QuanMedAI

HIPAA Explained for Patients: Your Rights and the Gaps in the Law

The law that most Americans believe shields all of their health data leaves vast portions of it completely unprotected.

By QuanMed AI Research Team, Quantum Medicine Research Division

Published: June 22, 2026

Picture this: you download a period-tracking app after a recommendation from a friend, enter your cycle dates, note some symptoms, and move on with your day. Somewhere in the back of your mind sits a quiet assumption that has been reinforced by decades of public health messaging: your medical information is protected. HIPAA covers it. The government has your back. That assumption, as reasonable as it feels, is almost certainly wrong in this scenario. The Health Insurance Portability and Accountability Act of 1996 does not apply to that app. It does not apply to the fitness tracker on your wrist, the wellness platform your employer is nudging you toward, or the direct-to-consumer genetic testing kit sitting on your kitchen counter. Understanding exactly where HIPAA's protections begin and, more critically, where they end, is one of the most consequential things a healthcare consumer can do in the current data environment.

HIPAA was signed into law by President Clinton at a time when electronic health records were in their infancy and the concept of a smartphone app tracking your ovulation cycle was pure science fiction. Congress had two primary goals: to make health insurance portable for workers moving between jobs, and to establish a federal floor of privacy protections for health information as the industry transitioned from paper to digital systems. The Privacy Rule that emerged from those intentions was groundbreaking for its time. It created enforceable rights, established penalties for violations, and gave patients a formal relationship with their health data. What it could not do was anticipate an ecosystem in which the most intimate health details of millions of people would flow through commercial apps and platforms that sit entirely outside its reach.

This article is your guide to navigating that landscape. We will walk through what HIPAA was actually designed to do, who it covers, the six concrete rights it grants you, the well-worn pathways through which your data moves without your explicit consent, and the growing body of state legislation that is beginning to fill some of the most dangerous gaps. We will also give you practical steps you can take today to assert more control over your health information regardless of whether HIPAA technically applies.

What HIPAA Was Designed to Do

The Privacy Rule, which HHS finalized in December 2000 and which most covered entities had to comply with by April 2003, established the first comprehensive federal standards for protecting individually identifiable health information. The rule created a category called Protected Health Information, universally abbreviated as PHI, which covers any individually identifiable information held or transmitted by a covered entity that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or the payment for that care. Crucially, PHI is not limited to your diagnosis. It includes your name when linked to a medical record, your address, your Social Security number, dates of service, and even device identifiers and serial numbers. The scope is intentionally broad within the universe of covered entities.

The Privacy Rule was complemented by the Security Rule, which took effect for most covered entities in April 2005 and established specific administrative, physical, and technical safeguards for electronic PHI. Together, these rules created a framework in which your doctor, your hospital, and your insurance company must treat your health information with a baseline level of care. Civil monetary penalties are tiered by culpability and adjusted for inflation; as of 2024 they range from $137 per violation at the lowest tier to an annual cap of just over $2 million for violations of the same provision. Criminal penalties exist for knowing misuse of PHI. The Office for Civil Rights within the Department of Health and Human Services handles enforcement, and its complaint portal has processed hundreds of thousands of complaints since the rules took effect.

The 2009 HITECH Act strengthened HIPAA significantly, making business associates directly liable under the rules, establishing a federal breach notification requirement, and increasing penalties. Under the Breach Notification Rule, a covered entity that discovers a breach of unsecured PHI must notify the affected individuals without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must be reported to HHS on the same timeline and are posted on OCR's public breach portal; smaller breaches are logged and reported to HHS annually. If a breach affects 500 or more residents of a single state or jurisdiction, the covered entity must also notify prominent media outlets serving that area. This public notification requirement, more than almost any other provision, has driven accountability in the covered entity world. The epidemic of health data breaches that has unfolded over the past decade has been tracked largely because of these notification obligations.

Who HIPAA Covers and the Critical Gap

Here is where the law's most consequential limitation lives. HIPAA applies to covered entities and their business associates. Covered entities are healthcare providers who transmit health information electronically in connection with certain transactions (this includes essentially every hospital, clinic, pharmacy, and physician practice in the country), health plans, and healthcare clearinghouses. Business associates are the vendors and service providers that handle PHI on behalf of covered entities, from billing companies to cloud storage providers to consultants.

Notice what is not on that list. A company that develops a period-tracking app has no relationship with a covered entity in the ordinary course of its business. It is not your healthcare provider. It is not your health insurer. It collects deeply intimate health information about you, but it does so entirely outside the HIPAA framework. The same is true of consumer wearables that track your heart rate, sleep, and activity. It is true of mental wellness apps that record your mood logs and therapeutic journal entries. It is true of employer-sponsored wellness programs, which sit in a legally murky space where the employer, not a covered health plan, often controls the data. It is true of direct-to-consumer genetic testing services: when you mail your saliva to a genetic testing company and receive ancestry and health risk information in return, that data is not protected by HIPAA.

