US Medical Privacy Law — HIPAA, HITECH & Patient Rights

1. HIPAA — Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the US Congress in 1996. It establishes national standards for the protection of individuals' medical records and personal health information. HIPAA applies to covered entities — including healthcare providers, health plans, and healthcare clearinghouses — and their business associates.

Who is a Covered Entity?

Healthcare providers who transmit health information in electronic form (such as billing or clinical records), health plans (insurers, Medicare, Medicaid), and healthcare clearinghouses are all covered entities under HIPAA. As a licensed acupuncture and wellness practice, Amityville Wellness is a covered entity subject to HIPAA's full requirements.

The Privacy Rule (45 CFR Parts 160 and 164)

The HIPAA Privacy Rule establishes national standards for the protection of Protected Health Information (PHI). It sets limits on how PHI may be used and disclosed without patient authorization. Key provisions include:

Patients must receive a Notice of Privacy Practices (NPP) explaining how their PHI is used
PHI may only be used for treatment, payment, and healthcare operations (TPO) without authorization
Patients have the right to access, amend, and restrict the use of their health records
Covered entities must apply the Minimum Necessary standard — only accessing the minimum PHI needed for the purpose
PHI may not be sold, shared with employers, or disclosed to family members without explicit patient consent

The Security Rule (45 CFR Part 164, Subparts A and C)

The HIPAA Security Rule requires covered entities to implement appropriate safeguards to protect electronic PHI (ePHI). This includes:

Administrative safeguards: Workforce training, access management, incident response procedures
Physical safeguards: Controlled facility access, workstation and device security, media controls
Technical safeguards: Access controls, audit logs, encryption in transit and at rest, automatic logoff

The Breach Notification Rule

Under the Breach Notification Rule, covered entities must notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, following the discovery of a breach of unsecured PHI. Notification must occur within 60 days of discovering the breach.

2. HITECH Act — Enforcement & Breach Notification

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009. It significantly strengthened HIPAA by expanding its enforcement reach and increasing penalties for non-compliance.

Key HITECH Provisions

Extended HIPAA Privacy and Security Rule obligations to Business Associates directly (not just via contracts)
Established a tiered civil penalty structure based on culpability — ranging from unknowing violations to willful neglect
Required HHS to conduct periodic audits of covered entities and business associates
Gave patients the right to request their health records in electronic format when held in an EHR system
Introduced the requirement to account for disclosures made through an electronic health record system

Business Associates Under HITECH

HITECH made Business Associates (companies that create, receive, transmit, or maintain PHI on behalf of a covered entity) directly liable under HIPAA. This means cloud providers, billing companies, appointment scheduling software vendors, and other service providers handling PHI must themselves comply with HIPAA Security Rule requirements.

⚠ Important

A Business Associate Agreement (BAA) must be signed before sharing PHI with any third-party vendor. Without a BAA, sharing PHI constitutes a HIPAA violation even if no breach occurs.

3. Protected Health Information (PHI) — What Counts?

Protected Health Information (PHI) is any individually identifiable health information held or transmitted by a covered entity, in any form — electronic, paper, or oral. PHI relates to a person's past, present, or future physical or mental health condition, the provision of healthcare to them, or their past, present, or future payment for healthcare.

The 18 HIPAA Identifiers

The following 18 categories of information, when combined with health data, constitute PHI and must be protected:

Names (full name, first name, last name)
Geographic data smaller than a state (street address, city, county, zip code)
Dates (except year) — birth date, admission date, discharge date, death date
Phone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers (bank/financial)
Certificate and license numbers
Vehicle identifiers and serial numbers (including license plates)
Device identifiers and serial numbers
Web URLs
IP addresses
Biometric identifiers (finger and voice prints)
Full-face photographs and comparable images
Any other unique identifying number, characteristic, or code

De-Identification

PHI that has been de-identified — meaning all 18 identifiers have been removed or a statistical expert has certified that re-identification risk is very small — is no longer subject to HIPAA protections and may be used or disclosed freely.

Electronic PHI (ePHI)

ePHI is PHI that is created, stored, transmitted, or received in electronic form. It is subject to both the Privacy Rule and the Security Rule, requiring both physical and technical safeguards such as encryption, access controls, and audit trails.

