Note:  This is a rapidly shifting legal space, so please be aware that this information may not be current.

Background

Many laws regulate the privacy of medical information. However, they tend to prioritize facilitating the flow of information within the healthcare industry over ensuring individual privacy. Also, these laws usually apply only to personal medical information (sometimes called “protected health information”) in the hands of specific types of entities, like a doctor or other health care provider. Thus, for instance, medical privacy laws usually don’t apply to information you give to a social network, search engine, web forum, etc. Read on for more details.

Federal Law

The Health Insurance Portability and Accountability Act (HIPAA) outlines the core set of federal medical privacy regulations. HIPAA does four things:

  •  Creates a structure for the disclosure of personal health information;

  • Establishes an individuals’ rights in their own health information;

  • Sets out security standards for maintaining and transmitting patient information electronically;

  • Requires a common format and data structure for the electronic exchange of health information.

HIPAA only regulates the health industry. Specifically, the law applies to "covered entities" --health care providers, health plans (health insurer or HMO), and health care clearinghouses. It also applies to “business associates” (BA) if they handle protected health information (PHI) on behalf of a covered entity. We’ll call both “providers” here.

Your rights under HIPAA

HIPAA’s so-called Privacy Rule, authorizes broad, unconsented disclosures of personal health data for treatment, payment, and routine health care operations. However, it requires written consent for the disclosure of “sensitive” information, like outpatient psychotherapy notes. It also requires consent prior to the use of your health information for any kind of marketing other than prescription drug reminders.

You have the right to be notified what your rights are concerning your own medical information. You also have the right to access and receive copies of your records, request corrections, and be notified of data breaches. You also have the right to learn who your provider has shared your information with if they did so for purposes other than treatment, payment, and health care operations.

Exceptions to HIPAA

HIPAA contains numerous exemptions that permit the disclosure of your medical information without your consent or even your knowledge.

For example:

  • The written consent requirement (for mental health and substance abuse treatment information) does not apply to private facilities.

  • Providers don’t need to consent to disclose medical information for many permitted and mandatory public health reporting purposes, like disease monitoring, child abuse, or domestic violence. However, they may need to “de-identify” it. Data are considered de-identified if either (1) an experienced expert determines that the risk that certain information could be used to identify an individual is "very small" and documents and justifies the determination, or (2) the data do not include specified identifiers which could be used alone or in combination with other information to identify the subject. Even if these identifiers are removed, however, information will be considered identifiable if the provider knows that the identity of the person may still be determined.

  • Providers don’t need consent to disclose medical information in response to a subpoena or other litigation. 

  • There are exceptions for law enforcement access to health information requested by subpoena or court order.

  • Disclosures are permitted for specialized government functions, including national security and intelligence operations.

  • Providers can disclose medical information to an employer who pays for employees’ health coverage, but it must be strictly segregated from all other employee records.

  • Prohibitions to selling your information may not apply in situations involving public health, research, or the sale, transfer, merger or consolidation of the covered entity that has the data.

  • Providers may disclose incarcerated peoples’ non-prison health information to a prison where they are incarcerated.

  • Providers may disclose personal health information if you apply for a public benefit or for worker’s compensation. 

Other Federal Laws

Stricter federal regulations—known as "Part 2" —apply to the disclosure and use of alcohol and drug abuse patient records maintained in connection with the performance of any federally assisted alcohol and drug abuse program.

GINA (the Genetic Information Non-discrimination Act) prohibits genetic discrimination in health and life insurance and employment, but not cover long-term care or auto insurance with health benefits. HIPAA covers genetic information as well. Learn more about genetic information privacy.

California-Specific Laws

Californians enjoy stronger legal protections and more ways to hold providers accountable for violating their medical privacy accountable.

California’s medical privacy laws, primarily the Confidentiality of Medical Information Act (CMIA), the data breach sections of the Civil Code, and sections of the Health and Safety Code, provide HIPAA-like protections, although the terminology is different.

But California law also requires authorization for disclosure of data about STDs (although positive AIDS tests must be reported), substance abuse treatment, and outpatient psychotherapy notes. California’s medical privacy laws also apply to more entities, including vendors of an individual's personal health record (PHR). And, California law allows individuals to sue for violations, such as a data breach. Under federal law, only an attorney general may do so.

Other California laws include:

  • The Insurance Information and Privacy Protection Act (IPPA), which prohibits unauthorized disclosure of personal information, including medical records, collected through  insurance applications and claims resolution. Insurers must give you a notice of privacy practices that tells you with whom your information may be shared and your rights to restrict sharing that information.

  • The Information Practices Act (IPA) , which limits state agencies’ collection, maintenance, and distribution of personal information, including medical information. The IPA also gives individuals the right to review personal information held in state agency records, find out who has accessed it, and request changes to inaccurate or irrelevant information.

  • The Online Privacy Protection Act applies to websites that collect personally identifiable information of any kind, including medical information. "Protection" is a misnomer here, since the act's primary requirement is that the websites "conspicuously" post a privacy policy that notifies users what data the site collects and with whom it shares data. Read more.

For more on federal and California laws concerning the privacy of medical information see the CalOHII (California Office of Health Information Integrity) overview regarding State and Federal Health Laws Relating to Records, Privacy, Security and Patient Right to Access.

Help defend your right to privacy.
Help defend your right to privacy. DONATE TO EFF