Researchers at the Future of Privacy Forum and academic institutions including the University of California, San Francisco have documented this gap extensively. A 2019 study published in The BMJ by Dr. Quinn Grundy and colleagues analyzed 24 top-rated medicines-related apps and found that most of them shared user data with third parties, including advertising networks and analytics providers, in ways that most users would not anticipate. The researchers noted that HIPAA simply did not govern these disclosures because the apps in question were not covered entities. The study's findings were consistent with a broader body of literature showing that the commercial health app ecosystem operates with minimal federal privacy oversight.

Understanding who legally owns your medical records is closely connected to understanding who can share them. Within the covered entity world, HIPAA creates clear ownership and access rules. Outside it, those rules largely do not exist at the federal level, and you are operating under the terms of a privacy policy you almost certainly have not read in full.

The Covered Entity Test

Ask yourself one question: is the entity that holds my health information a healthcare provider, a health plan, or a healthcare clearinghouse? If the answer is yes, HIPAA almost certainly applies and your rights under the Privacy Rule are in effect. If the answer is no, including apps, wearables, genetic testing services, and many employer wellness platforms, HIPAA does not apply. Your protections in that case depend on state law, the company's own privacy policy, and the Federal Trade Commission's authority over deceptive trade practices.

Your Six Rights Under HIPAA

Within the domain where HIPAA does apply, it grants you six distinct rights that are enforceable and that many patients either do not know about or do not exercise. Understanding these rights is foundational to being an active participant in your own care and data governance.

1. The Right of Access

You have the right to inspect and obtain a copy of your Protected Health Information held in a designated record set by a covered entity. A designated record set includes your medical records, billing records, and any other records used to make decisions about you. The covered entity has 30 days to respond to your request, with one possible 30-day extension if it notifies you in writing of the delay and the reason. It may charge a reasonable, cost-based fee for the copy, but it cannot deny you access because of an unpaid bill. Importantly, the 2013 Omnibus Rule requires that when you ask for records that are maintained electronically, the covered entity must provide them in the electronic form and format you request if that format is readily producible. The information-blocking rules issued under the 21st Century Cures Act, which took effect in 2021, separately prohibit providers and certified health IT developers from unreasonably interfering with your access to electronic health information. This right is the gateway to everything else: if you cannot see your records, you cannot verify their accuracy, correct errors, or make fully informed decisions about your care. The practical mechanics of exercising this right are detailed in our guide on how to get your medical records.

2. The Right to Amend

If you believe that information in your designated record set is incorrect or incomplete, you have the right to request an amendment. The covered entity has 60 days to respond, again with one possible 30-day extension. They can deny your request if, for example, the record was not created by them or if they believe the information is accurate and complete. If they deny it, you have the right to submit a written statement of disagreement, which they must attach to your record going forward. This right matters enormously in practice: errors in medical records are more common than most people realize, and a misrecorded diagnosis or allergy can have downstream consequences ranging from inconvenient to dangerous.

3. The Right to an Accounting of Disclosures

You have the right to receive a list of the disclosures a covered entity has made of your PHI over the previous six years, with certain exceptions. Notably, disclosures for treatment, payment, and healthcare operations are excluded from this accounting, which limits its practical utility considerably. The accounting does capture disclosures made for public health activities, research, law enforcement, and certain other purposes. For most patients in routine care relationships, this right is exercised infrequently, but it becomes significant if you suspect your information has been shared inappropriately.

4. The Right to Request Restrictions

You have the right to request that a covered entity restrict the use or disclosure of your PHI beyond what HIPAA requires. In most cases, the covered entity is not obligated to agree to your request. There is one critical exception: if you pay out of pocket in full for a service and ask that the information about that service not be shared with your health plan for payment purposes, the covered entity must agree to that restriction. This provision has particular significance for patients who want to keep certain sensitive services, including mental health treatment or reproductive healthcare, off their insurance records.

5. The Right to Request Confidential Communications

You have the right to request that a covered entity communicate with you about your health information by alternative means or at alternative locations. A healthcare provider must accommodate reasonable requests. You might, for example, ask that appointment reminders be sent only to a specific phone number rather than a home address, or that billing information be mailed to a work address. This right is particularly valuable for patients in situations where standard communications could compromise their safety or privacy.

6. The Right to File a Complaint

If you believe a covered entity or business associate has violated your rights under HIPAA, you have the right to file a complaint with the HHS Office for Civil Rights or with the covered entity itself. You must file with OCR within 180 days of the date you knew or should have known about the violation, though OCR has discretion to waive this deadline. Critically, a covered entity cannot retaliate against you for filing a complaint or for exercising any of your HIPAA rights. Retaliation is itself a separate HIPAA violation.

