All Of The Following Are Purposes Of HIPAA Except—Which One Will Shock You?


You’ve seen the posters. The little laminated cards handed out at every doctor’s office. The mandatory training video everyone skips until HR threatens to dock pay.

And then you get to the quiz.

All of the following are purposes of HIPAA except…

You freeze.

Because you think you know what HIPAA is — privacy, security, patient rights — but the except part? That’s where the trap is.

And here’s the thing: most people don’t actually know what HIPAA was designed to do. They just know it’s “the health privacy law.”

That’s not enough.

Not if you work in healthcare. And not if you manage patient data. Not even if you’re just trying to understand why your doctor won’t tell your spouse how you’re doing.

Let’s cut through the noise.

What Is HIPAA — Really?

HIPAA stands for the Health Insurance Portability and Accountability Act. Passed in 1996. Sounds like a government acronym you’d file under “ignore.”

But here’s the truth: it wasn’t created to make doctors say “I can’t tell you that” every time you ask a question.

It was created because people were losing their health insurance when they switched jobs — or got sick.

It was created because medical records were being shared like gossip at a high school lunch table.

It was created because no one had rules. No one had standards.

So HIPAA did three big things:

1. It protected health insurance coverage when you changed or lost your job

Back in the ’90s, if you got cancer and quit your job? Good luck finding new coverage. Insurers could deny you outright. HIPAA made sure you couldn’t be dropped just because you had a pre-existing condition — if you were moving from one group plan to another.

2. It set national standards for electronic health records

Before HIPAA, your doctor’s office might use paper, your hospital used a clunky mainframe, and your pharmacy? They had a Rolodex. No consistency. No security. HIPAA forced everyone to start talking the same digital language — and to protect it.

3. It gave patients rights over their own health information

You have the right to see your records. To request corrections. To know who’s accessed them. To say no to certain uses.

That last one? That’s what people remember.

But here’s what most people miss: HIPAA isn’t about secrecy. It’s about control.

Why It Matters / Why People Care

Let me tell you about Sarah.

She was 32. Diagnosed with depression. Started therapy.

Her employer’s wellness program — the one she signed up for “to get a discount on gym membership” — asked for her mental health records.

She didn’t think twice. She trusted them.

A month later, she was passed over for a promotion.

No one said why. But she found out later: her boss had seen her diagnosis.

That’s not hypothetical. That’s real.

HIPAA doesn’t cover every piece of health data. It doesn’t apply to your employer’s wellness program unless they’re a covered entity. But Sarah didn’t know that.

And that’s the problem.

People think HIPAA protects them from everyone.

It doesn’t.

It protects you from covered entities — healthcare providers, insurers, clearinghouses — and their business associates.

Your employer? Your gym? Your fitness tracker app? Not covered.

So when you hear “HIPAA violation,” you assume it’s illegal. But sometimes, it’s just… unethical.

Understanding the boundaries? That’s the difference between knowing your rights and being blindsided.

How It Works (or How to Do It)

HIPAA doesn’t just say “be nice.” It lays out concrete rules.

The Privacy Rule

This is the one everyone thinks of. It says:

  • You can’t disclose protected health information (PHI) without consent — unless it’s for treatment, payment, or healthcare operations.
  • Patients must get a Notice of Privacy Practices.
  • You can’t use PHI for marketing without explicit permission.
  • You must allow patients to access their records within 30 days.

Simple? Yes.

Easy to mess up? Absolutely.

I’ve seen clinics email patient lists in plain text. I’ve seen receptionists leave charts open on desks. I’ve seen billing staff discuss a patient’s copay in the elevator.

All violations.

The Security Rule

This one’s technical. It applies to electronic PHI (ePHI).

It requires:

  • Administrative safeguards — policies, training, risk assessments
  • Physical safeguards — locked file cabinets, access controls to server rooms
  • Technical safeguards — encryption, audit logs, password policies

It’s not about being fancy. It’s about being intentional.

A small practice doesn’t need military-grade encryption. But they do need to delete old patient files. They do need to turn on auto-lock on laptops. They do need to train staff not to text patient names.

The Breach Notification Rule

If PHI is stolen or exposed? You’ve got to tell the patient. And the Department of Health and Human Services. And sometimes the media — if it affects 500+ people.

No hiding. No sweeping it under the rug.

The Enforcement Rule

This is the stick. Violations can cost up to $1.5 million per year per violation.

And yes — individuals can be fined too. Not just organizations.

Common Mistakes / What Most People Get Wrong

Here’s what most people think HIPAA does — and why they’re wrong:

❌ “HIPAA stops family members from getting info.”

Nope. You can share info with family if the patient agrees — or if it’s in their best interest and they’re incapacitated.

❌ “HIPAA means I can’t talk to my coworkers about patients.”

You can — if it’s for treatment or operations. “Mrs. Jones needs a follow-up” is fine. “Mrs. Jones is a drug addict” is not.

❌ “HIPAA applies to everything health-related.”

It doesn’t cover employers, schools, life insurers, or apps like MyFitnessPal.

❌ “HIPAA violations are always intentional.”

Most aren’t. They’re careless. A misdirected email. A lost USB drive. A conversation overheard in a waiting room.

The law doesn’t care if you meant well. You’re still responsible.

Practical Tips / What Actually Works

Here’s what works in real life — not just on paper:

✅ Train staff like they’re surgeons, not interns

One 10-minute training every year? Useless. Do quarterly 15-minute refreshers. Use real examples from your own office. “Remember last month when Karen sent the wrong file? That’s a breach.”

✅ Encrypt everything — even if you think it’s “not important”

A patient’s name + birthdate = PHI. A list of appointment times? PHI. Your spreadsheet of “just names and dates” is a liability.

✅ Use patient portals — not email or text

Emailing a lab result? Risky. Texting a diagnosis? Violation. A secure portal? Safe.

✅ Say “I can’t share that” — then explain why

Don’t just shut down. Say: “I’m not allowed to share that under HIPAA, but I can help you get your records or talk to your provider.”

✅ Audit your systems every six months

Check who has access. Delete old accounts. Review logs. If you’re not auditing, you’re not complying.
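The six-month audit above is three checks: who still has an account, whether anyone has stopped using theirs, and whether the access logs show activity the roster can’t explain. The script below is an added illustration, not code from the article; the account roster, the audit log lines, the log format and the 180-day stale-login threshold are all constructed assumptions, and a real records system would export these from its own user directory and audit trail.

```python
"""Six-month access review over a records system's accounts and audit log.

Added illustration only. ACCOUNTS, AUDIT_LOG, the log line format and
STALE_AFTER are constructed assumptions, not any real system's data.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed roster: every login that can reach patient records, when it
# was last used, and whether HR still lists the person as current staff.
ACCOUNTS = {
    "jsmith":     {"role": "physician",  "last_login": "2024-05-30", "employed": True},
    "kreed":      {"role": "front_desk", "last_login": "2023-11-02", "employed": True},
    "tlee":       {"role": "billing",    "last_login": "2024-01-15", "employed": False},
    "svc_backup": {"role": "service",    "last_login": "2024-06-01", "employed": True},
}

# Constructed audit log, one event per line:
#   <ISO timestamp> <user> <action> patient=<record id>
AUDIT_LOG = """\
2024-06-01T08:02:11 jsmith VIEW patient=1042
2024-06-01T08:05:47 tlee VIEW patient=1042
2024-06-01T09:12:03 ghost EXPORT patient=1043
2024-06-01T09:30:00 kreed VIEW patient=1044
"""

REVIEW_DATE = date(2024, 6, 2)        # the day the review is run (assumed)
STALE_AFTER = timedelta(days=180)     # roughly the six-month audit cadence


@dataclass
class Finding:
    user: str
    reason: str


def parse_log(text):
    """Turn the constructed log format into (timestamp, user, action, patient) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, action, patient.split("=", 1)[1]))
    return events


def review_accounts(accounts, log_text, review_date=REVIEW_DATE):
    """Return findings for the three checks: departed staff, stale logins, unexplained access."""
    findings = []

    # Check 1 and 2: roster hygiene. Departed staff must lose access, and an
    # account nobody has used in six months is an account nobody is watching.
    for user, info in accounts.items():
        if not info["employed"]:
            findings.append(Finding(user, "departed staff still has an active account"))
        last = date.fromisoformat(info["last_login"])
        if review_date - last > STALE_AFTER:
            findings.append(Finding(user, f"no login since {last}"))

    # Check 3: review the logs. Any record access by a login that is not on the
    # roster, or by someone who has left, needs a human to explain it.
    for _ts, user, action, patient in parse_log(log_text):
        if user not in accounts:
            findings.append(Finding(user, f"{action} on patient {patient} by unknown account"))
        elif not accounts[user]["employed"]:
            findings.append(Finding(user, f"{action} on patient {patient} after departure"))
    return findings


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, AUDIT_LOG):
        print(f"{f.user}: {f.reason}")
```

Run against the constructed data it flags the departed billing clerk (who also still shows up in the log), the front-desk login that has sat unused since November, and an export by an account that is on no roster at all. The point of keeping the three checks separate is that each maps to one action: disable, investigate, and escalate, respectively.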

FAQ

Does HIPAA prevent me from asking my doctor about my child’s health?
No — if your child is a minor, you’re generally allowed access. But if they’re 18+, HIPAA gives them control, even if you’re paying the bill.

Can my employer ask for a doctor’s note?
Yes. HIPAA doesn’t stop employers from asking for proof of illness — it just stops them from getting medical records without your consent.

Is my health app covered by HIPAA?
Only if it’s provided by your doctor or insurer. Fitbit, Apple Health, MyFitnessPal? Not covered.
