Your Complete Guide to Health Data Privacy Rights

Master HIPAA, understand your rights, and take control of your health information with our comprehensive privacy guide

Your 8 Fundamental HIPAA Rights

HIPAA gives you specific rights over your health information. Here's what you need to know about each one.

Right to Access

Request and receive copies of your medical records within 30 days. Includes lab results, imaging, and provider notes.

Up to $30 fee allowed for copies

Right to Amend

Request corrections to inaccurate or incomplete information in your medical records.

Provider has 60 days to respond

Right to Restrict

Limit how your health information is used or disclosed for treatment, payment, or operations.

Some restrictions may not be honored

Right to Alternative Communication

Request that providers communicate with you at alternative locations or through specific methods.

Must be reasonable request

Right to an Accounting

Get a list of disclosures of your health information made by your provider in the past 6 years.

First accounting is free annually

Right to Notification

Be notified if your health information has been breached or improperly accessed.

Notification within 60 days of discovery

Right to Complain

File complaints about privacy violations with your provider or the Department of Health and Human Services.

No retaliation allowed for complaints

Right to Privacy Notice

Receive a written notice describing how your health information may be used and shared.

Must be provided at first service

Evolution of Health Privacy Laws

Understanding how health privacy protections have developed over time

HIPAA Enacted

1996
View legislation

Health Insurance Portability and Accountability Act establishes national health privacy standards

HIPAA Privacy Rule

2003
View legislation

First national standards for protecting health information take effect

HITECH Act

2009
View legislation

Strengthens HIPAA with breach notification requirements and increased penalties

21st Century Cures Act

2016
View legislation

Promotes health information interoperability and prevents information blocking

HIPAA Updates

2020
View legislation

Enhanced enforcement and guidance for telehealth and remote care privacy

Federal vs. State Authority Over Your Health Data

Understanding how federal HIPAA laws interact with state privacy protections to give you the strongest possible rights

HIPAA as the Foundation

HIPAA provides a uniform foundation of patient privacy rights across the U.S., but it's designed as a floor, not a ceiling. States can enact laws that provide equal or greater protection.

Core federal rights apply everywhere - access, amendment, restriction, and breach notification

Where States Enhance Rights

Many states have strengthened privacy protections beyond HIPAA requirements, particularly for sensitive data like HIV/AIDS, mental health, and reproductive health information.

Consent requirements (CA, MN)
Faster breach notification
Individual lawsuit rights

You Get the Best Protection

When federal and state laws differ, you benefit from whichever law is more protective. The stronger rule always applies to give you maximum privacy rights.

Example: If federal law allows 30 days for records but your state requires 15 days, you get them in 15 days

Key Areas Where State Laws Often Provide Enhanced Protection

Consent Requirements

HIPAA doesn't require patient consent for treatment, payment, or operations disclosures, but some states do:

  • • California requires consent for certain TPO disclosures
  • • Minnesota has strict consent requirements
  • • This gives patients the right to withhold consent

Minor Rights

Under HIPAA, parents are usually a minor's representative, but states may allow minors to control certain records:

  • • Oregon allows minors to consent to reproductive health
  • • Many states protect minor mental health records
  • • Teens may keep information confidential from parents

Sensitive Data Protection

Nearly all states have stronger protections for particularly sensitive health information:

  • • HIV/AIDS information requires patient consent
  • • Mental health records often need court orders
  • • Substance abuse treatment records are highly protected

Enforcement Rights

Some states provide additional enforcement options beyond federal HIPAA complaints:

  • • California allows individual lawsuits for violations
  • • Tennessee provides private right of action
  • • State attorneys general may have additional powers

Detailed State-by-State Comparison

See exactly what additional privacy rights and protections your state provides beyond HIPAA, including faster access timelines, stricter consent requirements, and enhanced enforcement options.

View State-by-State Rights Comparison

Comprehensive Legal Framework

Multiple layers of federal and state laws protect your health data privacy with significant penalties for violations.

