Laws That Protect Your Health Data
Your medical records are being shared with hundreds of entities. Here are the federal and state laws that give you the power to control who sees your health information—and what happens when those laws are broken.
Why These Laws Matter to You
Without these laws, your medical records could be:
- ❌ Shared with employers, insurers, or data brokers without your permission
- ❌ Sold to marketing companies who target you based on your diagnoses
- ❌ Used to deny you insurance, employment, or housing
- ❌ Kept from you when you need them for a second opinion
These laws exist to protect YOU. They give you control over your health information, require transparency from healthcare providers, and impose serious penalties when your privacy is violated.
Federal Laws: Your Baseline Rights Nationwide
These federal laws apply in all 50 states and set the minimum protections for your health data. Your state may have additional laws that provide even stronger protection.
HIPAA Privacy Rule
The foundation of U.S. health privacy law • Enacted 1996, Final Rule 2002
What This Means for YOU
HIPAA Privacy Rule gives you the 8 patient rights including the right to access your medical records, correct errors, limit who sees your data, and be notified if your information is breached. It requires doctors, hospitals, insurers, and pharmacies to protect your information and get your permission before sharing it for most purposes.
Who Must Follow This Law
- • Healthcare providers (doctors, hospitals, clinics)
- • Health plans (insurance companies, HMOs)
- • Healthcare clearinghouses (billing services)
- • Business associates (IT vendors, billing companies)
Penalties for Violations
Civil: $127 to $63,973 per violation, up to $1.92M/year per violation category
Criminal: Up to $250,000 fine + 10 years imprisonment for intentional violations
Your Key Rights Under HIPAA Privacy Rule
- Right to Access your records within 30 days
- Right to amend incorrect information
- Right to restrict certain disclosures
- Right to breach notification within 60 days
- Right to accounting of who accessed your data
- Right to file complaints with HHS OCR
HIPAA Security Rule
Protects your electronic health records from hackers • Final Rule 2003
What This Means for YOU
HIPAA Security Rule requires healthcare providers to protect your electronic health records from cyberattacks, data breaches, and unauthorized access. They must encrypt your data, control who can access it, audit access logs, and train employees on security. If they fail and your data is breached, they face serious penalties.
Administrative Safeguards
- • Risk assessments required
- • Employee training mandatory
- • Access management controls
Physical Safeguards
- • Secure facilities & equipment
- • Locked server rooms
- • Device disposal procedures
Technical Safeguards
- • Data encryption required
- • Audit logs maintained
- • Automatic logoff systems
Real Example: Anthem Inc. paid a record $16 million HIPAA settlement in 2018 after hackers breached 79 million patient records due to inadequate security. The Security Rule holds providers accountable when they don't protect your data.
HITECH Act (Breach Notification Rule)
Requires notification when your data is breached • Enacted 2009
What This Means for YOU
The HITECH Act strengthened HIPAA by requiring providers to notify you within 60 days if your health data is breached. You must be told what information was exposed, how the breach happened, and what steps are being taken. Large breaches (affecting 500+ people) must also be publicly reported to HHS's "Wall of Shame".
Breach Notification Timeline
- Within 60 days: You must be notified by mail
- Without delay: HHS must be notified (large breaches)
- Annual report: Small breaches reported yearly
- Media notification: Required for breaches affecting 500+ in a state
What Notification Must Include
- • What happened (description of breach)
- • What data was exposed (diagnoses, SSN, etc.)
- • What they're doing to investigate and prevent future breaches
- • What you should do to protect yourself
Many states have FASTER breach notification requirements than federal HITECH: Pennsylvania requires 72 hours, California requires 15 days. Learn which state laws are stronger than HITECH →
21st Century Cures Act (Information Blocking Rule)
Prevents blocking your access to electronic health records • Enacted 2016, Rules effective 2021
What This Means for YOU
The 21st Century Cures Act stops providers from "information blocking" - making it hard for you to get your health records electronically. Providers must now let you access your records through apps using standardized APIs, export your data easily, and can't charge fees that create barriers. Violations can result in penalties up to $1 million per violation.
