
Patient Rights Under HIPAA

Image: Patient speaking with a doctor about their right to access medical records under HIPAA.

When most people think of HIPAA, they think of the rules that stop their doctor from sharing medical records without permission. But HIPAA is not just a set of restrictions on healthcare providers — it is also a bill of rights for patients.

The HIPAA Privacy Rule grants individuals specific, enforceable rights over their own health information. These rights are not theoretical. They are backed by federal law, and the HHS Office for Civil Rights actively enforces them.

Your Right to Access Your Health Information

This is the most fundamental patient right under HIPAA — and the one most frequently violated.

What You Can Request

You have the right to inspect and obtain a copy of your protected health information that is maintained in a designated record set. This includes:

  • Medical records and clinical notes
  • Billing and payment records
  • Insurance enrolment and claims records
  • Any other records used to make decisions about you

How to Make a Request

Submit a written request to your healthcare provider or health plan (many now accept requests through a patient portal). They must act on it within 30 days of receipt. If they need more time, they may take one extension of up to 30 days, but they must tell you in writing, within the original 30 days, why there is a delay and the date by which they will respond. If your records are held electronically, you can ask for an electronic copy in the form and format you prefer, and they must provide it in that form if it is readily producible.

What They Can Charge

Providers may charge a reasonable, cost-based fee for copying records. This covers:

  • Labour for copying (either paper or electronic)
  • Supplies (paper, CD, USB drive)
  • Postage if you request mailing

They cannot charge a retrieval fee, a fee for searching for your records, or any fee that would create a barrier to access.

What If They Deny Your Request?

There are very limited grounds for denial. Psychotherapy notes, information compiled in reasonable anticipation of legal proceedings, and certain research data (while the research is in progress, if you agreed to that restriction when you enrolled) may be withheld, and those denials are not reviewable. A denial on the ground that a licensed healthcare professional has determined that access is reasonably likely to endanger your life or physical safety, or another person's, is reviewable: you can ask that a different licensed professional, not involved in the original decision, review it, and the covered entity must abide by that reviewer's decision. Any denial must be in writing, must state the basis for it and how to complain, and must still give you access to every part of the record the denial does not cover.

Your Right to Amend Your Records

If you believe the information in your medical records is inaccurate or incomplete, you have the right to request an amendment.

How It Works

  1. Submit a written request to the covered entity that holds the record (they may require you to give a reason)
  2. Explain why you believe the information is inaccurate or incomplete
  3. The covered entity must act within 60 days of receipt (with one 30-day extension, which they must explain to you in writing within the original 60 days)

When Can They Deny an Amendment?

A covered entity may deny your request if:

  • The information was not created by that entity (unless the originator is no longer available to act on the request)
  • The information is not part of the designated record set
  • The information is accurate and complete
  • The information is not available for access under HIPAA

If denied, you have the right to submit a statement of disagreement, which must be included in your record and disclosed with the contested information.

Your Right to an Accounting of Disclosures

You have the right to request a list of certain disclosures of your PHI made by a covered entity in the six years prior to the request (you can ask for a shorter period). The covered entity must respond within 60 days, with one 30-day extension that it must explain in writing. The first accounting in any 12-month period is free; for further requests within the same 12 months they may charge a reasonable, cost-based fee, but only if they tell you the fee in advance and give you the chance to withdraw or modify the request.

What Must Be Included

  • The date of each disclosure
  • The name of the person or entity who received the information
  • A brief description of the information disclosed
  • The purpose of the disclosure

What Is Excluded

Disclosures for treatment, payment, and healthcare operations are excluded from the accounting requirement, as are disclosures made to you, disclosures you authorised in writing, and incidental disclosures. This means the list is often shorter than you expect: what typically remains are disclosures such as those made to public health authorities, in response to a court order or subpoena, or to law enforcement.
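As an added illustration (example code written for this article, not code from the page or from any vendor's system), the following Python builds an accounting from a covered entity's disclosure log: it keeps only entries that fall inside the six-year window ending on the request date, drops treatment, payment and operations disclosures, and emits the four items listed above for each remaining row. The record shape, the `category` label, the clamping of a 29 February request date, and the sample log are all assumptions made for the example; a production system must also apply the other exclusions the rule provides for, which this snippet does not model.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List


# One row of a covered entity's disclosure log. The field names and the
# "category" label are assumptions made for this example, not a schema
# defined by the Privacy Rule.
@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date   # date of the disclosure
    recipient: str       # person or entity that received the PHI
    description: str     # brief description of the information disclosed
    purpose: str         # purpose of the disclosure
    category: str        # "treatment", "payment", "operations" or "other"


# Disclosures for treatment, payment and healthcare operations are outside
# the accounting requirement, so rows carrying these labels are filtered out.
EXCLUDED_CATEGORIES = frozenset({"treatment", "payment", "operations"})


def window_start(request_date: date, years: int = 6) -> date:
    """First day of the look-back window: the same calendar day `years`
    earlier. A 29 February request date is clamped to 28 February when the
    earlier year is not a leap year (an assumption about how to handle it)."""
    try:
        return request_date.replace(year=request_date.year - years)
    except ValueError:
        return request_date.replace(year=request_date.year - years, day=28)


def accounting_of_disclosures(log: Iterable[Disclosure],
                              request_date: date,
                              years: int = 6) -> List[Dict[str, str]]:
    """Return the accountable disclosures made in the `years` before
    `request_date` (inclusive at both ends), oldest first, carrying the
    four items the accounting must contain."""
    start = window_start(request_date, years)
    rows = [d for d in log
            if start <= d.disclosed_on <= request_date
            and d.category not in EXCLUDED_CATEGORIES]
    rows.sort(key=lambda d: d.disclosed_on)
    return [{"date": d.disclosed_on.isoformat(),
             "recipient": d.recipient,
             "description": d.description,
             "purpose": d.purpose} for d in rows]


# Constructed sample log for a fictitious patient; none of this is real data.
SAMPLE_LOG = [
    Disclosure(date(2018, 12, 15), "State health department",
               "positive test result", "mandatory public health report", "other"),
    Disclosure(date(2019, 6, 1), "County superior court",
               "visit dates, Jan-Mar 2019", "response to court order", "other"),
    Disclosure(date(2021, 3, 10), "Dr. A. Example (referring physician)",
               "full chart", "continuity of care", "treatment"),
    Disclosure(date(2022, 8, 4), "Example Health Plan",
               "procedure and diagnosis codes for 2022-08-01 visit",
               "claim adjudication", "payment"),
    Disclosure(date(2023, 11, 20), "State immunisation registry",
               "vaccine doses administered", "public health reporting", "other"),
    Disclosure(date(2024, 2, 29), "Internal quality committee",
               "outcome data for 2023 visits", "quality assessment", "operations"),
    Disclosure(date(2025, 7, 1), "City police department",
               "admission date and discharge status", "response to subpoena", "other"),
]


def sample_accounting() -> List[Dict[str, str]]:
    """Accounting for a request received on 1 June 2025 against the sample log.
    Only the 2019 court order (on the window boundary) and the 2023 registry
    report survive: the rest are TPO, too old, or after the request date."""
    return accounting_of_disclosures(SAMPLE_LOG, date(2025, 6, 1))


if __name__ == "__main__":
    for row in sample_accounting():
        print(row)
```

The boundary is inclusive on both ends, so a disclosure made exactly six years before the request date is reported; a log that stores timestamps rather than dates should be truncated to the calendar date before the comparison so that time-of-day does not push a boundary entry out of the window.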

Your Right to Request Restrictions

You can request that a covered entity restrict how they use or disclose your PHI for treatment, payment, or operations, or what they share with family members and others involved in your care. The covered entity is not required to agree, but once it has agreed it is bound by the restriction (except where the restricted information is needed to give you emergency treatment). There is one important exception, where agreement is mandatory:

Image: Patient reviewing and signing medical consent forms in a healthcare provider's office.

The Special Rule for Self-Pay

If you pay for an item or service out of pocket in full, you can require the provider not to disclose PHI about it to your health plan for payment or healthcare operations purposes, unless the disclosure is otherwise required by law. This is the only restriction request that a covered entity must honour. The restriction covers only the item or service you paid for in full; information the provider needs in order to be paid for a later service that is billed to your plan is not covered, so ask how the self-paid visit will be kept separate in your record.

Your Right to Confidential Communications

You have the right to request that communications about your health information be sent by a particular means or to a particular location: to a different address, by phone rather than mail, or through a secure portal. A healthcare provider must accommodate any reasonable request and cannot ask you why you want it, though it may ask how payment will be handled and for an alternative address or method. A health plan must accommodate a reasonable request if you state that disclosing all or part of the information could endanger you.

Your Right to a Notice of Privacy Practices

Every covered entity must provide you with a Notice of Privacy Practices that explains:

  • How they may use and disclose your PHI
  • Your rights under HIPAA
  • Their legal duties regarding your information
  • How to file a complaint

A provider with a direct treatment relationship must give you the notice no later than your first visit and make a good-faith effort to obtain your written acknowledgement that you received it; it must also post the notice where patients can see it and on its website if it has one. When the notice changes materially, the revised version must be posted and available on request, and a health plan must tell its members about a material change within 60 days.

Your Right to File a Complaint

If you believe your HIPAA rights have been violated, you have the right to file a complaint with the covered entity itself (its Notice of Privacy Practices must say how) and with the HHS Office for Civil Rights (OCR). You do not have to complain to the provider first.

You cannot be retaliated against for filing a complaint. Retaliation itself is a HIPAA violation.

How to File with OCR

  • Use the OCR complaint portal at HHS.gov (OCR also accepts complaints by mail, fax, or e-mail)
  • File within 180 days of when you knew, or should have known, about the violation; OCR may extend this period for good cause
  • Provide your name, the name of the covered entity, and a description of what happened and when; the complaint must be in writing

What Providers Should Know

For healthcare organisations, respecting patient rights is not optional. OCR's Right of Access Initiative, announced in 2019, has produced a steady series of enforcement actions against providers who failed to respond to records requests on time or charged improper fees. Penalties have ranged from $10,000 to over $200,000.

Best practices:

  • Designate a staff member (and a backup) to own access requests
  • Log every request on receipt and track it to fulfilment, so the 30-day clock is unambiguous and the one permitted extension is documented
  • Train front-desk and portal support staff on the 30-day deadline and on what a valid request looks like
  • Maintain templates for responses, extension notices, and written denials that state the basis for the denial and how to complain
  • Document the basis for any copying fee so it can be shown to be reasonable and cost-based
  • Review your processes annually

Article by

HIPAA Guidelines Editorial Team

The editorial team at HIPAA Guidelines researches and writes authoritative guides on HIPAA compliance, privacy regulations, and healthcare data protection.
