What Is the Health Insurance Portability and Accountability Act?
HIPAA is the federal framework for protecting Protected Health Information (PHI) held by healthcare providers, health plans, and healthcare clearinghouses (collectively, 'covered entities') and their 'business associates.' The three pillars — the Privacy Rule, the Security Rule, and the Breach Notification Rule — govern PHI across use, disclosure, safeguarding, and incident reporting. Critically, HIPAA's scope is narrower than most consumers assume. Health-adjacent data held by non-covered entities — fitness apps, period trackers, mental-health apps, pharmacy loyalty programs used outside a provider relationship, and most data brokers — is typically NOT subject to HIPAA. This gap is why the FTC, not HHS, has pursued recent enforcement against companies like BetterHelp (2023) and GoodRx (2023) for sharing consumer health data with advertisers.
At a glance
- Full name: Health Insurance Portability and Accountability Act
- Short code: HIPAA
- Enacted: 1996
- Last major update: Privacy Rule 2003; Security Rule 2005; HITECH 2009; Omnibus Rule 2013
- Jurisdiction: United States (federal)
- Private right of action: No
- Primary enforcer: HHS Office for Civil Rights (OCR); state Attorneys General (granted authority by HITECH 2009)
- Statutory citation: 42 U.S.C. § 1320d; implementing regulations at 45 CFR Parts 160-164
Scope — who HIPAA covers
Protected data
Consumer rights & protections
Right to a Notice of Privacy Practices describing how a covered entity uses and discloses PHI
Right of access — obtain a copy of your medical records (usually within 30 days; one 30-day extension allowed)
Right to amend — request corrections to inaccurate PHI
Right to an accounting of disclosures for purposes other than treatment, payment, or healthcare operations (going back 6 years)
Right to request restrictions on uses and disclosures (covered entity must agree if disclosure would be to a health plan for services paid out-of-pocket in full)
Right to confidential communications (alternative addresses / phone numbers for receiving PHI)
Right to file a complaint with HHS Office for Civil Rights
Notable features
HIPAA's coverage gap is the single most important feature for consumers to understand: a health-adjacent company is NOT HIPAA-covered unless it is a healthcare provider, plan, clearinghouse, or business associate. Consumer-facing health apps (period trackers, mental health apps, wearables data not flowing through a provider) are outside HIPAA. This has driven a parallel enforcement regime via the FTC Health Breach Notification Rule (HBNR) and FTC Act §5 enforcement — which is now often stronger than HIPAA for these gap companies.
Enforcement & penalties
Enforcing agency: HHS Office for Civil Rights (OCR); state Attorneys General (granted authority by HITECH 2009)
Penalties: Civil penalties are tiered by culpability (HITECH 2009 structure): Tier 1 (unknowing) $137-$68,928 per violation; Tier 2 (reasonable cause) $1,379-$68,928; Tier 3 (willful neglect, corrected) $13,785-$68,928; Tier 4 (willful neglect, not corrected) $68,928-$2,067,813 per violation. Annual cap per identical provision: $2,067,813 (2024 adjusted). Criminal penalties up to $250,000 and 10 years imprisonment for knowing violations with intent to sell, transfer, or use PHI for commercial advantage.
Private right of action: HIPAA itself has no private right of action — consumers cannot sue a covered entity directly for a HIPAA violation. Remedies flow through complaints to HHS OCR or state AG actions. However, some state courts have recognized HIPAA as evidence of a duty of care in state common-law claims (negligence, breach of fiduciary duty), and many state privacy laws separately cover health data.
Landmark enforcement cases
HHS OCR v. Anthem
2018: Anthem paid $16 million to HHS — the largest HIPAA settlement on record — following a 2015 cyberattack that compromised PHI of nearly 79 million people. The settlement included ongoing compliance monitoring.
FTC v. BetterHelp
2023: BetterHelp paid $7.8M for sharing consumers' mental health data with Facebook, Snapchat, Pinterest, and Criteo for advertising — the first major FTC enforcement of consumer-health privacy against a non-HIPAA-covered entity, using FTC Act §5 and the Health Breach Notification Rule.
Relevance to data brokers
Most data brokers are NOT HIPAA-covered — even those trafficking in health-adjacent data like pharmacy loyalty programs, wellness app exports, or lifestyle indicators. This is a major reason a federal comprehensive privacy law is frequently proposed. Brokers in the health-adjacent space are primarily governed by FTC Act §5 and the FTC Health Breach Notification Rule, plus state laws like Washington's My Health My Data Act (which has much broader scope than HIPAA).
FAQ
Does HIPAA cover fitness trackers, period-tracking apps, or mental-health apps?
Generally no. These apps are not covered entities or business associates unless they flow data to a healthcare provider or health plan. The FTC Health Breach Notification Rule (16 CFR Part 318) and FTC Act §5 are the primary federal tools for these companies, alongside state laws like Washington's My Health My Data Act.
Can I get a copy of my medical records under HIPAA?
Yes. Under 45 CFR § 164.524, you have a right of access to your designated record set held by a covered entity. The covered entity must respond within 30 days (one 30-day extension is permitted with notice). Reasonable cost-based fees may apply for copies but not for viewing.
What is the difference between HIPAA and the FTC Health Breach Notification Rule?
HIPAA applies to covered entities and business associates; the FTC Health Breach Notification Rule (HBNR) applies to 'vendors of personal health records' not otherwise covered by HIPAA — filling the gap for consumer health apps. After a 2024 update, HBNR now applies more clearly to health apps and requires notification of breaches to affected consumers, the FTC, and (for large breaches) the media.
Can I sue my doctor under HIPAA?
HIPAA has no private right of action, so not directly. However, you can file a complaint with HHS OCR (which may investigate and fine the provider) and, in most states, can pursue common-law claims (negligence, breach of confidentiality) that use HIPAA as evidence of the standard of care. Some states have separate private rights of action for medical privacy.
Official sources & citations
Other federal privacy laws
Federal privacy law is sectoral — each statute covers a specific data type or industry. Here are the other federal regimes to know alongside HIPAA: