Medical information held by a covered entity (PHI) can only be given to other individuals or entities if the patient signs a written authorization or if the information is subject to one of the exceptions in HIPAA that allow release without the patient's specific authorization. When a person first seeks care from a covered entity, the provider must give the patient a HIPAA privacy form that explains the patient's rights under HIPAA. This is in addition to requiring a general consent to medical care, a release to allow medical information to be released to insurance companies to bill for care, and an acknowledgement that the patient was given the HIPAA privacy information. If the patient does not want information released to an insurance company, the patient must make other arrangements to pay for care. (If the patient is part of an MCO and is seeking care from an MCO physician, the physician must share information with the MCO. If the patient refuses to sign the HIPAA privacy information acknowledgement, the provider may still provide treatment, but must document in the record that the patient was were given information about HIPAA.

Patients have a right to require medical care providers to protect their communications. For example, asking the physician to call at home, rather than the office, to prevent co- workers from knowing the persons is seeking medical care. While physicians have traditionally talked to family members about care, patients can specify who medical care providers can and cannot talk to about their care. Providers must respect these requests unless they conflict with other provisions of HIPAA, or other legal requirement such as public health reporting laws. Providers must also be careful not to share information inadvertently witrh other patients who might overhear conversations in the medical office. The regulations allow patients who believe that their medical care providers are not complying with the HIPAA regulation to make a complaint to HHS' Office for Civil Rights (OCR), which is charged with investigating complaints and enforcing the privacy regulation.