What "Information Blocking" Means (Now Illegal)
Practices that are NOW illegal:
- ❌ Charging excessive fees for electronic records
- ❌ Requiring in-person visits to get your data
- ❌ Using proprietary formats you can't open
- ❌ Delaying access beyond reasonable timeframes
What providers MUST do:
- ✅ Provide electronic access through patient portals
- ✅ Support third-party health apps (with your consent)
- ✅ Use standardized APIs (FHIR format)
- ✅ Export data in machine-readable formats
Real Impact: You can now use health apps like Apple Health, MyChart, or health tracking apps to automatically sync your medical records from multiple providers. Providers can't refuse or make it difficult—it's your right under federal law.
State Laws: Extra Protection Beyond Federal HIPAA
Many states have enacted their own health privacy laws that provide stronger protections than federal HIPAA. When a state law is more protective, it overrides HIPAA and healthcare providers must follow the stricter standard.
States with Stronger-Than-HIPAA Protections
Click each state to see how their laws override federal HIPAA
California
CMIA
✓ 15-day access, private lawsuits
Washington
MHMD Act
✓ Health apps covered
Illinois
GIPA
✓ Genetic privacy
Colorado
CPA
✓ Data deletion rights
Connecticut
CTDPA
✓ Sensitive data opt-in
Pennsylvania
UTPCPL
✓ 72-hour breach notice
Texas
TMPA
✓ Medical identity theft
New York
SHIELD Act
✓ HIV/AIDS enhanced
Massachusetts
201 CMR 17
✓ Strict security
Key Principle: Under federal HIPAA regulations (45 CFR § 160.203), when a state law provides more stringent protection than HIPAA, the state law prevails. This means you may have stronger rights than the federal baseline. Learn more about when state laws override HIPAA →
Who Enforces These Laws (And What Happens When They're Broken)
Federal Enforcement
HHS Office for Civil Rights (OCR)
Enforces HIPAA, investigates complaints, conducts audits, and imposes penalties.
Contact: 800-368-1019 (toll-free)
Federal Trade Commission (FTC)
Enforces health privacy for non-HIPAA entities like health apps, wearables, and wellness companies.
FTC Health Breach RuleDepartment of Justice (DOJ)
Prosecutes criminal HIPAA violations (up to 10 years imprisonment for intentional violations).
State Enforcement
State Attorneys General
Enforce state privacy laws, investigate breaches, and can prosecute HIPAA violations affecting their residents.
Examples: California AG, Pennsylvania AG, New York AG
State Health Departments
Oversee healthcare facility compliance, license providers, and enforce state health privacy regulations.
Private Right to Sue
Some states like California (CMIA) allow you to sue providers directly for privacy violations. HIPAA doesn't allow this—you can only file government complaints.
Real Enforcement Actions: What Happens When Laws Are Broken
Anthem Inc. (2015)
79 million records breached
$16 million settlement
Premera Blue Cross (2015)
10.4 million records breached
$6.85 million penalty
Memorial Healthcare (2017)
Unsecured server accessible online
$5.5 million settlement
What You Can Do to Protect Your Rights
Now that you understand the laws protecting you, here's how to exercise your rights and ensure your health data stays private:
1. Access Your Records
Request copies of your medical records from every provider. You have 30 days under HIPAA (15 days in some states).
How to Request →2. File Restrictions
Limit who can see your health data. Request restrictions on disclosures to insurers, employers, or other parties.
View Your Rights →3. Report Violations
If your privacy is violated, file complaints with HHS OCR, your state AG, and document everything for potential legal action.
File ComplaintHealthConsent® exercises all your rights automatically under federal HIPAA + your state's laws
Live tracker
Recent healthcare data breaches
Real incidents from the 2026 HHS OCR portal. Each entry names the provider, the data exposed, and the steps to take if you received a notification letter.