“Can My Doctor Share My Medical Information Without My Permission?” — Know Your Medical Privacy Rights


Imagine that you tell your doctor about a sensitive health issue, perhaps something you wouldn’t even confide in a family member. Later you learn that some of that information wound up in a report, or was shared with another provider, or worse — someone outside of health care — without your explicit consent.

Can your doctor legally do that? The short answer is sometimes, but with limits, and we discuss those limits below. Understanding your medical privacy rights is essential to protecting yourself.


The cornerstone of medical privacy in the U.S. is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA’s Privacy Rule sets national standards for how “protected health information” (PHI) can be used and disclosed by “covered entities” (healthcare providers, health plans, healthcare clearinghouses) and their business associates.

Under HIPAA, your medical information generally cannot be shared without your written authorization — unless a specific exception applies. This law is at the center of your medical privacy rights, defining both what can be shared and how providers must protect your information.


When Doctors Can Share Your Medical Information (Without Explicit Permission)

You might be surprised that in many situations, doctors can share medical information without obtaining your express consent—so long as the sharing is consistent with HIPAA rules. Understanding these exceptions helps you better defend your medical privacy rights.

1. Treatment, Payment, & Health Care Operations (TPO)

HIPAA allows disclosures for three core purposes — treatment, payment, and health care operations — without needing a separate signed authorization.

  • Treatment: A physician can discuss your case with specialists, share your records with labs, or coordinate your care with other providers.
  • Payment: Your provider or insurer may need your information to bill, process claims, or verify coverage.
  • Health care operations: This covers internal administrative tasks, quality control, and audits.

Even in these cases, the “minimum necessary” standard applies. Only the least amount of information needed for the task should be shared.

2. Sharing with Other Providers / Coordinated Care

Doctors can share patient information with other doctors, especially when coordinating care, consulting, or making referrals. This is considered part of treatment. However, if you’ve requested that certain data not be shared, your provider must respect that restriction.

3. Disclosures Required or Permitted by Law

Some disclosures are mandatory or allowed by law:

  • Public health reporting: e.g. to report communicable diseases or outbreaks.
  • Law enforcement / legal requests: in certain criminal investigations or mandated reporting (like abuse).
  • Serious risk: if there is an imminent threat to a person’s or the public’s safety.

These exceptions can limit your medical privacy rights, but they exist to balance individual privacy with public interest.

4. Specific Situations Requiring Authorization

For disclosures beyond TPO and legal mandates, a written authorization is required. For example:

  • Use or disclosure of psychotherapy notes.
  • Marketing use of your PHI.
  • Selling your PHI.

Here, your medical privacy rights are strongest and nothing can be shared without your explicit consent.


When Your Doctor Cannot Share Your Medical Information

Here is when doctors cannot share your information without written authorization:

  • They cannot freely share your PHI for marketing or commercial purposes without your authorization.
  • They cannot share more information than necessary.
  • They cannot override a valid restriction you set.
  • They cannot ignore stronger state laws that give you additional medical privacy rights.

Your Rights: How to Stay in Control of Your Medical Information

Here’s what your medical privacy rights are and how to use them.

1. Right to Access Your Records

You can request copies of your medical records. Providers must generally comply within 30 days. Accessing your records is one of the most basic medical privacy rights.

2. Right to Request Amendment

If your records contain errors, you can request corrections. Even if denied, you can add a statement of disagreement. This protects your medical privacy rights by ensuring accuracy.

3. Right to Restrict Disclosures

You can ask providers to restrict certain disclosures (for instance, not sharing with your insurer). While they don’t have to agree in all cases, if they do, your medical privacy rights demand they follow through.

4. Right to Confidential Communications

You can request communications in specific ways — for example, by email instead of phone.

5. Right to an Accounting of Disclosures

You can ask for a record of who accessed your information and why.

6. Right to File a Complaint

If you believe your rights were violated, you can file complaints with providers or the Department of Health and Human Services.


Real-Life Examples

  • Doctor to Specialist: Sharing lab results to coordinate treatment is allowed. Your medical privacy rights allow this type of disclosure under HIPAA.
  • Psychotherapy Notes: These are specially protected, requiring your explicit consent. That protection reflects your medical privacy rights.
  • Employer Access: Your employer generally cannot access your PHI without authorization, again demonstrating the strength of your medical privacy rights.

What to Do If Your Privacy Was Violated

  1. Ask questions: What was shared, and why?
  2. Request an accounting of disclosures.
  3. File a complaint: Start with your provider, then escalate to regulators if necessary.

Final Thoughts

The question “Can my doctor share my medical information without my permission?” doesn’t have a simple yes/no answer. There are rules, exceptions, and safeguards. But the important thing to remember is that you do have medical privacy rights. These rights give you the ability to access your records, correct errors, request restrictions, and hold providers accountable.


This article is for informational purposes only and does not constitute legal advice. Laws can vary by state and situation, and while we strive to provide accurate and up-to-date information, we are not attorneys. If you need legal advice about your specific circumstances, you should consult with a qualified professional. By using this site, you agree to our Terms and Conditions.


Alicia Lillegard

Alicia Lillegard has over 20 years of experience in employment law, human resources and insurance, working with large blue chip companies, startups, and not-for-profit organizations. Ms. Lillegard is currently Managing Director of New England Human Capital, a human resources consultancy which advises small and midsize businesses on Human Resources compliance, including employment procedures, employee relations and employee benefits. She holds her degrees from Loyola University and University of Illinois School of Law in Chicago.
