Disclosing Your Sexual Orientation or Gender Identity to Healthcare Providers: The Effect of New HIPAA Regulations

Medical professionals generally agree that patients receive better medical care when they are able to be honest and open with their healthcare providers. In both quality and quantity, a patient’s description of his or her medical history can be far more important than any physical exam, laboratory tests, or other diagnostic tools in helping determine the patient’s health status. Information about sexual orientation and gender identity is an essential part of any medical history. Comfortable dialogue about a patient’s identity and relationships can help to focus a provider’s inquiries, personalize professional advice and assistance, and generate an overall higher quality of care.

Despite the value of such frank discussions, studies have shown that many gay, lesbian, bisexual, and transgendered (LGBT) persons are reluctant to discuss their sexual orientation or gender identity with their health care providers out of fear of ridicule, abandonment of care, or improper disclosure of their sexual orientation or health status to third parties. New federal regulations that went into effect in April 2003 help to clarify the rights of LGBT persons and the responsibilities of health care providers regarding the confidentiality of medical information.

These new regulations, issued by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act (known as “HIPAA”), create a federal standard dictating how medical providers and health plans can use and disclose patients’ private information. The rules tell health plans and healthcare providers when they can and cannot disclose private information about a patient, and, in some cases, when they must disclose that information. This fact sheet summarizes the new federal privacy rules and discusses how they regulate the communication of information regarding a patient’s sexual orientation or gender identity.

What kind of information is covered by the privacy rules?

The new privacy rules regulate disclosure of a wide range of information about patients. Specifically, the rules create limited safeguards for all “protected health information,” which includes any information that relates to (1) a patient’s past, present or future physical or mental health or condition, (2) the provision of healthcare to the patient, or (3) payment for the patient’s healthcare. As long as the information is collected from the patient, can be used to identify the patient, and is transmitted or maintained in some form by the healthcare provider or health plan, it is protected under the federal privacy rules.

The privacy rules protect diagnostic information like a patient’s HIV status, information related to medical treatment like a patient’s family history, and other identifying information like a patient’s name, address or social security number. Because information about a patient’s sexual orientation and gender identity is often very relevant – and sometimes absolutely crucial – to the provision of healthcare, it is protected by the federal privacy rules as well.

When can a healthcare provider use or disclose information regarding her patient’s health condition, sexual orientation or gender identity?

The federal privacy rules create certain protections against the disclosure of private information about patients, but those protections are not absolute. The rules describe three different classes of information: (1) information that cannot be disclosed without written permission, (2) information that cannot be disclosed without informal verbal permission, and (3) information that can be disclosed without any permission.


  • Written permission required: In certain limited circumstances, a provider must obtain written authorization before disclosing a patient’s private information. Specifically, a provider must obtain an authorization in order to disclose psychotherapy notes or to use a patient’s protected information for marketing purposes.

  • Informal verbal permission required: In other circumstances, a provider must give the patient an informal opportunity to object before sharing private information about the patient. For instance, such verbal agreement is usually required before disclosing information to a patient’s friends or family.

  • No permission required: In a variety of other circumstances, a healthcare provider may disclose information about a patient without the patient’s consent. For example, a provider may disclose information about a patient for the following purposes:


    • To provide treatment to the patient or to facilitate payment for that treatment
    • To share information with business associates who work with the provider
    • To report certain information, such as a diagnosis of AIDS or an incident of domestic violence, to relevant public health authorities when the law requires or permits such reporting
    • To assist a law enforcement investigation or to provide eligibility information to a public benefits program
    • For any purpose, as long as the information revealed by the provider does not identify the individual patient

    This list is not exhaustive; the federal rules list several other situations when a provider may disclose a patient’s private information without consent. In other words, there are many situations where a patient’s disclosures to a doctor may not remain confidential. However, when a provider discloses information about a patient, the provider usually must try to reveal as little private information as possible. In most cases, this should mean that the provider cannot disclose a patient’s sexual orientation or gender identity without the patient’s consent.

Are there any other ways that private information about a patient’s health condition, sexual orientation or gender identity can be protected against disclosure by a healthcare provider?

In addition to the federal rules, information about patients may be protected in two other ways.

  • Private agreements between patients and providers: First, a patient may request that a provider agree to additional protections, and if the provider agrees, the provider generally must keep that promise. For example, if a patient elicits an agreement from a doctor that the doctor will not disclose the patient’s sexual orientation without the patient’s prior written consent, then the doctor generally must comply with the agreement.

  • Additional protections afforded by state laws: Second, some states have laws that provide additional protections for patients. For example, many states broadly prohibit healthcare providers and laboratories from disclosing patients’ HIV test results except in certain circumstances. The federal rules do not free providers from their legal duties to comply with those more protective state laws.

What rights do the new privacy rules grant to patients?

Aside from the confidentiality and disclosure of health information, the new federal rules describe a few related rights that patients may exercise:

  • Right to inspect and copy medical records: With some exceptions, a patient has the right to inspect and obtain copies of all private records that a provider maintains. A patient who requests copies of medical records may have to pay for the cost of copying.
  • Right to amend records: A patient may request that a provider change information in medical records if the patient believes the information is inaccurate or incomplete. Although the provider need not necessarily make the change, the provider must respond to the request and permit the patient to include a statement in the records explaining the disagreement.


  • Right to accounting of disclosures: With some limitations, a patient may request that a provider furnish a list of everyone to whom the provider has disclosed the patient’s protected information within the past six years. The provider may not charge the patient for this service unless the patient requests more than one accounting in a 12-month period.
  • Right to receive communications from provider in a confidential manner: If a patient asks a provider to communicate with him in a confidential way, the provider must usually comply with the request. For instance, if a patient lives with his parents and does not want them to know he is gay, he can ask his doctor to send all private information to him at his work address and to call him at his work phone number.

How can a patient complain if a provider has violated the privacy rules?

If a patient believes that a healthcare provider has violated the privacy rules, the patient may either (1) file a written complaint with the Department of Health and Human Services (HHS) within 180 days of the violation, or (2) file a complaint with the provider. If the patient files a complaint with HHS, and HHS agrees that the rules have been violated, HHS may impose a fine on the provider or, in rare cases, pursue criminal charges.

When do medical providers have to tell patients about their privacy rights?

Most health care providers in the U.S., including private physicians’ offices and hospitals, must provide each patient with a description of the patient’s privacy rights during the patient’s first doctor’s visit after the rules became effective in mid-April 2003. Patients should keep these documents in their files for future reference, particularly if they have questions about the release of sensitive information by their healthcare providers.

For More Information:

This fact sheet includes some basic information about the federal privacy regulations, but the information is not comprehensive. For more information about the regulations, we encourage you to visit any of these web sites:

June 18, 2003