No. Patients are not a covered entity under the Health Insurance Portability and Accountability Act. HIPAA only covers three groups: health plans, health care clearinghouses, and health care providers who send certain transactions electronically, as defined in 45 CFR §160.103. Patients are the people HIPAA protects, not the people HIPAA regulates.
This matters because many patients believe HIPAA stops them from sharing their own medical information, or that they can personally sue a nosy neighbor for “a HIPAA violation.” Neither is true under the HIPAA Privacy Rule, and courts have repeatedly ruled there is no private right of action, as confirmed in Acara v. Banks, 470 F.3d 569 (5th Cir. 2006).
According to the most recent HHS Office for Civil Rights breach portal, more than 275 million Americans had protected health information exposed in reported breaches during 2024 alone, yet none of the resulting enforcement actions targeted a patient. That statistic tells the real story of who HIPAA regulates.
Here is what this article will teach you:
- 🏥 Who HIPAA actually covers and why patients sit outside that circle
- 📱 How social media, wearables, and patient apps change the privacy picture
- ⚖️ What legal tools patients do have when their records are mishandled
- 🧾 The exact rights patients get under the Privacy Rule and the Cures Act
- 🚫 The biggest HIPAA myths that get patients, families, and small practices in trouble
Who HIPAA Actually Covers
HIPAA uses a narrow list of regulated parties. The statute and its rules name three covered entities and one support category called business associates. If you are not on that list, HIPAA does not bind you directly, even if you handle health information every day.
The definition in 45 CFR §160.103 is the anchor. It names health plans, health care clearinghouses, and any health care provider who transmits health information electronically in connection with a transaction covered by the rules. Congress chose this list in 1996 to reach the businesses that control the flow of claims and payment data.
The consequence of the narrow list is that huge amounts of health data sit outside HIPAA. A fitness tracker company, a symptom-checker app, a life insurance underwriter, and a school nurse may all touch health data without being covered. Patients often assume HIPAA follows the data, but HIPAA follows the entity.
A common misconception is that “anyone with medical records must follow HIPAA.” That is false. The Federal Trade Commission and state attorneys general often step in where HIPAA stops, using laws like the FTC Health Breach Notification Rule.
Health Plans
A health plan is any individual or group plan that pays the cost of medical care. This includes private insurers, HMOs, Medicare, Medicaid, employer group health plans with 50 or more participants, and the CHIP program. The Privacy Rule covers health plans whether or not they transmit data electronically.
The consequence for a health plan that ignores HIPAA is steep. Civil money penalties under the HITECH Act reach $71,162 per violation and $2,134,831 per identical violation per year as adjusted for inflation by OCR in 2024.
For example, a self-insured employer plan for a 200-person company in Vilnius with a U.S. subsidiary must follow HIPAA because it pays for U.S. medical care. The misconception that only insurance companies count causes many employers to skip training and get fined.
Health Care Clearinghouses
A clearinghouse is a middleman that translates nonstandard claims data into the standard formats required by the HIPAA Transactions Rule. Think of companies like Change Healthcare or Availity, which route billions of claims between providers and payers.
If a clearinghouse leaks data, the consequence is not just federal. The 2024 Change Healthcare ransomware breach affected an estimated 100 million people and triggered a formal OCR investigation, state AG suits, and class actions.
A common misconception is that clearinghouses are “just pipes” and therefore exempt. They are fully covered entities. Every byte they touch is protected health information.
Health Care Providers Who Bill Electronically
Doctors, dentists, psychologists, chiropractors, nursing homes, and pharmacies become covered only when they transmit information electronically in connection with a HIPAA transaction, such as a claim or eligibility check. A cash-only therapist who never bills insurance electronically may sit outside HIPAA, as HHS explains in its FAQ.
The consequence of this nuance is that two therapists across the hall can have different legal duties. One who files insurance claims online is covered. One who takes only cash is not, although state privacy laws may still apply.
A real scenario: Dr. Maya Patel runs a cash-only concierge clinic in Austin. Because she never files electronic claims, HIPAA does not reach her. The misconception that “all doctors follow HIPAA” gives her patients a false sense of security when in fact Texas HB 300 is what controls her duties.
Why Patients Are Not Covered
Patients hold rights under HIPAA, but they do not carry duties imposed by HIPAA. The law regulates the organizations that collect, store, and share health data, not the people whose bodies produced it. This design choice reflects a simple idea: you cannot breach your own privacy.
