Patient Privacy and Confidentiality Rights Explained
Medical records contain some of the most sensitive information a person generates in a lifetime — diagnoses, medications, mental health history, reproductive choices. Federal and state law have built a layered framework to protect that information, anchored primarily by HIPAA but extending well beyond it. This page maps the legal definition of patient privacy rights, how those protections operate in practice, the situations where they most commonly arise, and the specific conditions under which a provider may — or must — override them.
Definition and scope
The Health Insurance Portability and Accountability Act of 1996 — known universally as HIPAA — established the baseline privacy standard for individually identifiable health information in the United States (HHS HIPAA Privacy Rule, 45 CFR Part 164). Under the Privacy Rule, any information that relates to a patient's past, present, or future physical or mental health condition, the provision of care, or payment for care — and that could be used to identify the individual — qualifies as Protected Health Information (PHI).
Covered entities under HIPAA include health plans, healthcare clearinghouses, and most healthcare providers. Business associates — contractors and vendors who handle PHI on behalf of those entities — carry obligations of their own under the 2013 Omnibus Rule. The law does not cover every entity that holds health data; a fitness app that stores workout and heart-rate data, for instance, falls outside HIPAA unless it transmits data directly to a covered entity.
Confidentiality is a narrower concept nested inside privacy. Privacy is the patient's right to control who accesses their information. Confidentiality is the provider's corresponding duty not to disclose it without authorization. The distinction matters legally: a breach of confidentiality by a physician may trigger state tort liability even where no HIPAA violation occurred, because most states maintain independent common-law or statutory duties of medical confidentiality that predate the federal statute by decades.
For a broader look at how these rights fit within the full landscape of patient protections, the overview at nationalpatientrightsauthority.com provides useful context.
How it works
HIPAA permits covered entities to use and disclose PHI without patient authorization for three baseline purposes: treatment, payment, and healthcare operations. Everything else generally requires either a written patient authorization or a specific statutory exception.
When a patient signs an authorization, it must meet six minimum elements under 45 CFR §164.508:
- A description of the PHI to be used or disclosed
- The name or class of persons authorized to make the disclosure
- The recipient of the information
- A stated purpose for the disclosure
- An expiration date or event
- The patient's signature and date
Patients also hold a standing set of rights over their records independent of any authorization. Under 45 CFR §164.524, patients have the right to inspect and obtain a copy of their PHI held by a covered entity, a right covered in more detail on the right to access medical records page. Covered entities must respond to access requests within 30 days, with one 30-day extension permitted if they provide written notice of the delay.
The HHS Office for Civil Rights (OCR) enforces HIPAA. Civil penalties range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category (HHS OCR HIPAA Enforcement). Criminal penalties, pursued through the Department of Justice, apply when PHI is knowingly obtained or disclosed in violation of the statute.
Common scenarios
Sharing records with family members. HIPAA does not automatically permit disclosure to a spouse, parent, or adult child unless the patient has granted authorization or is incapacitated. A provider may exercise professional judgment to share information with a family member involved in a patient's care, but this is discretionary, not obligatory.
Mental health and substance use records. Psychiatric notes and records related to substance use disorder treatment carry heightened protections. Records related to federally assisted substance use disorder treatment are governed by 42 CFR Part 2, a framework that is stricter than baseline HIPAA and limits disclosure even for treatment purposes without explicit patient consent. The mental health patient rights section explores this distinction in depth.
Employer requests. Employers generally cannot access an employee's medical records through a provider without written authorization. Workers' compensation proceedings involve a narrower exception, permitting disclosure related specifically to the work-related condition.
Telehealth encounters. Video-based visits generate PHI subject to the same HIPAA rules as in-person care. Platforms must execute Business Associate Agreements with covered entities. The telehealth patient rights page addresses platform-specific issues in more detail.
Decision boundaries
The legal framework recognizes circumstances where privacy yields to competing interests. These exceptions are defined and limited — not open-ended:
- Public health reporting: Covered entities may disclose PHI to public health authorities authorized by law to collect data for disease surveillance, without patient authorization (45 CFR §164.512(b)).
- Mandatory reporting: All 50 states require providers to report specific communicable diseases, gunshot wounds, and child abuse. These obligations exist under state statute and operate independently of HIPAA's federal framework.
- Court orders and law enforcement: PHI may be disclosed in response to a court order or, under narrower conditions, to law enforcement for specific purposes including locating a suspect or victim, or responding to an administrative subpoena.
- Serious threat to health or safety: A covered entity may disclose PHI to prevent or lessen a serious and imminent threat to a person or the public, consistent with applicable law and ethical standards.
The line between mandatory disclosure and patient authorization can look blurry in practice, but the structure is precise: if no explicit statutory exception applies and no valid patient authorization exists, the default answer is non-disclosure. That default is the architecture of the entire system.
For patients navigating a situation where they believe their privacy rights have been violated, the how to file a patient rights complaint page outlines the formal OCR complaint process and applicable deadlines.
References
- HHS HIPAA Privacy Rule — 45 CFR Part 164
- HHS Office for Civil Rights — HIPAA Enforcement
- eCFR — 45 CFR §164.512: Uses and Disclosures for Which an Authorization Is Not Required
- eCFR — 45 CFR §164.508: Uses and Disclosures for Which an Authorization Is Required
- eCFR — 45 CFR §164.524: Access of Individuals to Protected Health Information
- SAMHSA — 42 CFR Part 2: Confidentiality of Substance Use Disorder Patient Records
- HHS — HIPAA for Individuals