HIPAA was written in 1996, when “your medical record” meant a paper file in a doctor’s office. Today, that record lives across electronic health systems, health information exchanges, prescription networks, and a growing field of consumer health apps that mostly aren’t covered by HIPAA at all.
What HIPAA actually covers
HIPAA’s Privacy Rule applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates (vendors who handle protected health information on their behalf). If you’re using a fitness tracker, a period-tracking app, or a direct-to-consumer mental health platform that doesn’t bill insurance, HIPAA probably doesn’t cover them.
What HIPAA gives you
The Privacy Rule grants eight specific patient rights — including the right to access your records, the right to request an amendment, and the right to request restrictions on how your data is shared. Most patients don’t know about most of them, and most providers don’t make them easy to exercise.
What HIPAA doesn’t give you
HIPAA does not give you a right to deletion. Federal record-retention rules typically require providers to keep records for 6–10 years. HIPAA does not cover most consumer health apps. And HIPAA does not stop your data from being shared between covered entities through health information exchanges — that requires you to exercise your restriction rights affirmatively.
Full article coming soon. In the meantime, see /privacy-guide/hipaa-rights for the full breakdown.