Laws That Protect Your Health Data

Your medical records are being shared with hundreds of entities. Here are the federal and state laws that give you the power to control who sees your health information—and what happens when those laws are broken.

Why These Laws Matter to You

Without these laws, your medical records could be:

  • Shared with employers, insurers, or data brokers without your permission
  • Sold to marketing companies who target you based on your diagnoses
  • Used to deny you insurance, employment, or housing
  • Kept from you when you need them for a second opinion

These laws exist to protect YOU. They give you control over your health information, require transparency from healthcare providers, and impose serious penalties when your privacy is violated.

Federal Laws: Your Baseline Rights Nationwide

These federal laws apply in all 50 states and set the minimum protections for your health data. Your state may have additional laws that provide even stronger protection.

HIPAA Privacy Rule

The foundation of U.S. health privacy law • Enacted 1996, Final Rule 2002

Federal Law

What This Means for YOU

HIPAA Privacy Rule gives you the 8 patient rights including the right to access your medical records, correct errors, limit who sees your data, and be notified if your information is breached. It requires doctors, hospitals, insurers, and pharmacies to protect your information and get your permission before sharing it for most purposes.

Who Must Follow This Law

  • • Healthcare providers (doctors, hospitals, clinics)
  • • Health plans (insurance companies, HMOs)
  • • Healthcare clearinghouses (billing services)
  • • Business associates (IT vendors, billing companies)

Penalties for Violations

Civil: $127 to $63,973 per violation, up to $1.92M/year per violation category

Criminal: Up to $250,000 fine + 10 years imprisonment for intentional violations

Your Key Rights Under HIPAA Privacy Rule

  • Right to Access your records within 30 days
  • Right to amend incorrect information
  • Right to restrict certain disclosures
  • Right to breach notification within 60 days
  • Right to accounting of who accessed your data
  • Right to file complaints with HHS OCR

HIPAA Security Rule

Protects your electronic health records from hackers • Final Rule 2003

Federal Law

What This Means for YOU

HIPAA Security Rule requires healthcare providers to protect your electronic health records from cyberattacks, data breaches, and unauthorized access. They must encrypt your data, control who can access it, audit access logs, and train employees on security. If they fail and your data is breached, they face serious penalties.

Administrative Safeguards

  • • Risk assessments required
  • • Employee training mandatory
  • • Access management controls

Physical Safeguards

  • • Secure facilities & equipment
  • • Locked server rooms
  • • Device disposal procedures

Technical Safeguards

  • • Data encryption required
  • • Audit logs maintained
  • • Automatic logoff systems

Real Example: Anthem Inc. paid a record $16 million HIPAA settlement in 2018 after hackers breached 79 million patient records due to inadequate security. The Security Rule holds providers accountable when they don't protect your data.

HITECH Act (Breach Notification Rule)

Requires notification when your data is breached • Enacted 2009

Federal Law

What This Means for YOU

The HITECH Act strengthened HIPAA by requiring providers to notify you within 60 days if your health data is breached. You must be told what information was exposed, how the breach happened, and what steps are being taken. Large breaches (affecting 500+ people) must also be publicly reported to HHS's "Wall of Shame".

Breach Notification Timeline

  • Within 60 days: You must be notified by mail
  • Without delay: HHS must be notified (large breaches)
  • Annual report: Small breaches reported yearly
  • Media notification: Required for breaches affecting 500+ in a state

What Notification Must Include

  • What happened (description of breach)
  • What data was exposed (diagnoses, SSN, etc.)
  • What they're doing to investigate and prevent future breaches
  • What you should do to protect yourself

Many states have FASTER breach notification requirements than federal HITECH: Pennsylvania requires 72 hours, California requires 15 days. Learn which state laws are stronger than HITECH →

21st Century Cures Act (Information Blocking Rule)

Prevents blocking your access to electronic health records • Enacted 2016, Rules effective 2021

Federal Law

What This Means for YOU

The 21st Century Cures Act stops providers from "information blocking" - making it hard for you to get your health records electronically. Providers must now let you access your records through apps using standardized APIs, export your data easily, and can't charge fees that create barriers. Violations can result in penalties up to $1 million per violation.

What "Information Blocking" Means (Now Illegal)

Practices that are NOW illegal:

  • ❌ Charging excessive fees for electronic records
  • ❌ Requiring in-person visits to get your data
  • ❌ Using proprietary formats you can't open
  • ❌ Delaying access beyond reasonable timeframes

What providers MUST do:

  • ✅ Provide electronic access through patient portals
  • ✅ Support third-party health apps (with your consent)
  • ✅ Use standardized APIs (FHIR format)
  • ✅ Export data in machine-readable formats

Real Impact: You can now use health apps like Apple Health, MyChart, or health tracking apps to automatically sync your medical records from multiple providers. Providers can't refuse or make it difficult—it's your right under federal law.

State Laws: Extra Protection Beyond Federal HIPAA

Many states have enacted their own health privacy laws that provide stronger protections than federal HIPAA. When a state law is more protective, it overrides HIPAA and healthcare providers must follow the stricter standard.

Key Principle: Under federal HIPAA regulations (45 CFR § 160.203), when a state law provides more stringent protection than HIPAA, the state law prevails. This means you may have stronger rights than the federal baseline. Learn more about when state laws override HIPAA →

Who Enforces These Laws (And What Happens When They're Broken)

Federal Enforcement

HHS Office for Civil Rights (OCR)

Enforces HIPAA, investigates complaints, conducts audits, and imposes penalties.

Contact: 800-368-1019 (toll-free)

Federal Trade Commission (FTC)

Enforces health privacy for non-HIPAA entities like health apps, wearables, and wellness companies.

FTC Health Breach Rule

Department of Justice (DOJ)

Prosecutes criminal HIPAA violations (up to 10 years imprisonment for intentional violations).

State Enforcement

State Attorneys General

Enforce state privacy laws, investigate breaches, and can prosecute HIPAA violations affecting their residents.

Examples: California AG, Pennsylvania AG, New York AG

State Health Departments

Oversee healthcare facility compliance, license providers, and enforce state health privacy regulations.

Private Right to Sue

Some states like California (CMIA) allow you to sue providers directly for privacy violations. HIPAA doesn't allow this—you can only file government complaints.

Real Enforcement Actions: What Happens When Laws Are Broken

Anthem Inc. (2015)

79 million records breached

$16 million settlement

Premera Blue Cross (2015)

10.4 million records breached

$6.85 million penalty

Memorial Healthcare (2017)

Unsecured server accessible online

$5.5 million settlement

What You Can Do to Protect Your Rights

Now that you understand the laws protecting you, here's how to exercise your rights and ensure your health data stays private:

1. Access Your Records

Request copies of your medical records from every provider. You have 30 days under HIPAA (15 days in some states).

How to Request →

2. File Restrictions

Limit who can see your health data. Request restrictions on disclosures to insurers, employers, or other parties.

View Your Rights →

3. Report Violations

If your privacy is violated, file complaints with HHS OCR, your state AG, and document everything for potential legal action.

File Complaint
Automate Your Privacy Protection →

HealthConsent® exercises all your rights automatically under federal HIPAA + your state's laws