Federal Laws

HIPAA Privacy Rule

Establishes national standards for protecting individually identifiable health information held by covered entities

Maximum Penalty: Up to $1.5M per incident

HIPAA Security Rule

Sets standards for protecting electronic health information through administrative, physical, and technical safeguards

Maximum Penalty: Up to $1.5M per incident

HITECH Act

Strengthens HIPAA enforcement, requires breach notifications, and extends privacy protections to business associates

Maximum Penalty: Up to $1.5M per incident

21st Century Cures Act

Prohibits information blocking and promotes patient access to their health information

Maximum Penalty: Up to $1M per violation

State Privacy Laws

California CCPA/CPRA

Provides comprehensive privacy rights for California residents, including health data

Maximum Penalty: Up to $7,500 per violation

Illinois BIPA

Regulates collection and use of biometric information including health-related biometrics

Maximum Penalty: $1,000-$5,000 per violation

Texas Medical Privacy Act

Provides additional protections for mental health and HIV-related information

Maximum Penalty: Criminal and civil penalties

New York SHIELD Act

Expands data breach notification requirements including health information

Maximum Penalty: Up to $5,000 per violation

How to Exercise Your Rights

Step-by-step guides for the most common privacy rights requests

Requesting Medical Records

  1. 1
    Submit written request to medical records department
  2. 2
    Include specific dates and types of records needed
  3. 3
    Provide valid photo ID or authorization
  4. 4
    Pay applicable fees (up to $30 for copies)
  5. 5
    Receive records within 30 days

Filing a Privacy Complaint

  1. 1
    Document the privacy violation with dates and details
  2. 2
    File complaint with covered entity's privacy officer
  3. 3
    If unresolved, file with HHS Office for Civil Rights
  4. 4
    Include supporting documentation
  5. 5
    Follow up on complaint status

Restricting Information Sharing

  1. 1
    Submit written request specifying restrictions
  2. 2
    Be specific about what information to restrict
  3. 3
    Understand that some restrictions may be denied
  4. 4
    Get written confirmation of accepted restrictions
  5. 5
    Monitor compliance with restrictions

Learning from Real HIPAA Violations

Landmark cases and what they teach us about protecting health information. For breaches reported now, see our live tracker.

Change Healthcare

2024

Violation:

Largest healthcare data breach in U.S. history affecting ~190 million individuals

Penalty:

Costs exceeding $2.87 billion

Key Lesson:

Critical importance of MFA on remote access systems

Anthem Inc. (Elevance Health)

2015

Violation:

Major data breach affecting 78.8 million individuals across multiple brands

Penalty:

$16M HHS + $115M class action + $39.5M state settlement

Key Lesson:

Phishing vulnerability and lack of encryption

Premera Blue Cross

2014

Violation:

Data breach exposed 10.4 million members' personal and medical information

Penalty:

$6.85 million penalty

Key Lesson:

Failure to conduct risk assessments

Get Help and Support

Resources and contacts for privacy violations, questions, and advocacy

File a HIPAA Complaint

Report privacy violations to the Office for Civil Rights

Patient Advocate Foundation

Free assistance with healthcare access and insurance issues

Healthcare.gov Privacy Office

Privacy questions about marketplace plans and data

Ready to Automate Your Privacy Protection?

Stop doing privacy requests manually. HealthConsent automates your entire privacy protection strategy across 7M+ healthcare entities.

Automated HIPAA Restrictions

We automatically submit restriction requests to every doctor, hospital, and insurer in your area

Complete Data Broker Removal

Comprehensive opt-outs from health data brokers with annual resubmission and monitoring

HIE Network Deletions

Remove your data from Health Information Exchanges that share between providers nationwide

Join thousands of Americans who've automated their health data privacy with HealthConsent. We handle all the complex paperwork, follow-ups, and monitoring so you don't have to.