The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule sets rules and limits on who can look at and receive your protected health information, or information that relates to your health or health care you have received and can also be used to identify you. Your health information may be used and shared with doctors and hospitals; with family, relatives, friends, or others you specify; with the police in special cases such as gunshot wounds; and with government agencies that report on the incidence of various illnesses.

Your health care provider and health plan must give you a notice that tells you how they may use and share your health information and how you can exercise your health privacy rights. In most cases, you should get this notice on your first visit to a provider or in the mail from your health insurer, and you can ask for a copy at any time. The provider or health plan cannot use or disclose information in a way that is not consistent with their notice.

Unless HIPAA explicitly allows for the use or disclosure of your protected health information (similar to the situations as noted above), your personal health information (PHI) cannot be used or shared without your written permission. For example, without your authorization, your provider generally cannot give your information to your employer, use or share your information for marketing or advertising purposes, or share private notes about your health care.

Learn more about how your provider and health plan are to be open and transparent about how they handle your health information.