TPO: Where Your Data Flows Without Your Consent

One of the most consequential and least understood provisions of HIPAA is the treatment, payment, and healthcare operations exception, commonly abbreviated as TPO. Under this provision, covered entities can use and disclose your Protected Health Information for TPO purposes without obtaining your authorization. This is not a loophole or an oversight: it is an intentional design choice that reflects a practical reality. Healthcare cannot function if every lab result, every prescription, and every insurance claim requires your explicit prior consent. The information needs to move.

Treatment disclosures allow your primary care physician to send your records to a specialist, your hospital to share your medical history with the emergency physician treating you, and your pharmacy to coordinate with your prescriber. Payment disclosures allow your healthcare provider to submit claims to your insurer, including diagnosis codes and procedure details that the insurer needs to process the claim. Healthcare operations disclosures allow your covered entity to conduct quality improvement activities, train staff, review the competency of care providers, and perform other administrative functions that keep the organization running.

The TPO provision is broad, and its breadth means that a significant volume of your health information circulates within and between healthcare organizations without your knowledge or active consent. This is largely unavoidable in a complex healthcare system, but it is worth understanding. When you sign a Notice of Privacy Practices at a new provider's office, you are not consenting to TPO disclosures; HIPAA does not require your consent for them. You are simply acknowledging that you received the notice. The Notice of Privacy Practices, required to be provided to patients at first service, is a document that explains how the covered entity uses and discloses your PHI, your rights under HIPAA, and how to exercise them. Reading it carefully is one of the more useful things you can do as a healthcare consumer, even though almost no one does.

Fitness Apps, Genetic Tests, and the Unprotected Zone

Return for a moment to the period-tracking app you downloaded at the beginning of this article. That app almost certainly collected detailed information about your menstrual cycle, potentially including symptom notes, sexual activity, mood data, and fertility intentions. Research by the Electronic Frontier Foundation and privacy advocacy groups including the nonprofit Patient Privacy Rights has shown that many such apps share data with advertising networks, data brokers, and in some cases, third-party developers. None of this activity is subject to HIPAA. The app's obligations are defined by its own privacy policy and by applicable state consumer protection laws, and the variability in those policies is enormous.

The Federal Trade Commission has addressed some of the most egregious behavior in this space under its authority to prohibit unfair or deceptive acts or practices under Section 5 of the FTC Act, and under its Health Breach Notification Rule, which requires vendors of personal health records and related apps that fall outside HIPAA to notify consumers when their health data is disclosed without authorization. In 2023, the FTC took action against Easy Healthcare, the maker of the fertility app Premom, for sharing sensitive health data with third-party advertising and analytics providers in ways that contradicted its own privacy policy representations and violated the Health Breach Notification Rule. The same year, it finalized an order against BetterHelp, a mental health platform, for sharing user mental health information with Facebook and Snapchat for advertising purposes. These cases signal that the FTC is willing to act when companies make materially false representations about their privacy practices. However, the FTC's authority does not create affirmative privacy rights equivalent to HIPAA; it primarily polices deception and unauthorized disclosure after the fact.

Genetic testing data occupies a particularly sensitive category. Companies like 23andMe built their consumer business on the proposition that individuals could learn about their ancestry and health risks from a simple saliva sample. The genetic information generated by these tests is among the most personal data that can exist about a human being: it is immutable, it reveals information about your biological relatives who never consented to be tested, and it can predict future health conditions with varying degrees of accuracy. In 2023, 23andMe suffered a credential-stuffing attack in which attackers logged in with passwords reused from other breaches and, through the DNA Relatives feature, harvested ancestry and genetic data relating to approximately 6.9 million users. The company filed for Chapter 11 bankruptcy in March 2025, raising acute questions about what happens to that data under new ownership. None of it was covered by HIPAA.

Employer Wellness Programs: A Murky Middle Ground

Many employers offer wellness programs that incentivize employees to complete health risk assessments, submit biometric data, or engage with health coaching platforms. Whether HIPAA applies to these programs depends on the structure. If the wellness program is offered as part of the employer's group health plan, the health plan is a covered entity, the program's data is PHI, and HIPAA applies. If the employer operates the program independently, outside the health plan, HIPAA does not apply and the employer has considerable latitude in how it uses the data. The distinction is rarely clear to employees participating in these programs, and the incentive structures (premium discounts, gift cards, paid time off) can feel coercive in ways that complicate the notion of voluntary participation.

