What Do HIPAA Laws Protect? Your Medical Privacy and Personal Health Information (PHI)
HIPAA sets a national baseline for how your Protected Health Information (PHI) can be used, shared, and secured. It answers a practical question: What do HIPAA laws protect? In short, your medical privacy and the confidentiality, integrity, and availability of your health records.
Three core rules work together: the HIPAA Privacy Rule, the Security Rule, and the Breach Notification Rule. Together they guide covered entities and their business associates on when PHI may be used or disclosed and how electronic PHI (ePHI) must be safeguarded.
HIPAA Privacy Rule Protections
What the Privacy Rule covers
The HIPAA Privacy Rule protects PHI—any individually identifiable health information related to your past, present, or future health, care, or payment. PHI can exist in paper, electronic, or verbal form and is protected when handled by covered entities or their business associates.
- Identifiers commonly include name, address, dates, phone/email, Social Security and medical record numbers.
- Clinical details (diagnoses, labs, imaging), claims, and billing data are PHI when linked to an individual.
- De-identified data is not PHI; see De-Identification Standards below.
Permitted uses and disclosures without authorization
Covered entities may use or disclose PHI without your authorization for treatment, payment, and health care operations. Other limited disclosures are allowed—such as certain public health activities, health oversight, judicial and law enforcement purposes, research under strict conditions, and to avert serious threats to health or safety.
Disclosures otherwise require your written authorization. Marketing, most sale-of-PHI arrangements, and many non-routine uses need explicit, revocable authorization that specifies scope and expiration.
Minimum necessary standard
When using or sharing PHI, organizations must limit it to the minimum necessary to accomplish the purpose. Role-based access, need-to-know practices, and data segmentation help enforce this standard across routine workflows.
Special categories and notices
Psychotherapy notes receive heightened protection and usually require separate authorization. You must receive a Notice of Privacy Practices explaining how your PHI may be used, your rights, and whom to contact with questions or complaints.
HIPAA is a federal floor. If a state law offers stronger privacy protection, the stricter rule typically applies.
Security Rule Safeguards
Scope and approach
The Security Rule protects electronic PHI. It is risk-based and scalable, allowing organizations to tailor safeguards to their size, complexity, and risks—while still meeting core security objectives.
Administrative safeguards
- Risk analysis and ongoing risk management to address threats and vulnerabilities to ePHI.
- A designated security official (the Privacy Rule separately requires a privacy official), workforce training, and sanctions for violations.
- Contingency planning (backups, disaster recovery, emergency operations) to maintain availability.
- Business Associate management and written agreements governing ePHI.
Physical safeguards
- Facility access controls, visitor procedures, and environmental protections.
- Workstation use and security standards to prevent viewing by unauthorized persons.
- Device and media controls, including secure disposal and reuse procedures.
Technical safeguards
- Access controls (unique IDs, automatic logoff), authentication, and role-based permissions.
- Audit controls to record system activity and support investigations.
- Integrity protections to prevent improper alteration or destruction of ePHI.
- Transmission security; encryption is generally “addressable” but strongly expected where reasonable.
“Required” vs. “addressable” specifications
Required specifications must be implemented as written. For an addressable specification, the entity must assess whether it is reasonable and appropriate in its environment: if so, implement it; if not, document why and implement an equivalent alternative measure where one is reasonable and appropriate. Addressable never means optional, and the assessment itself must be documented.
Breach Notification Requirements
What counts as a breach
A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. Any such incident is presumed to be a breach unless the organization shows a low probability that the PHI was compromised, using a documented risk assessment of at least four factors: the nature and extent of the PHI involved (including the identifiers present and how easily it could be re-identified), the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Notification obligations apply to unsecured PHI; data rendered unusable, unreadable, or indecipherable in line with HHS guidance (for example, encrypted with the key not compromised) falls outside them, which is why encryption at rest and in transit is the single most effective way to shrink breach exposure.
Who must be notified and when
- Individuals: notify without unreasonable delay and no later than 60 calendar days after discovery. A breach is treated as discovered on the first day it is known, or with reasonable diligence would have been known, to any workforce member or agent other than the person who caused it.
- HHS: breaches affecting 500 or more individuals must be reported within the same window as individual notice (no later than 60 calendar days after discovery); smaller breaches are logged and submitted to HHS within 60 days after the end of the calendar year in which they were discovered.
- Media: for breaches affecting more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that area.
- Business Associates: must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, with the identity of each affected individual and any other details the covered entity needs for its own notices; a Business Associate Agreement may set a shorter deadline.
Content of the notice
Notices must describe what happened, the types of PHI involved, steps individuals should take, what the organization is doing to mitigate harm and prevent recurrence, and how to contact the organization for assistance.
Consequences for noncompliance
Enforcement includes tiered civil monetary penalties and, for certain wrongful disclosures, criminal penalties. The Breach Notification Rule works alongside the HIPAA Privacy Rule and Security Rule to drive accountability.
Individual Rights Under HIPAA
Right of access
You can inspect or receive a copy of your PHI in a designated record set, typically within 30 days (with one 30-day extension if necessary). You may request electronic copies and direct a copy to a third party. Only reasonable, cost-based fees may be charged for labor, supplies, and postage.
Right to request an amendment
If you believe information is inaccurate or incomplete, you may request an amendment. If denied, you can submit a statement of disagreement that must be appended to future disclosures of the disputed record.
Right to an accounting of disclosures
You can request an accounting of certain disclosures made in the past six years, excluding most disclosures for treatment, payment, and health care operations.
Rights to restrictions and confidential communications
You may request restrictions on certain uses and disclosures. If you pay a provider out of pocket in full, the provider must honor your request not to disclose that service information to your health plan. You can also request alternate means or locations for communications.
Notice and complaints
You are entitled to a Notice of Privacy Practices and may file complaints with the organization’s privacy office or with federal authorities without fear of retaliation.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Covered Entities and Their Responsibilities
Who is covered
Covered entities include health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses. Business associates—vendors that create, receive, maintain, or transmit PHI for a covered entity—are also directly regulated.
Core responsibilities
- Adopt policies and procedures, designate privacy and security officials, and train the workforce.
- Apply the minimum necessary standard and enforce role-based access controls.
- Execute Business Associate Agreements that define permissible uses and require breach reporting.
- Document decisions and retain required records for at least six years.
Accountability and penalties
Violations can trigger investigations, corrective action plans, civil monetary penalties, and—where appropriate—criminal penalties. Strong governance and continuous risk management are essential for compliance.
Exclusions from HIPAA Coverage
Who is generally not covered
- Most consumer health apps, wearables, and websites that operate outside a provider/plan relationship.
- Employers in their role as employers, life insurers, and workers’ compensation carriers.
- Most schools and school districts (student health records are typically covered by FERPA, not HIPAA).
- Law enforcement agencies and many state/local agencies not acting as covered entities.
Information that is not PHI
- De-identified data meeting HIPAA De-Identification Standards.
- Education records and certain treatment records covered by FERPA.
- Employment records held by a covered entity in its role as employer.
Practical implications
Because HIPAA does not cover every organization that touches health-related data, ask who is handling your information and in what capacity. Separate privacy laws and policies may still apply even when HIPAA does not.
De-Identified Health Information Protections
De-Identification Standards
De-identified information is not PHI and may be used or shared without HIPAA restrictions. De-identification can be achieved via two methods: Safe Harbor and Expert Determination.
- Safe Harbor: remove 18 specific identifiers (of you and of your relatives, employers, and household members) and have no actual knowledge that the remaining data could identify you.
- Expert Determination: a qualified expert applies statistical or scientific principles to ensure very small re-identification risk and documents the methodology.
Limited data sets and data use agreements
A limited data set is PHI with most direct identifiers removed but may retain dates and some geography. It can be used for research, public health, or health care operations under a Data Use Agreement that restricts re-identification and onward disclosure.
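The two de-identification paths just described, Safe Harbor and the limited data set, as an added Python example written for this page (it is not code from the page or from any product). The record, its field names, the cut-off date, and the free-text scrubbing are constructed for illustration; the list of sparsely populated three-digit ZIP prefixes and the over-89 age rule follow HHS Safe Harbor guidance. The example goes one step beyond the text by showing why the birth year must also go when the patient is over 89, and by scrubbing the same identifiers out of a free-text note.

```python
"""Safe Harbor de-identification versus a limited data set (added example).

Constructed for this page; the patient record and field layout are fictional.
"""
from __future__ import annotations

import re
from datetime import date

# Fictional record, constructed for this example. ZIP 03601 starts with a
# restricted prefix and the patient is over 89 at the cut-off date below.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0012345",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "phone": "555-0100",
    "street": "100 Example Street",
    "city": "Springfield",
    "state": "IL",
    "zip": "03601",
    "dob": "1931-04-12",
    "admit_date": "2023-09-05",
    "discharge_date": "2023-09-09",
    "diagnosis": "I10 Essential hypertension",
    "notes": "Jane Q. Sample reports chest pain; call 555-0100 or jane.sample@example.com.",
}

# Direct identifiers present in this record. The full Safe Harbor list also
# covers fax, health plan and account numbers, licence, vehicle and device
# identifiers, URLs, IP addresses, biometrics, photos and any other unique code.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "email", "phone", "street"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Three-digit ZIP prefixes covering 20,000 people or fewer; Safe Harbor
# requires these to be reported as 000 (list from HHS guidance, 2000 census).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Minimal free-text patterns for this example; a real deployment would use a
# clinical NLP de-identifier rather than a few regular expressions.
_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                 # SSN
    re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),          # e-mail
    re.compile(r"\b(?:\d{3}-)?\d{3}-\d{4}\b"),            # phone
]


def _age_on(dob: date, as_of: date) -> int:
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the first three digits, or 000 for a restricted prefix."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def scrub_text(text: str, known_names: list[str]) -> str:
    """Redact known names and identifier patterns from free text. Structured
    field removal alone is not enough: notes that still name the patient
    defeat the 'no actual knowledge' prong of Safe Harbor."""
    for name in known_names:
        text = text.replace(name, "[NAME]")
    for pattern in _PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def safe_harbor(record: dict, as_of: str) -> dict:
    """Apply the Safe Harbor method. Dates keep only the year; for a patient
    over 89 the birth year itself would reveal the age, so it is replaced by
    the single category '90 or older'. Geography below state level is
    removed except for the truncated ZIP."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out.pop("city", None)
    out["zip"] = safe_harbor_zip(record["zip"])
    dob = date.fromisoformat(record["dob"])
    if _age_on(dob, date.fromisoformat(as_of)) > 89:
        out["dob"] = "90 or older"
    else:
        out["dob"] = str(dob.year)
    for field in DATE_FIELDS - {"dob"}:
        out[field] = record[field][:4]
    out["notes"] = scrub_text(record["notes"], [record["name"]])
    return out


def limited_data_set(record: dict) -> dict:
    """Remove the direct identifiers but keep dates and city/state/ZIP.
    The result is still PHI and may only be shared under a Data Use Agreement."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["notes"] = scrub_text(record["notes"], [record["name"]])
    return out


if __name__ == "__main__":
    print("Safe Harbor:", safe_harbor(SAMPLE_RECORD, "2024-01-01"))
    print("Limited data set:", limited_data_set(SAMPLE_RECORD))
```

Two things the code cannot do are the judgement calls the rule leaves to people: the "no actual knowledge" prong of Safe Harbor, and the statistical analysis behind Expert Determination. Treat the free-text scrubbing as the weakest link; unstructured notes are where names, dates, and phone numbers most often survive field-level removal.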
Managing residual risk
Even de-identified data can carry re-identification risk when combined with other datasets. Sound governance—data minimization, aggregation, and ongoing risk reviews—helps maintain privacy over time.
Key takeaways
- The HIPAA Privacy Rule governs when PHI can be used or disclosed and embeds the minimum necessary principle.
- The Security Rule requires administrative, physical, and technical safeguards to protect ePHI.
- The Breach Notification Rule mandates timely notices to individuals, regulators, and sometimes the media.
- You have strong rights: access, amendment, accounting, restrictions, and confidential communications.
- Covered entities and business associates face civil and criminal penalties for noncompliance.
- HIPAA does not cover every health-related app or record; de-identified data is generally outside HIPAA.
FAQs
What types of health information are protected under HIPAA?
HIPAA protects Protected Health Information (PHI)—any individually identifiable information about your health, care, or payment held or transmitted by a covered entity or business associate. PHI spans clinical data, billing and claims, and common identifiers such as names, dates, addresses, contact details, and medical record numbers.
How does HIPAA protect electronic health records?
The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI. Organizations must conduct risk analyses, control access, monitor activity, protect integrity, secure transmissions (often with encryption), train staff, and maintain contingency plans to keep electronic health records confidential, accurate, and available.
What rights do individuals have under HIPAA?
You can access and obtain copies of your records, request amendments, receive an accounting of certain disclosures, ask for restrictions and confidential communications, and obtain a Notice of Privacy Practices. You may also file complaints without retaliation if you believe your privacy rights were violated.
When must breaches of health information be reported?
Covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI. Breaches affecting 500 or more individuals must also be reported to HHS within that same 60-day window and, when more than 500 residents of one state or jurisdiction are affected, to prominent media; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year. Business associates must alert the covered entity, no later than 60 days after their own discovery, with the details needed for these notifications.