4. State-Level Laws — CCPA & Beyond

While HIPAA establishes a federal baseline, individual states have enacted their own health privacy laws that may be stricter than federal requirements. When a state law is more protective of patient privacy than HIPAA, the state law prevails.

California Consumer Privacy Act (CCPA) / CPRA

The California Consumer Privacy Act (CCPA), amended and expanded by the California Privacy Rights Act (CPRA) effective January 1, 2023, grants California residents broad rights over their personal data. While health information covered by HIPAA is exempt from CCPA, the law applies to other personal data collected by healthcare businesses — for example, website visitor data, marketing data, and certain employee data.

Right to know what personal data is collected and why
Right to delete personal data (with limited healthcare exceptions)
Right to opt out of the sale or sharing of personal data
Right to correct inaccurate personal data
Right to limit use of sensitive personal information
No retaliation for exercising privacy rights

New York SHIELD Act (2019)

New York's Stop Hacks and Improve Electronic Data Security (SHIELD) Act expanded the state's data breach notification law and requires any business that owns or licenses the data of New York residents to implement reasonable cybersecurity safeguards. This applies to Amityville Wellness as a New York-based practice.

Broadened definition of private information to include biometric data, login credentials, and financial account data
Requires reasonable administrative, technical, and physical safeguards
Mandatory breach notification to affected New York residents and the NY Attorney General

New York Public Health Law — Mental Health Records

New York state law provides additional protections for mental health records beyond HIPAA, including stricter consent requirements before disclosing mental health information to third parties.

42 CFR Part 2 — Substance Use Disorder Records

Federal law under 42 CFR Part 2 provides heightened confidentiality protections for records relating to substance use disorder (SUD) treatment programs. These records require patient consent for nearly all disclosures, even those that would be permitted under HIPAA's TPO exceptions.

5. Your Patient Rights Under HIPAA

As a patient at Amityville Wellness, you have the following rights under HIPAA regarding your protected health information:

Right of Access (45 CFR § 164.524)

You have the right to inspect and receive a copy of your medical records and other PHI in a designated record set. We must provide access within 30 days of your request (extendable by 30 days with written notice). We may charge a reasonable, cost-based fee for copies. Since 2021 (21st Century Cures Act final rule), records must also be made available electronically at no charge when held in an EHR system.

Right to Amend (45 CFR § 164.526)

You may request that we correct or amend your PHI if you believe it is inaccurate or incomplete. We may deny the request if we determine the information is accurate, but we must document your disagreement in your record.

Right to an Accounting of Disclosures (45 CFR § 164.528)

You have the right to receive an accounting of disclosures of your PHI made by us in the 6 years prior to your request, except for disclosures for TPO, to you personally, or pursuant to an authorization.

Right to Request Restrictions (45 CFR § 164.522)

You may request that we restrict uses or disclosures of your PHI. We are not required to agree to most restrictions, but must agree to restrict disclosure to a health plan for services you paid for out-of-pocket in full.

Right to Confidential Communications (45 CFR § 164.522(b))

You may request that we communicate with you through a specific means or at a specific location (e.g., "call me only on my cell, not at my work number"). We must accommodate reasonable requests.

Right to a Notice of Privacy Practices

You have the right to receive a written Notice of Privacy Practices (NPP) that describes how we use and disclose your PHI, your rights, and our legal duties. This notice is provided at your first visit and is available upon request at any time.

Right to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with us directly or with the US Department of Health and Human Services, Office for Civil Rights (OCR). You will not be retaliated against for filing a complaint.

HHS OCR Complaint Portal

File a complaint online at: hhs.gov/hipaa/filing-a-complaint · Toll-free: 1-800-368-1019 (TTY: 1-800-537-7697)

6. Penalties & Compliance Obligations

HIPAA violations carry significant civil and criminal penalties, enforced by the HHS Office for Civil Rights (OCR) and the Department of Justice (DOJ). HITECH substantially increased the penalty amounts and introduced a tiered structure based on culpability.

