How to Legally Make Your Medical Records Private

Your medical records contain deeply personal information:

• Diagnoses
• Treatments
• Medications
• Mental Health
• Substance-use care

...and more. Many patients assume that once they visit a doctor, the data remains fully private.

Providers may share your records by default for certain permitted purposes. 

Understanding how your rights work gives you practical steps to assert more control over that data.

This article explains how to make your medical records private under the law.

What laws protect your medical privacy?

Federal Protection: The HIPAA Privacy Rule

HIPAA (the Health Insurance Portability and Accountability Act) sets national standards to protect protected health information (PHI).

PHI covers health-related information tied to an identifiable individual, in any format (electronic, paper or oral).

HIPAA allows covered entities (such as healthcare operations (TPO) without your specific authorization.

For any use beyond TPO (treatment, payment, operations), providers need your written authorization.

This sets a baseline ("floor") of protection.

State Laws and Enhanced Protections

States may enact laws that go beyond HIPAA's protections.

Several states, including:

• California
• Maine
• Maryland
• Montana
• New York
• Washington

...have detailed statutes governing medical records and health information.

When a state law offers stronger privacy rights than HIPAA, the state law applies (HIPAA does not preempt it).

What practical methods exist to make your record more private?

Request Restrictions on Uses and Disclosures

Under HIPAA regulation 45 CFR §164.522, you may request that a healthcare provider restrict how your PHI is used or disclosed.

For example, limiting disclosure to family members or to your insurer.

While providers are not obligated to agree in every case, there is one mandatory case:

If you pay for a treatment in full and ask the provider not to tell your health plan, the provider must put that in writing.

After you and the provider sign a written restriction, the provider follows it, except in emergencies.

1. Opt-out of Health Information Exchanges (HIEs)

Many states operate electronic health information (HIEs) systems that allow hospitals, providers, and labs to share patient data.

You may have the right to opt out, or in some states, the system is opt-in by default.

The policies vary:

• In opt-out states, the health information exchange enrolls you automatically unless you opt out.
• In opt-in states, you must consent to sharing

Some types of sensitive data (mental health, substance use, reproductive care) often require special consent anyway.

To opt out, identify the HIE your provider uses. Contact the privacy officer. Submit an opt-out request and follow up to confirm removal.

Note: Opt-out does not stop all sharing (emergency care still allows disclosures).

2. Be Selective When Signing Release / Authorization Forms

Do not assume a medical records release or authorization gives you full control.

Many forms are broad. To enhance privacy:

• Cross out unnecessary language and write in specific limitations (e.g., only lab results from July‑August 2024).
• Limit the time period for which the authorization is valid.
• Name only the specific entities permitted to receive your information.

These changes reduce unnecessary sharing while still fulfilling the provider’s legal requirements. 

3. Request Amendments to Correct or Clarify Information

Under HIPAA, you may request an amendment to records you believe are inaccurate or incomplete.

You must submit the request in writing, clearly identifying what information is wrong and why.

The provider has 60 days (with a possible 30‑day extension) to respond.

If the provider says no to your change, send a short written objection. “The provider must add it to your record.

This process ensures your record reflects your correction or viewpoint

4. Maintain Your Own Copies

Keeping your own copy of your medical records adds an extra layer of control.

Keeping your own copy lets you see what is in your file, choose what to share, and rely less on providers to manage disclosures.

Securely store these records; encrypted digital storage or locked paper files are good options.

How This Connects to Vital Records

Many privacy actions involving your medical records also involve your vital records:

• like your birth certificate
• or a death certificate for a family member

These documents help you get medical records, prove legal authority, and manage care after a death.

HIPAA may block access to a deceased person’s records unless you show legal proof, usually a death certificate. Parents or guardians may need a child’s birth certificate to request or limit records.

Because medical and vital records are identity-linked, keep them secure to protect your data. 

StateVitalRecords.org helps you obtain these documents safely and gives you more control.

Here’s how it works:

• Go to StateVitalRecords.org to get your vital records online
• Select a state and begin your online order
• Fill out the form with the required information
• Upload a scan of your government-issued photo ID
• Complete a sworn statement, notarized online via webcam with NotaryLive (if required)
• Pay the fees
• We will send your application for you to the state (After we send it out, it's in the jurisdiction's hands)
• Your certified copy of the birth certificate will be mailed to your home from the jurisdiction

How to respond if your rights are violated?

If you suspect your medical privacy rights have been breached:

• Contact your provider’s privacy officer and ask for their investigation.
• File a formal complaint with the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services using the HHS website.
• If your state law was involved, you may also contact your state attorney general’s office.

Relevant Blogs

• Do you need a Birth Certificate to Get Married?
• How Do You Get Your Birth Certificate Online
• Can I get a California REAL ID without my Birth Certificate?