State Laws Filling the Gaps: The Washington Model

In the absence of comprehensive federal consumer health privacy legislation, states have begun filling the gaps with varying degrees of ambition and effectiveness. The most significant development in recent years has been Washington State's My Health My Data Act, signed into law in April 2023 and taking effect for large businesses in March 2024. The law is notable for extending health data protections explicitly to entities that are not HIPAA covered entities, including consumer health apps, fitness tracking platforms, and other companies that collect consumer health data.

Under the Washington law, consumer health data is defined broadly to include any personal information that identifies your past, present, or future physical or mental health status. This includes conditions, treatments, reproductive and sexual health information, genetic data, precise geolocation data when used to identify health-related behavior such as visits to a medical facility, and information from consumer devices like wearables. Regulated entities under the law (the term it uses, distinct from HIPAA's covered entities) must obtain consent before collecting or sharing most categories of this data beyond what is necessary to provide the product or service the consumer requested, provide consumers with the right to access and delete their data, and refrain from selling consumer health data without a separate, signed authorization.

One provision of the Washington law that has attracted particular attention is its prohibition on geofencing around healthcare facilities for advertising purposes. Advertisers have used geofencing technology to identify consumers who have visited locations like abortion clinics, addiction treatment centers, and mental health facilities and then target them with advertising. The Washington law makes this practice explicitly unlawful within the state. Nevada passed a similar law in 2023, and several other states have enacted or are considering legislation that extends health data protections beyond the HIPAA framework.

The broader consumer privacy laws passed by California, Colorado, Connecticut, Virginia, and other states also provide some additional protections for health-related data, though their scope and the strength of their health-specific provisions vary considerably. Researchers at the University of Washington's Tech Policy Lab and legal scholars including Professor Ryan Calo have argued that the Washington My Health My Data Act represents the most comprehensive state-level health privacy framework enacted to date, and that it may serve as a template for federal legislation. Congress has considered comprehensive health privacy bills in several recent sessions without enacting them, leaving the patchwork of state laws as the primary protection for consumer health data outside the HIPAA framework.

What You Can Do

Knowing your rights is only useful if you exercise them. For the data that falls within HIPAA's coverage, start by requesting a copy of your medical records from every provider relationship you have, including primary care, specialists, and any hospitals where you have received care. This establishes your baseline, lets you check for errors, and familiarizes you with the process. The access request process is described in detail in our guide on how to get your medical records. If you find errors, submit an amendment request in writing and keep a copy of every document exchanged.

For data that falls outside HIPAA's coverage, your primary tools are selective disclosure and careful reading of privacy policies before you share. When you download a health or wellness app, go directly to its privacy policy before entering any data and look specifically for three things: what categories of data are collected, whether data is shared with or sold to third parties, and what happens to your data if the company is acquired or goes bankrupt. If the privacy policy is vague on any of these points, that is itself informative. Look for apps that explicitly state they do not sell your data and that commit to deleting it upon request.

Consider the sensitivity of the data you are generating. Period-tracking data, mental health journaling, sexual health information, and genetic data are among the most sensitive categories that exist. Before sharing any of this information with a non-HIPAA-covered platform, ask whether the benefit you receive from the app justifies the privacy risk. For many health tracking purposes, a paper journal or a local app that does not transmit your data to a server offers comparable functionality with dramatically lower risk.

If you believe a HIPAA covered entity has violated your rights, file a complaint with the HHS Office for Civil Rights at hhs.gov/ocr. You can file online, by mail, or by fax. The process is free and you are legally protected from retaliation. OCR investigates complaints and has issued multi-million dollar settlements against covered entities for a wide range of violations, from failing to provide patients with access to their records to inadequate security safeguards that led to breaches. Your complaint, even if it does not result in a significant penalty in your individual case, contributes to enforcement patterns that shape covered entity behavior across the industry.

For data held by non-HIPAA entities, your remedies are more limited but not absent. If you live in Washington State, Nevada, or another state with a consumer health privacy law, you may have rights to access, correction, and deletion of your data from covered businesses. California residents can exercise similar rights under the California Consumer Privacy Act for a broad range of personal information. If a company has made false representations about its privacy practices, a complaint to the FTC at ftc.gov/complaint is appropriate and contributes to the agency's enforcement priorities. State attorneys general are also increasingly active in this space.

The broader lesson of HIPAA's story is that privacy law tends to lag significantly behind technology. The law was written for a world of electronic health records transmitted between providers and insurers, not for a world in which your phone tracks your heartbeat, predicts your cycle, logs your mood, and transmits all of it to servers operated by companies whose business model depends on data monetization. Closing that gap will require new federal legislation, more active enforcement at the state level, and a genuine shift in consumer expectations about what health data privacy should look like. In the meantime, your best protection is knowledge, and knowledge begins with understanding exactly what the law does and does not do on your behalf.


© 2026 QuanMed - All rights reserved