The Privacy Rule at 45 CFR §164.502 treats individuals as subjects of protected health information. It gives them power over their records. It never tells them how to store or share their own data.
The consequence is that a patient can legally post their own lab results on Instagram, email their own MRI to a friend, or publish a memoir about their cancer journey. They may face other legal risks like defamation or employment problems, but HIPAA is not one of them.
A real scenario: Marcus Johnson livestreams his chemotherapy sessions on YouTube. HIPAA does not touch Marcus. It does, however, bind the hospital nurse who appears on camera and names another patient in the background — because the nurse is workforce of a covered entity.
Patients Hold Rights, Not Duties
Under the Right of Access rule in 45 CFR §164.524, patients can demand copies of their records within 30 days. Providers who stall face OCR’s Right of Access Initiative, which has produced more than 50 settlements since 2019.
The consequence of ignoring this right is a published resolution agreement and fines often between $3,500 and $240,000. For example, in 2023 UnitedHealthcare paid $80,000 to settle a records-access complaint.
A common misconception is that patients must explain why they want their records. They do not. The rule bars providers from demanding a reason.
Personal Representatives Step Into Patient Shoes
A personal representative is a person who has legal authority to make health decisions, such as a parent of a minor or a health care power of attorney. Under 45 CFR §164.502(g), the representative receives the same rights the patient would have.
The consequence of misidentifying a representative is serious. A provider who hands records to an ex-spouse without legal authority commits an impermissible disclosure.
For example, Elena Rodriguez holds a durable power of attorney for her father. She can request his records, but she is still not a covered entity. She is exercising the patient’s rights, not bearing HIPAA duties.
Three Real-World Patient Scenarios
Patients often worry they have “committed a HIPAA violation.” These three scenario tables show how HIPAA actually applies to patient behavior.
Scenario 1: Patient Posts on Social Media
| Patient Action | HIPAA Result |
|---|---|
| Sarah posts her own X-ray on TikTok with the caption “broken arm club” | No HIPAA issue — she owns her data |
| Sarah’s friend reshares a screenshot showing another patient’s name in the corner | Still no HIPAA issue — friend is not a covered entity |
| Sarah’s nurse comments on the post and confirms the diagnosis | HIPAA violation by the nurse’s employer under 45 CFR §164.502(a) |
| Sarah’s hospital later reposts her X-ray without written authorization | Marketing violation under 45 CFR §164.508 |
Scenario 2: Patient Records a Doctor Visit
| Patient Action | Legal Result |
|---|---|
| David records his own appointment in a one-party consent state like Texas | Legal; HIPAA does not apply to patients |
| David records in a two-party consent state like California without telling the doctor | May violate California Penal Code §632, still not a HIPAA issue |
| David posts the recording online naming another patient in the waiting room | Possible defamation or state privacy tort, not HIPAA |
| The clinic’s front-desk staff confiscates the phone and deletes files | Potential state tort and workforce discipline issue for the clinic |
Scenario 3: Patient Uses a Health App
| App Scenario | Coverage Outcome |
|---|---|
| Priya links her MyChart app to her hospital portal | Hospital remains covered; Priya is not |
| Priya exports her data to a third-party wellness app | App usually not covered by HIPAA, but the FTC Health Breach Notification Rule applies |
| The app sells her data to advertisers | FTC enforcement and state laws like Washington My Health My Data Act apply |
| Priya sues the app for “a HIPAA violation” | Dismissed — no private right of action under Acara v. Banks |
Named Examples Showing How HIPAA Treats Patients
These three named examples show the rule in action.
Example 1 — James the Blogger. James Carter writes a public blog about his multiple sclerosis. He names his neurologist and posts his own MRI scans. HIPAA does nothing to James because he is not a covered entity. The neurologist, however, cannot confirm or deny anything James wrote without written authorization under 45 CFR §164.508.
Example 2 — Linda the Caregiver. Linda Nguyen cares for her mother who has dementia. She asks the nursing home for a full medication list. Because Linda holds a valid health care power of attorney, she is a personal representative under 45 CFR §164.502(g). The nursing home must give her the records within 30 days.
