Your Complete Guide to Health Data Privacy Rights
Master HIPAA, understand your rights, and take control of your health information with our comprehensive privacy guide
Your 8 Fundamental HIPAA Rights
HIPAA gives you specific rights over your health information. Here's what you need to know about each one.
Right to Access
Request and receive copies of your medical records within 30 days. Includes lab results, imaging, and provider notes.
Right to Amend
Request corrections to inaccurate or incomplete information in your medical records.
Right to Restrict
Limit how your health information is used or disclosed for treatment, payment, or operations.
Right to Alternative Communication
Request that providers communicate with you at alternative locations or through specific methods.
Right to an Accounting
Get a list of disclosures of your health information made by your provider in the past 6 years.
Right to Notification
Be notified if your health information has been breached or improperly accessed.
Right to Complain
File complaints about privacy violations with your provider or the Department of Health and Human Services.
Right to Privacy Notice
Receive a written notice describing how your health information may be used and shared.
Evolution of Health Privacy Laws
Understanding how health privacy protections have developed over time
HIPAA Enacted
Health Insurance Portability and Accountability Act establishes national health privacy standards
HIPAA Privacy Rule
First national standards for protecting health information take effect
HITECH Act
Strengthens HIPAA with breach notification requirements and increased penalties
21st Century Cures Act
Promotes health information interoperability and prevents information blocking
HIPAA Updates
Enhanced enforcement and guidance for telehealth and remote care privacy
Federal vs. State Authority Over Your Health Data
Understanding how federal HIPAA laws interact with state privacy protections to give you the strongest possible rights
HIPAA as the Foundation
HIPAA provides a uniform foundation of patient privacy rights across the U.S., but it's designed as a floor, not a ceiling. States can enact laws that provide equal or greater protection.
Core federal rights apply everywhere - access, amendment, restriction, and breach notification
Where States Enhance Rights
Many states have strengthened privacy protections beyond HIPAA requirements, particularly for sensitive data like HIV/AIDS, mental health, and reproductive health information.
You Get the Best Protection
When federal and state laws differ, you benefit from whichever law is more protective. The stronger rule always applies to give you maximum privacy rights.
Example: If federal law allows 30 days for records but your state requires 15 days, you get them in 15 days
Key Areas Where State Laws Often Provide Enhanced Protection
Consent Requirements
HIPAA doesn't require patient consent for treatment, payment, or operations disclosures, but some states do:
- • California requires consent for certain TPO disclosures
- • Minnesota has strict consent requirements
- • This gives patients the right to withhold consent
Minor Rights
Under HIPAA, parents are usually a minor's representative, but states may allow minors to control certain records:
- • Oregon allows minors to consent to reproductive health
- • Many states protect minor mental health records
- • Teens may keep information confidential from parents
Sensitive Data Protection
Nearly all states have stronger protections for particularly sensitive health information:
- • HIV/AIDS information requires patient consent
- • Mental health records often need court orders
- • Substance abuse treatment records are highly protected
Enforcement Rights
Some states provide additional enforcement options beyond federal HIPAA complaints:
- • California allows individual lawsuits for violations
- • Tennessee provides private right of action
- • State attorneys general may have additional powers
Detailed State-by-State Comparison
See exactly what additional privacy rights and protections your state provides beyond HIPAA, including faster access timelines, stricter consent requirements, and enhanced enforcement options.
View State-by-State Rights ComparisonComprehensive Legal Framework
Multiple layers of federal and state laws protect your health data privacy with significant penalties for violations.
Federal Laws
HIPAA Privacy Rule
Establishes national standards for protecting individually identifiable health information held by covered entities
HIPAA Security Rule
Sets standards for protecting electronic health information through administrative, physical, and technical safeguards
HITECH Act
Strengthens HIPAA enforcement, requires breach notifications, and extends privacy protections to business associates
21st Century Cures Act
Prohibits information blocking and promotes patient access to their health information
State Privacy Laws
California CCPA/CPRA
Provides comprehensive privacy rights for California residents, including health data
Illinois BIPA
Regulates collection and use of biometric information including health-related biometrics
Texas Medical Privacy Act
Provides additional protections for mental health and HIV-related information
New York SHIELD Act
Expands data breach notification requirements including health information
How to Exercise Your Rights
Step-by-step guides for the most common privacy rights requests
Requesting Medical Records
- 1Submit written request to medical records department
- 2Include specific dates and types of records needed
- 3Provide valid photo ID or authorization
- 4Pay applicable fees (up to $30 for copies)
- 5Receive records within 30 days
Filing a Privacy Complaint
- 1Document the privacy violation with dates and details
- 2File complaint with covered entity's privacy officer
- 3If unresolved, file with HHS Office for Civil Rights
- 4Include supporting documentation
- 5Follow up on complaint status
Restricting Information Sharing
- 1Submit written request specifying restrictions
- 2Be specific about what information to restrict
- 3Understand that some restrictions may be denied
- 4Get written confirmation of accepted restrictions
- 5Monitor compliance with restrictions
Learning from Real HIPAA Violations
Landmark cases and what they teach us about protecting health information. For breaches reported now, see our live tracker.
Change Healthcare
2024Violation:
Largest healthcare data breach in U.S. history affecting ~190 million individuals
Penalty:
Costs exceeding $2.87 billion
Key Lesson:
Critical importance of MFA on remote access systems
Anthem Inc. (Elevance Health)
2015Violation:
Major data breach affecting 78.8 million individuals across multiple brands
Penalty:
$16M HHS + $115M class action + $39.5M state settlement
Key Lesson:
Phishing vulnerability and lack of encryption
Premera Blue Cross
2014Violation:
Data breach exposed 10.4 million members' personal and medical information
Penalty:
$6.85 million penalty
Key Lesson:
Failure to conduct risk assessments
Get Help and Support
Resources and contacts for privacy violations, questions, and advocacy
File a HIPAA Complaint
Report privacy violations to the Office for Civil Rights
Patient Advocate Foundation
Free assistance with healthcare access and insurance issues
Healthcare.gov Privacy Office
Privacy questions about marketplace plans and data
Ready to Automate Your Privacy Protection?
Stop doing privacy requests manually. HealthConsent automates your entire privacy protection strategy across 7M+ healthcare entities.
Automated HIPAA Restrictions
We automatically submit restriction requests to every doctor, hospital, and insurer in your area
Complete Data Broker Removal
Comprehensive opt-outs from health data brokers with annual resubmission and monitoring
HIE Network Deletions
Remove your data from Health Information Exchanges that share between providers nationwide
Join thousands of Americans who've automated their health data privacy with HealthConsent. We handle all the complex paperwork, follow-ups, and monitoring so you don't have to.
Live tracker
Recent healthcare data breaches
Real incidents from the 2026 HHS OCR portal. Each entry names the provider, the data exposed, and the steps to take if you received a notification letter.