
7 HIPAA Facts You Need To Be Aware Of

Some privacy policies require an advanced degree just to understand the agreement. Consumers can all but give away their rights to their personal information by accepting policies without understanding what they’re signing up for.

HIPAA regulations, however, don’t require patients to read between the lines. 

Under the federal Health Insurance Portability and Accountability Act (HIPAA), health information must be protected at all times, whether it’s stored on a digital server or in an office file cabinet.

Here are 7 HIPAA facts you need to be aware of in order to avoid hefty fines. 

1. Doctors Can Exchange Info

One important thing to note about HIPAA rules and regulations is that doctors don’t need consent to share patient health information. If two healthcare providers are using a patient’s data for the purposes of treatment, payment or just general information, there’s no need to get permission to do so.

This can be a huge convenience for doctors who need access to a patient’s medical records, since they won’t have to wait on the patient to remember to follow through.

2. Mobile Apps Shouldn’t Store Data

Mobile apps present a tricky area when it comes to HIPAA regulations. Developers must have a plan in place for potential data breaches.

Since apps might not operate with the robust IT staff of a hospital or other large healthcare organization, it’s a good rule of thumb to avoid storing healthcare data within the app. That means less maintenance and less security burden, especially if your cloud server isn’t already HIPAA certified.

Still, it’s a good idea to have a plan in place to scale your app once you get more users. A HIPAA compliant server might not be cheap, but it’ll help save you legal trouble in the event of a data breach.

Unlike credit cards and bank information, patients can’t simply change their medical records and gain a new privacy barrier. Once hackers have their data, the damage is irreversible. 

3. Patients Don’t Own Their Own Health Information

One HIPAA fact that might surprise patients is that they don’t own their own health information. Medical records are the property of the healthcare provider.

Since HIPAA protects the patient’s privacy, this typically isn’t an issue for patients. It does block hospitals from doing things like selling medical records to big pharma partners for profit. 

Also, lack of ownership doesn’t mean patients don’t have the right to request information whenever they want. Hospitals and doctor’s offices have to accommodate anyone who requests his or her medical records.

4. Some Companies are Exempt from Following HIPAA Rules

Health information isn’t protected everywhere. There are organizations and industries that don’t have to comply with HIPAA laws.

For example, life insurance companies, schools, law enforcement, and employers are all exempt from HIPAA regulations. This presents gaps in privacy standards that can have a negative impact on the patient.

But since none of these organizations provide medical care, the likelihood of health information leaking is fairly slim. 

5. Lawsuits Aren’t Permitted

Data breaches happen to the best of the best. Though HIPAA requirements are legally mandated, that doesn’t mean patients can sue you for making mistakes or getting hacked.

Instead of filing a lawsuit, anyone with a HIPAA-related complaint must contact the U.S. Department of Health and Human Services. The agency requires written notification of any violations.

6. Not Knowing HIPAA Facts Can Be Expensive

It’s important to educate yourself on ongoing changes in HIPAA legislation. Fines can reach up to $1.5 million.

Protect your organization from potential offenses by hiring a HIPAA compliance consultant to track ongoing rules and regulations. It might cost you more in overhead, but it’ll save you money in the event your organization is audited. 

Fines per violation range from $100 to $5,000. Claiming ignorance of the law won’t protect you financially. Spend the money to audit your own operations and IT to make sure your organization is on track.

7. Email is Allowed

There’s a big misconception that emails aren’t allowed under HIPAA laws. But this couldn’t be farther from the truth.

Healthcare organizations can email patients even if their emails aren’t encrypted. The key is to take proper care not to distribute any identifiable information that can pose a problem if you’re hacked.

Keep in mind that marketing information isn’t exempt from HIPAA rules. Patient intake forms that gather personal contact information for medical treatment don’t give you the automatic right to include patients in your marketing communications.

You’ll need consent from patients in order to send out promotional information on behalf of your organization. Not getting permission can lead to potential complaints and/or fines. 


HIPAA laws protect both the patient and the healthcare provider from negligence. The law was created in 1996 as a way to easily transfer health insurance information as people moved between employers. 

Later, the law supported healthcare providers who needed access to patient medical records in order to provide adequate treatment. Cutting out the patient as the primary point of contact for those records helped streamline medical care.

In our growing digital age, HIPAA helps protect patient privacy. There’s no foolproof strategy for avoiding data breaches or information leaks, but HIPAA forces organizations to think carefully about their technology and operations.

Patients can rest assured that the threat of high fines motivates large organizations to tread carefully as they handle medical records.

HIPAA Regulations are Worth It

When patients and providers honor HIPAA laws, it’s a win-win situation. Understanding basic HIPAA facts keeps organizations from paying hefty fines or dealing with a PR nightmare.

Patients have many options when it comes to healthcare treatment. Make sure your brand is associated with data security and professionalism by following HIPAA guidelines down to the letter.

For more information or to get a HIPAA risk analysis for your organization, contact us today. 

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Section 164.308(a)(5) of the HIPAA Security Rule states: “Implement a security awareness and training program for all members of its workforce (including management).”

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
