Is Your Medical History Protected by HIPAA? What’s Covered, What Isn’t, and Your Rights
HIPAA Privacy Rule Protections
The HIPAA Privacy Rule sets a national baseline for how your medical history—called Protected Health Information (PHI)—may be used and disclosed. It governs who can see your information, when they can share it, and what rights you have to control it.
Core protections you can expect
- Clear boundaries on uses and disclosures: treatment, payment, and health care operations are permitted; most other uses require your Individual Authorization.
- Minimum necessary: when a use is not for treatment, only the least amount of PHI needed should be shared.
- Transparency: you receive a Notice of Privacy Practices that explains how your PHI may be used.
- Security and breach response: entities must safeguard electronic PHI and notify you if a breach compromises it.
- Public interest limits: Public Health Exceptions and other narrow allowances exist, but they are purpose‑bound and time‑limited.
Together, these safeguards are designed to protect your privacy while allowing essential care coordination, quality improvement, and safety reporting.
Covered Entities and Their Responsibilities
HIPAA applies to Covered Entities—health care providers that transmit standard transactions, health plans, and health care clearinghouses—and to their Business Associates that handle PHI on their behalf. Subcontractors that receive PHI from a Business Associate are also bound by HIPAA through written agreements.
Responsibilities you can expect
- Limit access to PHI using the minimum necessary standard and role‑based controls.
- Train workforce members, designate a privacy official, and maintain written policies.
- Provide timely access to records, process amendments, and track certain disclosures.
- Implement administrative, physical, and technical safeguards for electronic PHI.
- Investigate incidents and issue breach notifications when required.
Who is not covered (common surprises)
- Most life insurers, employers (employment records), schools and school nurses subject to FERPA, and many consumer health apps or wearable vendors that are not acting for a Covered Entity.
- Personal health records you keep yourself, unless a Covered Entity or its Business Associate operates the tool.
If an organization is not a Covered Entity or Business Associate, HIPAA likely does not apply—even though other privacy or consumer protection laws might.
Scope of Protected Health Information
PHI is individually identifiable health information held or transmitted by a Covered Entity or Business Associate, in any form. Your diagnoses, medications, lab results, claims data, care plans, and medical history—including family medical history recorded in your chart—are PHI.
The 18 identifiers that make data identifiable
Data are considered identifiable when linked to any of these elements:
- Names.
- Geographic details smaller than a state (street address, city, ZIP—limited exceptions for the first three digits).
- All elements of dates (except year) related to an individual; ages over 89 grouped as 90+.
- Telephone numbers and fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers and health plan beneficiary numbers.
- Account numbers and certificate or license numbers.
- Vehicle identifiers and license plates.
- Device identifiers and serial numbers.
- Web URLs and IP addresses.
- Biometric identifiers (e.g., fingerprints, voiceprints).
- Full‑face photos and comparable images.
- Any other unique identifying number, characteristic, or code.
De‑identification and limited data
Data that are de‑identified via expert determination or by removing the identifiers above are not PHI. Limited data sets, which exclude most direct identifiers but keep some elements like dates or city, can be used for specific purposes under a data use agreement.
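The identifier list above and the de‑identification paragraph describe a mechanical process: strip the direct identifiers, reduce dates to the year, cap ages at "90+", and truncate ZIP codes to three digits. The script below is an added example (not code from this page or from Accountable) that applies those rules to a single record and then scans any remaining free text for identifier‑like strings, since notes fields are where identifiers most often survive a field‑level scrub. Everything in it is an assumption for illustration: the field names, the sample record, and the set of restricted three‑digit ZIP prefixes (the real set comes from census population counts, not from this page). The birth‑year rule for patients over 89 follows the Safe Harbor text, which treats any date element indicative of an age over 89 as an identifier.

```python
"""Field-level de-identification of a patient record, Safe Harbor style (added example)."""
import re
from datetime import date

# Record fields that carry one of the direct identifiers listed above
# (names, contact details, SSN, MRN, plates, serials, URLs/IPs, biometrics,
# photos). Field names are constructed for this example; real schemas differ.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "city", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "url", "ip_address",
    "biometric_template", "photo",
})

# Fields holding dates directly related to the individual (year may be kept).
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date", "date_of_death"})

# ZIP3 prefixes covering 20,000 or fewer residents must become "000".
# Placeholder set constructed for this example; not an authoritative list.
RESTRICTED_ZIP3 = frozenset({"036", "059", "102"})

# Identifier shapes that commonly leak through free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code):
    """Keep the first three digits of a ZIP, or '000' for restricted prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    zip3 = digits[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(iso_date):
    """Reduce an ISO date to its year; month and day are identifiers."""
    return str(date.fromisoformat(iso_date).year)


def generalize_age(age):
    """Aggregate ages over 89 into the single category '90+'."""
    return "90+" if age > 89 else str(age)


def deidentify(record):
    """Return a de-identified copy of a record dict; the input is not modified."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifier: removed outright
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            # A birth year for someone over 89 is itself indicative of age.
            if key == "dob" and over_89:
                continue
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value
    return out


def residual_identifiers(text):
    """Names of identifier patterns still present in free text (a check, not a proof)."""
    return sorted(name for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(text))


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "12 Sample St",
    "city": "Springfield",
    "zip": "03601",
    "dob": "1931-04-17",
    "age": 93,
    "admit_date": "2024-02-03",
    "mrn": "MRN-000123",
    "diagnosis_code": "E11.9",
    "notes": "Patient prefers calls at 555-867-5309; labs stable.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("identifier-like strings left in notes:", residual_identifiers(cleaned["notes"]))
```

On the sample record the structured fields come out clean (ZIP "000", age "90+", birth date dropped, admission reduced to "2024"), but the notes field still contains a phone number, which is exactly why field‑level scrubbing alone does not make a record de‑identified: free text needs its own review or an expert determination.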
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Individual Rights Under HIPAA
HIPAA grants you powerful rights to see, control, and correct your medical history. Understanding these rights helps you use the law effectively.
Right of access and copies
You may inspect or obtain a copy of your PHI in the designated record set, including billing records. You can request electronic formats and have records sent to a third party you designate. Covered Entities generally must respond within 30 days (with one 30‑day extension if needed) and may charge only reasonable, cost‑based fees.
Right to request amendments
If something is inaccurate or incomplete, you can request an amendment. The provider must act within 60 days (with one 30‑day extension) and either make the change or give a written denial explaining why. If denied, you can add a statement of disagreement that becomes part of your record.
Right to request restrictions and confidential communications
You may ask a provider or plan to limit certain uses or disclosures. While most restrictions are optional for the entity, providers must honor your request not to disclose a self‑paid service to your health plan if you paid in full out of pocket. You can also request communications at an alternate address or channel for safety or privacy.
Accounting of disclosures
You can receive an accounting of certain non‑routine disclosures made in the past six years, excluding most treatment, payment, and operations disclosures. This helps you see where your PHI has gone.
Individual Authorization and revocation
Uses or disclosures outside treatment, payment, health care operations, and specific exceptions require your written Individual Authorization. You may revoke authorization at any time in writing, except to the extent action has already been taken in reliance on it.
Discrimination Protections
HIPAA and related laws provide Discrimination Protections. Health plans may not use genetic information for underwriting, and employers cannot use your medical history obtained through a group health plan to make employment decisions. Additional federal and state civil rights laws further restrict discriminatory uses of health information.
Exceptions to Privacy Protections
HIPAA allows certain uses and disclosures without your authorization when necessary to protect public interests or ensure the health system functions safely.
Permitted uses and disclosures without authorization
- Treatment, payment, and health care operations (e.g., care coordination, quality improvement).
- Public Health Exceptions (e.g., reporting certain diseases, adverse events, or abuse/neglect to authorized agencies).
- Health Oversight Disclosures for audits, inspections, licensure, or investigations by oversight authorities.
- Judicial and law enforcement purposes under specific legal processes and limits.
- Research with Institutional Review Board or Privacy Board waivers and privacy safeguards.
- To avert a serious and imminent threat to health or safety, consistent with professional judgment.
- Organ and tissue donation, coroners/medical examiners, and funeral directors.
- Workers’ compensation and other disclosures required by law.
- Facility directories and disclosures to family or friends involved in your care when you agree, do not object, or when you are incapacitated and it is in your best interests.
Special categories and stricter rules
Psychotherapy notes kept separately require authorization for most uses. Substance use disorder treatment records may have added protections under other federal rules. De‑identified data can often be used more freely because it no longer contains PHI.
Accessing Your Medical Records
Step‑by‑step
- Identify the records you need (e.g., visit notes, imaging, labs, billing) and the date range.
- Ask where to send your request—often Health Information Management (HIM) or the patient portal.
- Submit a written request specifying you want an electronic copy of the designated record set and your preferred format.
- If you want records sent elsewhere, include a signed directive naming the third party and destination.
- Verify your identity promptly; this is required before release.
- Track the timeline: expect a response within 30 days or a written notice of one 30‑day extension.
- Review fees: they must be reasonable and cost‑based; per‑page fees generally don’t apply to electronic copies.
- If denied, request the denial in writing and ask whether the denial is reviewable; appeal where permitted or file a complaint with the entity’s privacy office.
Common pitfalls and how to respond
- If the entity insists on mail or fax only, remind them you may request an electronic copy.
- If the entity limits records to the portal, clarify that the portal is not the full designated record set.
- If sensitive services were self‑paid, reiterate your right to restrict disclosure to your health plan for that service.
Impact of State Laws on Medical Privacy
HIPAA establishes a federal floor. States may enact stricter medical privacy laws, and when a state rule is more protective, the Covered Entity must follow the stricter standard. This is common for mental health, HIV, genetic data, reproductive health, and minors’ consented services.
Examples of stricter protections you might see
- Additional consent requirements before disclosing behavioral health or HIV information.
- Special confidentiality for reproductive or sexual health services, sometimes with minor consent rules.
- Enhanced rights to direct communications away from a primary subscriber or parent for sensitive services.
- Broader consumer health data laws that may cover apps and websites outside HIPAA.
Conclusion
Your medical history is strongly protected under the HIPAA Privacy Rule, which defines PHI, limits uses, and gives you clear rights to access, amend, and control disclosures. Some disclosures are permitted without authorization for care, safety, or oversight, and state laws may add even stronger protections. Knowing the boundaries—and how to exercise your rights—helps you keep your health information private and useful for your care.
FAQs
What types of medical history are protected by HIPAA?
Any individually identifiable health information maintained by a Covered Entity or its Business Associate is Protected Health Information (PHI). That includes diagnoses, medications, lab and imaging results, surgical histories, allergies, clinical notes, billing and claims data, care plans, and family medical history recorded in your chart. When such information is linked to identifiers, it is protected by the HIPAA Privacy Rule.
Can family medical history be disclosed without consent?
Family medical history contained in your record is your PHI. It may be used or disclosed without your authorization for treatment, payment, and health care operations, and in limited situations such as Public Health Exceptions or Health Oversight Disclosures. Other uses generally require your Individual Authorization. Information about a relative in their own record is protected in their file and cannot be disclosed without a valid basis.
What rights do individuals have to access and amend their medical records?
You have the right to obtain copies of your PHI, including electronic copies, and to have records sent to a third party you designate. Covered Entities must respond within set timelines and may charge only reasonable, cost‑based fees. You also have the right to request amendments to correct inaccuracies; if a request is denied, you can submit a statement of disagreement that becomes part of your record.
Are there exceptions to HIPAA protections for medical history?
Yes. HIPAA permits specific disclosures without authorization, including for treatment, payment, health care operations, certain public health reporting, health oversight activities, limited law enforcement and judicial purposes, research under safeguards, workers’ compensation, and to avert serious threats. Outside those purposes, most other uses require your authorization or must be de‑identified before sharing.