Example 3 — Trevor the TikToker. Trevor Adams films himself in a hospital gown and accidentally films another patient’s chart on a nearby wall. Trevor is fine under HIPAA. But the hospital that left the chart visible may have failed its Security Rule safeguards, specifically the physical safeguards at 45 CFR §164.310.
Mistakes to Avoid
Patients, families, and even small practices make the same errors over and over. Each mistake has a specific negative consequence.
- Assuming HIPAA lets patients sue directly. It does not. Acara v. Banks and Webb v. Smart Document Solutions confirm no private right of action, so patients must file OCR complaints or use state law instead.
- Believing HIPAA covers every app on your phone. Most consumer apps fall under the FTC Act and state laws, not HIPAA, which means different remedies and different timelines.
- Thinking cash-only providers are covered. They may not be if they never bill electronically, as the HHS FAQ makes clear.
- Signing blanket authorizations without reading them. A patient can give up marketing protections under 45 CFR §164.508 without realizing it, leading to unwanted solicitations.
- Forgetting that state law can be stricter. Laws like California’s CMIA, Texas HB 300, and the New York SHIELD Act add duties HIPAA does not.
- Using personal email to send records. HIPAA does not stop patients from sending their own records by unencrypted email, but doing so exposes them to identity theft risks that HIPAA cannot fix.
- Confusing confidentiality with HIPAA. A rude coworker who shares your diagnosis is not a HIPAA violator unless they work for a covered entity.
- Missing the 60-day breach notice clock. Covered entities must notify patients within 60 days under 45 CFR §164.404; patients who wait too long to act may lose state-law claims.
- Assuming minors control all their own records. Under 45 CFR §164.502(g)(3), state law decides when a minor acts for themselves.
- Ignoring information-blocking rights. The 21st Century Cures Act gives patients near-real-time access to electronic health information, and providers who block access face penalties under 45 CFR Part 171.
Do’s and Don’ts for Patients
Do’s
- Do file complaints with the OCR Complaint Portal within 180 days; timely filing preserves your federal remedy.
- Do request your records in writing and keep the receipt; it starts the 30-day clock under 45 CFR §164.524.
- Do check whether your state has a private right of action; states like Illinois and Connecticut allow suits.
- Do read the Notice of Privacy Practices at check-in; it tells you how your data will move.
- Do use two-factor authentication on patient portals because portals are one of the top attack targets.
Don’ts
- Don’t assume HIPAA protects data inside consumer apps; the FTC Health Breach Notification Rule may apply instead.
- Don’t sign blanket authorizations; limit the purpose and expiration date.
- Don’t record other patients; even if HIPAA ignores you, state privacy torts may not.
- Don’t share your portal password with family; once shared, HIPAA protections weaken.
- Don’t wait to report a breach; the sooner OCR hears, the stronger the investigation.
Pros and Cons of HIPAA’s Narrow Patient Definition
Pros
- Protects the free speech of patients who need to tell their stories publicly.
- Avoids criminalizing everyday conversations about personal health.
- Keeps enforcement focused on the largest data holders who create the most risk.
- Supports patient advocacy movements that rely on shared lived experience.
- Prevents chilling effects on caregivers who coordinate family health decisions.
Cons
- Leaves consumer health apps in a regulatory gap that confuses users.
- Means patients cannot directly sue under federal law when records leak.
- Creates uneven protection because state laws vary widely.
- Allows employers in states without wage-privacy laws to learn health facts indirectly.
- Fosters the myth that HIPAA covers everything, leading to false confidence.
Patient Rights Under HIPAA and the Cures Act
Even though patients bear no HIPAA duties, they hold powerful rights. The Privacy Rule and the 21st Century Cures Act information-blocking rule together form a toolkit that most patients never fully use.
The Right of Access lets patients get electronic copies at the cost of labor plus supplies, capped at a reasonable fee. The consequence for providers who overcharge is an OCR settlement and a corrective action plan, as happened with Banner Health in 2023.
Patients also have the right to request amendments under 45 CFR §164.526, an accounting of disclosures under 45 CFR §164.528, and restrictions on certain disclosures under 45 CFR §164.522. Each right has its own procedure and deadline.
A common misconception is that patients must use a special form. They do not. A simple written request by email is enough, and the OCR Right of Access FAQ confirms that providers cannot require portal use.
