
HIPAA Basics for Migraine Patients: What Are Your Rights?

The Health Insurance Portability and Accountability Act (HIPAA), a 1996 federal law, gives patients certain rights with respect to their health records and information.

This article is the first in a series of three about HIPAA: Part 1: Your rights, Part 2: Spotting violations of these rights, and Part 3: How to file a complaint about possible violations.

HIPAA protections are all about maintaining the privacy of your health care information and giving you the power to determine who has access to it. These rules apply to information regardless of format: oral, written, or electronic.

Under HIPAA you have the right to, for example:

  • Review your health records. This includes getting a copy of the records either on paper or electronically (your preference if the provider has both capabilities). The health care provider has 30 days to comply with your records request.
  • Ask for corrections to your medical records.
  • Receive a written policy stating how your information may be used.
  • Request a report telling you how your information has been used.
  • Decide who your information can be shared with, such as marketers.
  • Complain if your rights aren’t being respected or your information isn’t being protected.

Examples of entities required to follow HIPAA include, but are not limited to:

  • Health care providers, such as doctors, support staff, hospitals, clinics and pharmacies.
  • Health plans, such as insurance companies, HMOs, Medicaid and Medicare.

Your private health information can be accessed under limited conditions, including:

  • To facilitate your care and treatment.
  • To pay for your health care.
  • With the person financially responsible for your health care bills, unless you state otherwise.
  • To make required reports to government agencies regarding things like occurrences of certain diseases or gunshot wounds.
  • To prevent a serious health risk to you, the patient, or to other people.

Other important things to know:

  • Employers: Employers are not required to comply with HIPAA’s privacy protections.
  • Personal representatives: Generally a personal representative must be allowed access to review and inspect your health records on your behalf. A parent would be a personal representative for a minor child. If you have appointed a health care power of attorney, that person could act as your personal representative.
  • Family & friends: To maintain your privacy, providers are not allowed to share your health information with your family members or friends except under certain circumstances. But you can give your providers permission to share your information with whomever you choose, such as your spouse, parents or siblings. Providers typically prefer you to give written permission, but it is not required by law.

This article is intended to give you a brief overview, so none of the examples are exclusive. I’ll be covering more information about HIPAA in parts two and three of this series, but if you have questions now, please share them in the comments.

This article represents the opinions, thoughts, and experiences of the author; none of this content has been paid for by any advertiser. The team does not recommend or endorse any products or treatments discussed herein.



  • bluu
    5 years ago

    Good morning…
    I am always interested in learning more about the laws as it pertains to our rights and our health conditions.

    I am surprised to read in your article that employers are able to view our medical files and we are not protected by HIPAA. How is it determined by our employer’s personnel office who views our records? How far back can they go and what exactly are they looking for? Who monitors them while they view our files? And, how long are they allowed access to our files?

    I recently encountered this (I live in CA) when I was completing my request for FMLA. There was a portion of the form giving my employer “temporary limited access to my medical records” that they were asking me to sign. I did not feel comfortable signing it, so I didn’t. My doctor said the information they need to know about my condition is stated on the form. The research I did do showed from the US Department of Health & Human Services stated on the paperwork they need to have a time period (beginning & end date) of how long the “limited access” is good for (varies from state to state). Is that correct?

    What do employers do with the information? Are they trying to establish we do indeed have an illness? They are not doctors, I guess is my bottom line. Can you help me to understand?

    Thank you

  • Diana-Lee author
    5 years ago

    In a nutshell, employers are not considered “covered entities” under the law and are therefore not bound by its provisions the way covered entities are.

    While there are legitimate reasons for an employer to be made aware of our health information, it seems fundamentally unfair to employees that this information can be used in just about any capacity the employer sees fit.
