Which of the following government acts protects medical records and personal health information?

This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.

Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.

HIPAA Right of Access Videos

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create Your Health Information, Your Rights!, a series of three short educational videos (in English, with an option for Spanish captions) to help you understand your right under HIPAA to access and receive a copy of your health information.

HIPAA Right of Access Infographic

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create this one-page fact sheet, with illustrations, that provides an overall summary of your rights under HIPAA:

  • Your Health Information, Your Rights!


Who Must Follow These Laws

We call the entities that must follow the HIPAA regulations "covered entities."

Covered entities include:

  • Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
  • Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
  • Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

In addition, business associates of covered entities must follow parts of the HIPAA regulations.

Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. We call these entities “business associates.” Examples of business associates include:

  • Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims
  • Companies that help administer health plans
  • People like outside lawyers, accountants, and IT specialists
  • Companies that store or destroy medical records

Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.

Who Is Not Required to Follow These Laws

Many organizations that have health information about you do not have to follow these laws.

Examples of organizations that do not have to follow the Privacy and Security Rules include:

  • Life insurers
  • Employers
  • Workers compensation carriers
  • Most schools and school districts
  • Many state agencies like child protective service agencies
  • Most law enforcement agencies
  • Many municipal offices

What Information Is Protected

  • Information your doctors, nurses, and other health care providers put in your medical record
  • Conversations your doctor has about your care or treatment with nurses and others
  • Information about you in your health insurer’s computer system
  • Billing information about you at your clinic
  • Most other health information about you held by those who must follow these laws

How This Information Is Protected

  • Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
  • Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
  • Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
  • Business associates also must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.

What Rights Does the Privacy Rule Give Me over My Health Information?

Health insurers and providers who are covered entities must comply with your right to:

  • Ask to see and get a copy of your health records
  • Have corrections added to your health information
  • Receive a notice that tells you how your health information may be used and shared
  • Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
  • Request that a covered entity restrict how it uses or discloses your health information
  • Get a report on when and why your health information was shared for certain purposes
  • If you believe your rights are being denied or your health information isn’t being protected, you can

You should get to know these important rights, which help you protect your health information.

You can ask your provider or health insurer questions about your rights.


Who Can Look at and Receive Your Health Information

The Privacy Rule sets rules and limits on who can look at and receive your health information.

To make sure that your health information is protected in a way that does not interfere with your health care, your information can be used and shared:

  • For your treatment and care coordination
  • To pay doctors and hospitals for your health care and to help run their businesses
  • With your family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object
  • To make sure doctors give good care and nursing homes are clean and safe
  • To protect the public's health, such as by reporting when the flu is in your area
  • To make required reports to the police, such as reporting gunshot wounds

Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot:

  • Give your information to your employer
  • Use or share your information for marketing or advertising purposes or sell your information

Health Records and Information Privacy Act 2002 (NSW)

4 Definitions

(1)  In this Act—

authorised representative has the meaning given by section 8.

Commonwealth agency means an entity referred to in paragraphs (a)–(h) of the definition of agency in the Privacy Act 1988 of the Commonwealth.

Commonwealth Privacy Commissioner means the Office of the Privacy Commissioner established by the Privacy Act 1988 of the Commonwealth.

exercise a function includes perform a duty.

function includes a power, authority or duty.

generally available publication means a publication (whether in paper or electronic form) that is generally available to members of the public, but does not include any publication or document declared by the regulations not to be a generally available publication for the purposes of this Act.

genetic information means health information of a type described in section 6 (d).

genetic relative means a person who is related to an individual by blood, for example, a sibling, parent or descendant of the individual.

guidelines means guidelines issued by the Privacy Commissioner as referred to in section 64.

health care means any care, treatment, advice, service or goods provided in respect of the physical or mental health of a person.

health information has the meaning given by section 6.

health privacy code of practice or code means a privacy code of practice relating to health information made under Part 5.

Health Privacy Principle or HPP means a clause of Schedule 1. A reference in this Act to a Health Privacy Principle by number is a reference to the clause of Schedule 1 with that number.

health service includes the following services, whether provided as public or private services—

(a)  medical, hospital, nursing and midwifery services,

(c)  mental health services,

(d)  pharmaceutical services,

(f)  community health services,

(g)  health education services,

(h)  welfare services necessary to implement any services referred to in paragraphs (a)–(g),

(i)  services provided in connection with Aboriginal and Torres Strait Islander health practices and medical radiation practices,

(j)  Chinese medicine, chiropractic, occupational therapy, optometry, osteopathy, physiotherapy, podiatry and psychology services,

(j1)  optical dispensing, dietitian, massage therapy, naturopathy, acupuncture, speech therapy, audiology and audiometry services,

(k)  services provided in other alternative health care fields in the course of providing health care,

(l)  a service prescribed by the regulations as a health service for the purposes of this Act.

health service provider means an organisation that provides a health service but does not include—

(a)  a health service provider, or a class of health service providers, that is prescribed by the regulations as an exempt health service provider—

(i)  for the purposes of this Act generally, or

(ii)  for the purposes of specified provisions of this Act, or

(iii)  for the purposes of specified Health Privacy Principles or health privacy codes of practice, or

(iv)  to the extent to which it is prescribed by the regulations as an exempt health service provider, or

(b)  an organisation that merely arranges for a health service to be provided to an individual by another organisation.

identifier means an identifier (which is usually, but need not be, a number), not being an identifier that consists only of the individual’s name, that is—

(a)  assigned to an individual in conjunction with or in relation to the individual’s health information by an organisation for the purpose of uniquely identifying that individual, whether or not it is subsequently used otherwise than in conjunction with or in relation to health information, or

