Federal law protects the privacy of patients’ identifiable health information. This important law is the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. It is enforced by the Office for Civil Rights within the U.S. Department of Health and Human Services (DHHS).
The HIPAA Privacy Rule does not prohibit everyone who has access to your personal health information from disclosing it without your consent. It mainly applies to health care providers (such as doctors, hospitals, and pharmacies) and health plans (such as health insurers, HMOs, and company health plans). For the providers and plans covered by HIPAA, there also may be certain instances when disclosure without consent is permitted.
The health privacy information on the DHHS website provides a good explanation of who is covered by the HIPAA Privacy Rule, what health information is protected, and how to file a complaint with the Office for Civil Rights if you think someone has failed to protect your privacy.