Civil Penalties (Per Violation Category)

Tier 1 — Unknowing

$100–$50,000

Violation where the covered entity did not know and could not have known of the violation

Tier 2 — Reasonable Cause

$1,000–$50,000

Violation due to reasonable cause, not willful neglect

Tier 3 — Willful Neglect (Corrected)

$10,000–$50,000

Willful neglect where the violation was corrected within 30 days

Tier 4 — Willful Neglect (Not Corrected)

$50,000+

Willful neglect that was not corrected; up to $1.9 million per violation category per year

Criminal Penalties (45 CFR § 164.530)

Knowingly obtaining or disclosing PHI: Up to $50,000 fine and 1 year imprisonment
Under false pretenses: Up to $100,000 fine and 5 years imprisonment
With intent to sell, transfer, or use PHI for commercial advantage: Up to $250,000 fine and 10 years imprisonment

Compliance Obligations for Covered Entities

Designate a Privacy Officer and a Security Officer
Conduct regular risk assessments of ePHI systems
Implement and maintain written policies and procedures
Provide workforce training on HIPAA Privacy and Security
Execute Business Associate Agreements with all relevant vendors
Maintain documentation for 6 years from creation or last effective date
Respond to patient rights requests within required timeframes

7. HIPAA vs. GDPR — Key Differences

Patients from the European Union or those familiar with the EU's General Data Protection Regulation (GDPR) often ask how HIPAA compares. While both frameworks aim to protect health data, there are significant structural differences.

Aspect	HIPAA (USA)	GDPR (EU)
Scope	Healthcare-sector specific; applies only to covered entities and their BAs	Sector-neutral; applies to any organization processing data of EU residents
Legal Basis	No explicit legal basis required for TPO; authorization needed for other uses	Requires one of six legal bases (consent, contract, legitimate interest, etc.) for every processing activity
Consent	Not required for treatment, payment, or operations	Freely given, specific, informed, unambiguous consent is one primary legal basis; must be revocable
Data Subject Rights	Access, amendment, accounting of disclosures, restriction, confidential communications	Access, rectification, erasure ("right to be forgotten"), restriction, portability, objection, automated decision rights
Right to Erasure	Limited — no broad right to deletion; exceptions for legal obligations	Broad right to erasure, subject to limited exceptions
Data Portability	Electronic access via 21st Century Cures Act (for EHR systems)	Explicit right to receive data in a structured, commonly used, machine-readable format
Breach Notification	Within 60 days; large breaches (500+) must be reported immediately	Within 72 hours to supervisory authority; without undue delay to affected individuals
Maximum Penalty	$1.9 million per violation category per year	€20 million or 4% of global annual turnover (whichever is higher)
DPO Requirement	No formal DPO; Privacy Officer and Security Officer roles required	Data Protection Officer mandatory for certain organizations
Cross-border Transfers	No specific US domestic restriction; international transfers not specifically addressed	Strict rules on transfers outside the EEA; requires adequacy decision, SCCs, or other mechanism

Key Takeaway

HIPAA is narrower in scope (healthcare sector only) but very prescriptive in its technical requirements. GDPR is broader in scope and places greater emphasis on individual rights, explicit consent, and a stronger right to erasure. For international patients, both frameworks may apply — GDPR to any data processed about EU residents, HIPAA to health records held by US healthcare providers.

8. Our Commitment at Amityville Wellness

Amityville Acupuncture & Wellness is committed to maintaining the highest standards of health information privacy and security. Our practice implements the following measures to protect your PHI:

All staff receive annual HIPAA training
Electronic health records are stored on HIPAA-compliant, encrypted platforms
Business Associate Agreements are in place with all third-party service providers handling PHI, including our booking system (AcuSimple) and payment processor
Physical records are stored securely with restricted access
We never sell patient data to third parties
Minimum necessary standard is applied to all PHI access and disclosures
Patients receive our Notice of Privacy Practices at or before their first appointment
We conduct regular reviews of our privacy and security policies

9. Contact & Complaints

For questions about your privacy rights, to exercise any of your HIPAA rights, or to file a complaint with our practice, please contact us:

Privacy Contact

Amityville Acupuncture & Wellness
209 Broadway, Amityville, NY 11701
Phone: +1-631-691-0200
Email: privacy@amityvillewellness.com

You also have the right to file a complaint with the federal authority responsible for HIPAA enforcement without retaliation from our practice:

HHS Office for Civil Rights (OCR)

US Department of Health & Human Services
200 Independence Ave SW, Washington, DC 20201
Toll-free: 1-800-368-1019 (TTY: 1-800-537-7697)
Online: hhs.gov/hipaa/filing-a-complaint

For complaints related to California consumer privacy rights under the CCPA/CPRA, you may also contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.