What are patient rights under HIPAA?

Written by Kirsten Peremore | May 06, 2025

Under HIPAA, patients are granted a set of fundamental rights regarding their protected health information (PHI). These rights include the ability to access and obtain copies of their medical records, request corrections to inaccurate or incomplete information, receive a clear notice of privacy practices, request restrictions on certain uses and disclosures of their PHI, request confidential communications, obtain an accounting of disclosures, and revoke authorizations for sharing their information. 

A study published in the online research journal Perspectives in Health Information Management, ‘Health Information Privacy Laws in the Digital Age: HIPAA Doesn't Apply’, observes: “Compliance with the original HIPAA regulations took significant time and effort by healthcare facilities, and more changes were on the horizon as the focus on patient rights grew. As the challenges and risks of healthcare privacy took center stage, legislators became increasingly eager to draft privacy legislation with a narrower scope.”

These rights matter to healthcare organizations in several ways. They form the legal and ethical foundation for patient privacy and data security. Respecting patient privacy is associated with greater patient satisfaction and a greater willingness to share sensitive information, which can improve clinical outcomes.

How HIPAA sets the floor of rights alongside state laws

An excerpt from Chapter 4 of Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research notes, “In general, the Privacy Rule preempts contrary state laws relating to the privacy of health information. Generally, this means that if it is impossible for a covered entity to comply with both the Privacy Rule and the state law in question, the Privacy Rule will be applied in the situation and the state law will be considered void.”

States are permitted to enact laws that provide even greater privacy protections for patients. This dual-layered approach ensures that no patient in the United States receives less protection than HIPAA requires, while allowing regional variations that reflect local values or address specific health concerns.

For example, some states have laws that require explicit patient consent for the disclosure of certain types of sensitive health information, such as mental health records or HIV status, even when HIPAA might permit such disclosures under certain circumstances. When state and federal laws conflict, the law that is more protective of patient privacy prevails.

Rights to access and obtain copies of health records

Patients can request electronic or paper copies of their medical records, and covered entities must provide them within 30 days, though extensions up to 60 days are permitted if the patient is given an explanation. Covered entities must provide records in the requested format if feasible and may charge reasonable costs. This right enables patients to review diagnoses, share data with other providers, and identify errors. It also supports continuity of care and empowers individuals to participate actively in treatment decisions.

Right to request corrections to health information

Patients may request amendments to PHI that they believe is inaccurate or incomplete. Covered entities must respond within 60 days, either approving the correction or providing a written denial with reasons (e.g., the record is accurate). If denied, patients can submit a rebuttal statement to be included in their file.

Right to receive a notice of privacy practices

Covered entities must provide a clear, written Notice of Privacy Practices (NPP) detailing how PHI is used/disclosed, patient rights, and the entity’s legal duties. The NPP must explain how to file complaints and contact the organization’s privacy officer. Patients typically receive this notice during their first interaction and can request copies anytime.

Right to request restrictions on uses and disclosures

Patients have the right to ask a covered entity to restrict how their PHI is used or disclosed, including for treatment, payment, or healthcare operations, and including disclosures to family members or others involved in their care. Healthcare providers are generally not required to agree to these requests. One exception is mandatory: when a patient has paid for a service out of pocket in full and asks that PHI about that service not be disclosed to their health plan for payment or operations purposes, the provider must honor the request.

Right to request confidential communications

Patients can ask providers to communicate PHI through alternative means (e.g., by email) or to alternative locations (e.g., a workplace address). Covered entities must accommodate reasonable requests, and tools such as HIPAA compliant email platforms help them do so without causing unauthorized disclosures.

Right to an accounting of disclosures

Patients may request a list of non-routine PHI disclosures made over the past six years, excluding those for treatment, payment, or operations. The accounting must include the recipient, purpose, and date of each disclosure. This right helps patients monitor unauthorized data sharing, such as disclosures to employers or for research without authorization.

Right to revoke authorizations

Patients can revoke prior written authorizations for PHI use/disclosure at any time, except if the covered entity has already acted based on that authorization. Revocations must be in writing and processed promptly. This right allows individuals to halt further data sharing, such as stopping a research study’s access to their records.

Situations where access or corrections may be denied

While HIPAA generally supports patient access and correction rights, there are specific situations where requests may be denied. Access can be denied if the information falls into certain categories, such as psychotherapy notes (which are kept separate from the rest of the medical record), information compiled for use in legal proceedings, or records whose release could endanger the life or physical safety of the patient or another person.

An excerpt from Patient Confidentiality notes, “The healthcare provider may deny access to PHI if he or she believes such access may harm the patient or others. A patient must request, in writing, to obtain his or her medical chart.”

Requests for corrections may be denied if the provider determines that the information is accurate and complete, was not created by the provider, or is not part of the designated record set. In cases of denial, the provider must give the patient a written explanation and inform them of their right to appeal or submit a statement of disagreement.

Practical steps for patients to request access, corrections, or restrictions

  • Requests for access or corrections should be made in writing, specifying the information sought or the correction requested. Many organizations provide standard forms to facilitate this process.
  • For access, patients should indicate whether they want electronic or paper copies and may need to provide identification.
  • For corrections, it is helpful to include documentation supporting the request.
  • Requests for restrictions on uses or disclosures, or for confidential communications, should clearly state the desired limitations or alternative methods of contact.
  • Providers are required to respond within set timeframes (typically 30 days for access and 60 days for corrections) and must provide written explanations for any denials. If a request is denied, patients can appeal or submit a statement of disagreement to be included in their record.

Filing complaints with covered entities or the Office for Civil Rights if rights are violated

According to Chapter 4 from Beyond the HIPAA Privacy Rule, “OCR is in charge of enforcement and decides whether and when to pursue a regulatory investigation and penalties against a covered entity (Stevens, 2003). In addition, it is important to note that this does not prevent an individual from pursuing a private right of action under state law (Pritts, 2008).”

If a patient believes their HIPAA rights have been violated, they have the right to file a complaint with the healthcare provider’s privacy officer or directly with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Complaints should be submitted in writing and include the name of the covered entity, a description of the alleged violation, and relevant dates.

The OCR provides an online portal, as well as options for mail and email submissions. Complaints must generally be filed within 180 days of when the patient knew or should have known about the violation. The OCR investigates complaints and may require corrective actions, impose fines, or conduct audits.

HIPAA prohibits covered entities from retaliating against individuals who file complaints. This process provides patients with a clear avenue for seeking redress and ensures that healthcare organizations are held accountable for upholding privacy standards.

FAQs

Can healthcare providers share health information without permission?

Generally, your health information cannot be used or shared without written authorization unless HIPAA specifically allows it, such as for treatment, payment, or healthcare operations.

Are providers required to agree to all patient requests for restricting the use or disclosure of their PHI?

No, providers are not obligated to agree to every restriction request. However, if a patient pays out-of-pocket in full for a service, providers must honor requests to restrict disclosures to health plans related to that service. Any agreed-upon restrictions must be strictly followed to avoid HIPAA violations.

What responsibilities do providers have regarding the Notice of Privacy Practices?

Providers must give every new patient a clear, written Notice of Privacy Practices that explains how PHI is used and disclosed, patients’ rights, and how to file complaints. They must make reasonable efforts to obtain the patient’s acknowledgment of receipt.