This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.
Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.
HIPAA Right of Access Videos
OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create Your Health Information, Your Rights!, a series of three short, educational videos (in English and option for Spanish captions) to help you understand your right under HIPAA to access and receive a copy of your health information.
HIPAA Right of Access Infographic
OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create this one-page fact sheet, with illustrations, that provides an overall summary of your rights under HIPAA:
HIPAA General Fact Sheets
Who Must Follow These Laws
We call the entities that must follow the HIPAA regulations "covered entities."
Covered entities include:
In addition, business associates of covered entities must follow parts of the HIPAA regulations.
Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. We call these entities “business associates.” Examples of business associates include:
Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.
Who Is Not Required to Follow These Laws
Many organizations that have health information about you do not have to follow these laws.
Examples of organizations that do not have to follow the Privacy and Security Rules include:
What Information Is Protected
How This Information Is Protected
What Rights Does the Privacy Rule Give Me over My Health Information?
Health insurers and providers who are covered entities must comply with your right to:
You should get to know these important rights, which help you protect your health information.
You can ask your provider or health insurer questions about your rights.
Learn more about your health information privacy rights.
Who Can Look at and Receive Your Health Information
The Privacy Rule sets rules and limits on who can look at and receive your health information
To make sure that your health information is protected in a way that does not interfere with your health care, your information can be used and shared:
Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot:
(1) In this Act—
s 4: Am 2003 No 13, Sch 1.13; 2004 No 114, Sch 2.8; 2005 No 10, Sch 2.5  ; 2006 No 2, Sch 5.4; 2006 No 94, Sch 3.15; 2009 No 61, Sch 4.4  ; 2010 No 19, Sch 3.45  ; 2010 No 34, Sch 2.26  ; 2010 No 96, Sch 3 ; 2011 No 62, Schs 1.9, 3.13 ; 2012 No 39, Sch 1.2 ; 2012 No 42, Sch 1.13  ; 2012 No 95, Sch 2.16; 2013 No 39, Sch 2.2; 2013 No 95, Sch 2.75 ; 2016 No 61, Sch 6.24  ; 2017 No 50, Sch 5.17; 2017 No 65, Sch 2.12; 2018 No 28, Sch 1.13; 2018 No 70, Sch 4.48; 2019 No 7, Sch 1.5; 2019 No 25, Sch 5.23; 2021 No 32, Sch 1.4.