should review other applicable laws and the company’s privacy practices.

FAQs

What types of medical records are protected by HIPAA?

Any individually identifiable health information held by a covered entity or its business associate is protected, including medical and billing records, test results, care plans, images, insurance information, and electronic messages about your care. De‑identified data isn’t PHI, and some categories like FERPA education records and employer‑held employment records are excluded.

Who qualifies as a covered entity under HIPAA?

Covered entities are health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in standard transactions (such as billing). Their vendors that handle PHI are business associates and must comply through business associate agreements.

How can individuals request access to their medical records?

Submit a written or electronic request to the provider or health plan that maintains your designated record set. You can request paper or electronic copies, ask that records be sent to a third party, and expect a response within 30 days (with one possible 30‑day extension). Fees must be reasonable and cost‑based; retrieval fees aren’t permitted under HIPAA.

Does HIPAA cover every health‑related organization?

No. HIPAA applies to covered entities and their business associates. Many health‑related organizations—like standalone wellness apps, device makers, employers, or life insurers—aren't covered unless they're working for a covered entity with PHI. Other federal or state laws may still protect your data in those contexts.
