HIPAA

A US law that sets national standards for protecting sensitive patient health information from disclosure without patient consent.

Also known as

Health Insurance Portability and Accountability Act, US health privacy law

Why travellers need to know

HIPAA applies to US providers only. Travellers treated in the US have strong data rights — the right to access records, request corrections, and restrict sharing. Outside the US, different frameworks apply.

Real-world example

A Canadian traveller is treated at a Florida emergency room. She later asks for a copy of her records to share with her GP back in Toronto. The hospital's HIPAA compliance officer explains she can request her records — and under HIPAA, the hospital must provide them within 30 days.

Country-specific notes

🇺🇸 United States

HIPAA gives you the right to access your records within 30 days

Any covered entity (hospital, clinic, insurer) must provide a copy of your health records on request. They can charge a reasonable fee but cannot refuse.

Request records in writing and keep a copy of the request — this starts the 30-day clock legally.

🇬🇧 United Kingdom

The UK equivalent is the UK GDPR and Data Protection Act 2018

NHS patients have a right of access under UK GDPR, with a 30-day response window. Private hospitals must comply with the same rules.

UK hospitals often have a Subject Access Request (SAR) form — ask at reception or find it on the hospital's website.

🇪🇺 European Union

EU GDPR gives patients extensive rights over health data

Under GDPR, health data is classified as a special category requiring explicit consent for processing. Patients can request deletion, correction, and portability of their data.

EU data rights apply regardless of nationality — a non-EU traveller treated in France has the same GDPR rights as a French citizen.

Frequently asked questions

Does HIPAA protect me if I'm not American?

Yes. HIPAA protects all patients treated by US covered entities, regardless of nationality or citizenship. If you received care at a US hospital or clinic, HIPAA applies to your records.

What happens if a US provider shares my data without consent?

This is a HIPAA violation. You can file a complaint with the US Department of Health and Human Services (HHS) Office for Civil Rights. Penalties range from $100 to $50,000 per violation.

Your Nomedic data is encrypted, never sold, and deletable on request — full GDPR compliance.