(b)  adopted, used or disclosed in conjunction with or in relation to the individual’s health information by an organisation for the purpose of uniquely identifying that individual.

immediate family member of an individual means a person who is—

(a)  a parent, child or sibling of the individual, or

(b)  a spouse of the individual, or

(c)  a member of the individual’s household who is a relative of the individual, or

(d)  a person nominated to an organisation by the individual as a person to whom health information relating to the individual may be disclosed.

investigative agency means any of the following—

(a)  the Ombudsman’s Office,

(b)  the Independent Commission Against Corruption,

(b1)  the Inspector of the Independent Commission Against Corruption,

(c)  the Law Enforcement Conduct Commission,

(d)  the Inspector of the Law Enforcement Conduct Commission and any staff of the Inspector,

(e)  the Community Services Commission,

(f)  the Health Care Complaints Commission,

(g)  the office of Legal Services Commissioner,

(g1)  the Ageing and Disability Commissioner,

(g2)  the Children’s Guardian,

(h)  a person or body prescribed by the regulations for the purposes of this definition.

law enforcement agency means any of the following—

(a)  the NSW Police Force, or the police force of another State or a Territory,

(b)  the New South Wales Crime Commission,

(c)  the Australian Federal Police,

(d)  the Australian Crime Commission,

(e)  the Director of Public Prosecutions of New South Wales, of another State or a Territory or of the Commonwealth,

(f)  the Department of Corrective Services,

(g)  the Department of Juvenile Justice,

(h)  a person or body prescribed by the regulations for the purposes of this definition.

local government authority means a council, a county council or a joint organisation within the meaning of the Local Government Act 1993.

news activity means—

(a)  the gathering of news for the purposes of dissemination to the public or any section of the public, or

(b)  the preparation or compiling of articles or programs of or concerning news, observations on news or current affairs for the purpose of dissemination to the public or any section of the public, or

(c)  the dissemination to the public or any section of the public of any article or program of or concerning news, observations on news or current affairs.

news medium means any organisation whose business, or whose principal business, consists of a news activity.

organisation means a public sector agency or a private sector person.

personal information has the meaning given by section 5.

PPIP Act means the Privacy and Personal Information Protection Act 1998.

Privacy Commissioner means the Privacy Commissioner appointed under the PPIP Act.

private sector person means any of the following that is not a public sector agency—

(d)  a trust or any other unincorporated association or body,

but does not include a small business operator within the meaning of the Privacy Act 1988 of the Commonwealth, or an agency within the meaning of that Act.

public sector agency means any of the following—

(a)  a government department or the Teaching Service,

(b)  a statutory body representing the Crown,

(d)  an auditable entity within the meaning of the Government Sector Audit Act 1983 or any other entity within the meaning of that Act (or entity of a kind) prescribed by the regulations, but excluding an entity (or entity of a kind) prescribed by the regulations,

(e)  the NSW Police Force,

(e1)  Service NSW Division of the Government Service,

(f)  a local government authority,

(g)  a person or body that—

(i)  provides data services (being services relating to the collection, processing, disclosure or use of personal information or that provide for access to such information) for or on behalf of a body referred to in paragraphs (a)–(f), or that receives funding from any such body in connection with providing data services, and

(ii)  is prescribed by the regulations for the purposes of this definition,

but does not include a State owned corporation.

public sector official means any of the following—

(a)  a person appointed by the Governor, or a Minister, to a statutory office,

(c)  a person employed in the Government Service, the Teaching Service, the NSW Health Service or the NSW Police Force,

(d)  a local government councillor or a person employed by a local government authority,

(e)  a person who is an officer of the Legislative Council or Legislative Assembly or who is employed by (or who is under the control of) the President of the Legislative Council or the Speaker of the Legislative Assembly, or both,

(f)  a person who is employed or engaged by—

(i)  a public sector agency, or

(ii)  a person referred to in paragraphs (a)–(e),

(g)  a person who acts for or on behalf of, or in the place of, or as deputy or delegate of, a public sector agency or person referred to in paragraphs (a)–(e).

related body corporate, in relation to an organisation that is a body corporate, has the same meaning as in the Corporations Act 2001 of the Commonwealth.

relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece of the individual.

sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother or step-sister of the individual.

spouse means—

(a)  the person to whom a person is legally married (including the husband or wife of a person), or

but where more than one person would so qualify as a spouse, means only the last person so to qualify.

staff of the Inspector of the Independent Commission Against Corruption means—

(b)  any consultants engaged under section 57E (3) of that Act.

State record has the same meaning as in the State Records Act 1998.

Tribunal means the Civil and Administrative Tribunal.

s 4: Am 2003 No 13, Sch 1.13; 2004 No 114, Sch 2.8; 2005 No 10, Sch 2.5 [1] [2]; 2006 No 2, Sch 5.4; 2006 No 94, Sch 3.15; 2009 No 61, Sch 4.4 [1] [2]; 2010 No 19, Sch 3.45 [1] [2]; 2010 No 34, Sch 2.26 [1] [2]; 2010 No 96, Sch 3 [1]; 2011 No 62, Schs 1.9, 3.13 [1]; 2012 No 39, Sch 1.2 [1]; 2012 No 42, Sch 1.13 [1] [2]; 2012 No 95, Sch 2.16; 2013 No 39, Sch 2.2; 2013 No 95, Sch 2.75 [1]; 2016 No 61, Sch 6.24 [1] [2]; 2017 No 50, Sch 5.17; 2017 No 65, Sch 2.12; 2018 No 28, Sch 1.13; 2018 No 70, Sch 4.48; 2019 No 7, Sch 1.5; 2019 No 25, Sch 5.23[1]; 2021 No 32, Sch 1.4[1].