The Privacy Rule stipulates patient rights under HIPAA which Covered Entities must comply with if they are to meet the requirements of the Health Insurance Portability and Accountability Act. This guide lists the patient rights under HIPAA and suggests how Covered Entities can best accommodate patients who exercise their rights.
HIPAA Covered Entities have to provide patients with – or prominently display – a Notice of Privacy Practices. The Notice of Privacy Practices must, at a minimum, explain the privacy practices of the organization and provide a user-friendly explanation of patient rights under HIPAA. While each organization's privacy practices may differ, patient rights under HIPAA are always the same.
Patients have the right to request a copy of their medical records
Patients can ask to see, or obtain a copy of, their medical records. Patients can choose whether to receive their medical records on paper or electronically – either by USB pen drive, via email, or via a web portal. Covered Entities have to comply with the request within thirty days or provide the patient with a written explanation why they are unable to do so.
Before complying with the request, Covered Entities should verify the identity of the individual requesting access to PHI (if the identity or authority of the person is not already known) and review the content of the information being released to ensure there is no likelihood of the disclosure causing harm (see 45 CFR § 164.524 – Reviewable Grounds for Denial).
Thereafter, HHS' Office for Civil Rights recommends complying with the request by electronic means wherever possible as “providing readily available electronic access may have the secondary effect of enhancing communication with individuals, which in turn may lead to improved quality of care and strengthened consumer satisfaction”.
Patients have the right to request erroneous information is corrected
If a patient believes their medical records are inaccurate or incomplete, they have the right to request that the erroneous information be corrected. However, there are a number of circumstances in which Covered Entities may be unable to comply with the request:
- The erroneous information is not part of a “designated record set” (see 45 CFR § 164.501 for the definition of a Designated Record Set),
- It was not created by the Covered Entity being asked to correct the information (unless the originator of the PHI is no longer available),
- The information is additional to the PHI provided by the Covered Entity in response to a right of access request, or
- The Covered Entity believes the information is accurate and complete.
If a Covered Entity denies the patient rights under HIPAA to correct erroneous information, the Covered Entity must explain to the patient the reason(s) for denying the request and provide the patient with details of how to submit a written statement of disagreement and how to make a complaint to the Secretary of Health and Human Services.
If the patient subsequently submits a statement of disagreement, they have the right to request that the Covered Entity's denial and the statement of disagreement be included with any future disclosures of PHI relating to the information in question. Considering the amount of work involved in complying with these patient rights under HIPAA, the best option is to agree to the original request for correction whenever possible.
Patients have the right to know with whom health information is shared
In the Notice of Privacy Practices, Covered Entities should explain how health information is used and with whom it is shared. In most cases, uses will include treatments, operations, and billing; but the list of allowable disclosures can be confusing to patients – especially as patients also have the right to request PHI is not shared with certain people or organizations.
Consequently, Covered Entities should make it clear what information they are required to share (e.g., reporting suspected abuse, neglect, or domestic violence), what information they can share when it is believed to be in the patient's best interest (e.g., health information with family and friends), and what information requires patient consent before it can be shared (e.g., psychotherapy notes).
With regards to patient rights under HIPAA not to share health information with certain people or organizations, Covered Entities can only agree to the request if there is no conflict with state or federal laws. Consequently, Covered Entities need to be aware of which laws may limit their ability to comply with this request and include any exceptions in the Notice of Privacy Practices.
Patients have the right to know with whom PHI has been shared, and why
Patients have the right to request a list of the times PHI has been shared for purposes other than treatment, operations, and billing. Covered Entities have to comply with this request and not only supply a list of the times PHI has been shared for the last six years, but also detail with whom it has been shared and why it was shared.
This “accounting of disclosures” applies to any time PHI has been accessed by or transmitted to third parties that do not have an allowable authorization as permitted by the Privacy Rule. However, the list does not have to include disclosures of PHI made to a business associate under a Business Associate Agreement as these disclosures are considered to be healthcare operations.
In theory, the list should be a very short one consisting of disclosures the patient has consented to or that have been made in the patient's best interests. However, all other disclosures must be included, even if they have been made without the consent of the patient. If it is subsequently discovered that disclosures have been hidden from the patient, it could result in a complaint and a substantial fine.
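The accounting described above is, in practice, a filter over a disclosure log: keep one patient's disclosures from the last six years, drop those made for treatment, payment or healthcare operations, drop those made to a business associate under a BAA, and keep everything else regardless of whether the patient consented. The following is an added example, not code from the original article; the `Disclosure` record layout and the sample log rows are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


# Disclosures for treatment, payment and healthcare operations (TPO) need not
# appear in the accounting, and neither do disclosures to a business associate
# under a Business Associate Agreement, which the article treats as operations.
EXEMPT_PURPOSES = {"treatment", "payment", "healthcare operations"}
LOOKBACK_YEARS = 6


@dataclass(frozen=True)
class Disclosure:
    """One row of a hypothetical disclosure log (constructed schema, not from the page)."""
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str
    under_baa: bool = False  # recipient is a business associate covered by a BAA


def lookback_start(as_of: date) -> date:
    """First day of the six-year window ending on as_of; Feb 29 rolls back to Feb 28."""
    try:
        return as_of.replace(year=as_of.year - LOOKBACK_YEARS)
    except ValueError:
        return as_of.replace(year=as_of.year - LOOKBACK_YEARS, day=28)


def is_accountable(d: Disclosure, start: date, as_of: date) -> bool:
    """True unless the disclosure is TPO, made under a BAA, or outside the window."""
    if not (start <= d.disclosed_on <= as_of):
        return False
    if d.purpose.lower() in EXEMPT_PURPOSES:
        return False
    if d.under_baa:
        return False
    return True


def accounting_of_disclosures(log, patient_id, as_of):
    """Return (date, recipient, purpose) for every accountable disclosure of one patient's PHI.

    Nothing here filters on patient consent: unconsented disclosures stay in the list.
    """
    start = lookback_start(as_of)
    rows = [d for d in log if d.patient_id == patient_id and is_accountable(d, start, as_of)]
    rows.sort(key=lambda d: d.disclosed_on)
    return [(d.disclosed_on.isoformat(), d.recipient, d.purpose) for d in rows]


# Constructed sample log for illustration only; none of these rows are real.
SAMPLE_LOG = [
    Disclosure("P-001", date(2024, 3, 1), "Dr. Lee (treating physician)", "treatment"),
    Disclosure("P-001", date(2023, 11, 15), "Acme Billing Services", "payment", under_baa=True),
    Disclosure("P-001", date(2022, 6, 30), "State public health department", "public health reporting"),
    Disclosure("P-001", date(2017, 1, 10), "University research consortium", "research"),
    Disclosure("P-001", date(2021, 9, 5), "Cloud hosting vendor", "data hosting", under_baa=True),
    Disclosure("P-001", date(2023, 2, 14), "Employer HR department", "employment verification"),
    Disclosure("P-002", date(2023, 5, 20), "State public health department", "public health reporting"),
]


def sample_accounting():
    """Accounting for patient P-001 as of 1 June 2024 over the constructed log."""
    return accounting_of_disclosures(SAMPLE_LOG, "P-001", date(2024, 6, 1))


if __name__ == "__main__":
    for row in sample_accounting():
        print(*row, sep=" | ")
```

Run against the sample log, only the public health report (2022) and the disclosure to the employer (2023) survive: the treatment and BAA rows are exempt, the 2017 research disclosure is outside the six-year window, and the P-002 row belongs to another patient. The employer row is kept even though no consent is recorded, which is exactly the case the paragraph warns must not be left out.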
Patients have the right to determine how they are contacted
When Covered Entities attempt to contact patients, the risk exists that they might disclose PHI to individuals without the consent of the patient (e.g., an individual who shares the patient's home, an employer, a receptionist, etc.). To prevent this scenario from happening, Covered Entities should encourage patients to inform them how they would like to be contacted (voice, SMS, email, etc.).
Covered Entities also need to be aware whether a voice message can be left if the patient is unavailable. Many patients will be happy to give their consent for a voice message to be left with a family member or other person involved in their care but might not consent to a voice message being left on an answering machine if the machine is accessible to individuals who share the patient's home.
There are also some patient rights under HIPAA that limit what patients can be contacted for. For example, Covered Entities can contact patients for fundraising efforts, but if the patient asks not to be contacted again for fundraising efforts, the Covered Entity has to record the patient's request and comply with it. Most other contacts not related to healthcare require patient consent.
Complaints when Patient Rights Under HIPAA are Violated
Patients have the right to make a formal complaint if they believe their patient rights under HIPAA have been violated. The complaint could be due to (for example) an unreasonable delay in providing a medical record, the failure to respond to a correction request, or because PHI has been disclosed to a third party without authorization or consent.
Patients can complain to the Covered Entity or to the Department of Health and Human Services. Covered Entities should include the contact details for both options in the Notice of Privacy Practices – especially the name, number, and email address for their HIPAA Privacy Officer – and be aware that unresolved complaints to a Covered Entity can subsequently be escalated by a patient to the Department of Health and Human Services.
It is also important for Covered Entities to be aware that patients have the right to change their mind about how their PHI is managed. Provided the change of mind is communicated in writing, Covered Entities must abide by the patient's current wishes with regards to patient rights under HIPAA. Any course of action based on out-of-date information or retrospective consent is a violation of HIPAA.
Patient Rights FAQs
Where can I find further information about what should be included in a Notice of Privacy Practices?
The Department of Health and Human Services has a web page dedicated to guidance on this subject. On the web page you will find model Notices of Privacy Practices for both healthcare organizations and health plans in both English and Spanish.
Are all organizations that collect personal data required to comply with patient rights under HIPAA?
No. Only HIPAA Covered Entities (healthcare organizations, health plans, and healthcare clearinghouses) are required to comply with patient rights under HIPAA. However, other organizations such as schools, employers, state agencies, and life insurance carriers may be subject to other state or federal privacy laws.
Can Covered Entities charge patients for providing a copy of their medical records?
With regards to providing a patient with a copy of their medical records, Covered Entities are allowed to charge a reasonable, cost-based fee. Most other requests are free (e.g., requests to correct erroneous information), although some Covered Entities may charge for an “accounting of disclosures” list – particularly if a list is requested more than once a year.
What happens if a patient is unable to exercise their patient rights under HIPAA?
If a patient has a legal guardian or has given someone medical power of attorney, the appropriate person can exercise the rights on the patient's behalf. Alternatively, a Covered Entity can make decisions on the patient's behalf provided it is believed they are in the patient's best interest. These decisions – and the reasons for them – must be documented.
When can a Covered Entity disclose a patient's PHI without their consent?
In most cases, allowable disclosures of PHI without a patient's consent are limited to the provision of healthcare, healthcare operations, and payment for healthcare. In certain circumstances, a Covered Entity can disclose PHI for reasons such as public safety, research, organ donation requests, and workers' compensation claims.
Why might a patient want to limit what information is shared about them?
There could be a number of reasons. For example, a patient may not want their employer to know about a condition that might affect future work opportunities. Alternatively, if the patient pays for health care privately, they may not want their health insurer to know about it because the health insurer may increase the premiums on their coverage or reduce the deductible for future claims.