Requesting Records Step by Step
The process has five steps. First, identify the records you want with reasonable specificity. Second, choose the format — paper, PDF, or patient portal download. Third, pick the delivery method, including unencrypted email if you accept the risk in writing, as allowed by the OCR email guidance. Fourth, sign and date the request. Fifth, track the 30-day clock and file an OCR complaint if it expires.
The consequence of skipping a step is delay. For example, patients who forget to specify “electronic copy” sometimes receive paper copies at higher cost.
State Privacy Overlays
State laws often fill the gaps HIPAA leaves behind. California’s CMIA allows patients to sue for up to $1,000 in nominal damages plus actual damages. Texas HB 300 extends coverage to any entity that comes into possession of PHI. New York’s SHIELD Act layers on broad breach-notification duties.
The consequence of ignoring state law is losing the strongest remedy. A California patient whose pharmacy leaks records may recover more under CMIA than any federal route. The misconception that “HIPAA preempts state law” is false — HIPAA sets a floor, not a ceiling, under 45 CFR §160.203.
How Enforcement Works When Patients Are Harmed
When a covered entity mishandles patient data, HIPAA offers an administrative remedy, not a lawsuit. Patients file a complaint with OCR, which investigates, negotiates resolution agreements, or imposes civil money penalties. Criminal cases go to the Department of Justice under 42 USC §1320d-6.
The consequence of a confirmed violation can include penalties from $137 to $71,162 per violation depending on culpability, per the 2024 adjusted tiers. Criminal penalties reach $250,000 and ten years in prison for malicious disclosures.
A real scenario: Nurse Kevin Brooks at a Cleveland hospital peeks at his ex-girlfriend’s records. OCR fines the hospital, state licensing sanctions Kevin, and prosecutors charge him under the criminal HIPAA statute. The patient herself receives no check from HIPAA but may sue under state law.
Recap of Key Rulings
Courts have shaped how patients interact with HIPAA. In Byrne v. Avery Center for Obstetrics, 327 Conn. 540 (2018), the Connecticut Supreme Court allowed a state negligence claim that used HIPAA as the standard of care. In Acara v. Banks, the Fifth Circuit confirmed no private right of action. In Faber v. Ciox Health, the Sixth Circuit struck down OCR’s third-party access fee limits.
The consequence for patients is that the courthouse door opens through state law, not HIPAA. A common misconception is that federal preemption closes every door. It does not.
FAQs
Are patients ever considered a covered entity?
No. Patients are the subjects of protected health information, not the regulated parties. HIPAA’s covered entity definition at 45 CFR §160.103 lists only plans, clearinghouses, and billing providers.
Can a patient violate HIPAA by posting their own records online?
No. A patient controls their own health information and may share it freely. Other laws like defamation or state privacy torts may apply, but HIPAA does not.
Can patients sue a hospital directly under HIPAA?
No. Federal courts uniformly hold there is no private right of action under HIPAA, as shown in Acara v. Banks. Patients must file with OCR or use state law.
Does HIPAA protect data in my Fitbit or Apple Watch?
No. Consumer wearables usually fall outside HIPAA unless linked to a covered entity. The FTC Health Breach Notification Rule often applies instead.
Can a patient record their own doctor’s visit?
Yes. Patients may record their own appointments, though state wiretap laws such as California Penal Code §632 may require telling the other party first.
Does a power of attorney make someone a covered entity?
No. A personal representative under 45 CFR §164.502(g) exercises the patient’s rights but does not bear HIPAA duties.
Can a patient waive HIPAA rights?
Yes. A patient may sign a valid authorization under 45 CFR §164.508 allowing sharing for specific purposes, with the right to revoke in writing.
Must a cash-only therapist follow HIPAA?
No. If the therapist never transmits electronic transactions, HIPAA may not apply, per the HHS FAQ. State law usually still applies.
Can an employer ask for a doctor’s note without violating HIPAA?
Yes. Employers are not covered entities, so HIPAA does not bar the request. The ADA and FMLA limit what the employer can demand and store.
Does HIPAA apply to schools?
No. Most school health records fall under FERPA, not HIPAA, which means a different agency and different remedies.
Can a patient get records for a deceased family member?
Yes. Under 45 CFR §164.502(g)(4), the executor of the estate has personal representative rights, and protections last 50 years after death.
Do state laws give patients more rights than HIPAA?
Yes. States like California, Texas, and New York add private remedies, shorter breach timelines, and broader entity coverage that HIPAA does not include.