What are Patient Rights Under HIPAA?


Patient rights under HIPAA encompass the right to access and obtain copies of their health information, the right to request corrections to their records, the right to receive privacy notices, the right to control the sharing of their health information, the right to file complaints about privacy violations, the right to know who has accessed their health information, the right to obtain an account of disclosures of their health information, and the right to request restrictions on the use or disclosure of their health information.

Patient rights under HIPAA are stipulated by the Privacy Rule. Covered Entities – and, in some cases, Business Associates – must comply with the standards relating to patient rights if they are to meet the requirements of the Health Insurance Portability and Accountability Act. This guide lists the patient rights under HIPAA and suggests how Covered Entities can best accommodate patients who exercise their rights.

Patient Rights under HIPAA – Description

  • Patients have the right to request a copy of their medical records – This foundational patient right, established under HIPAA, empowers individuals to review their health history, treatment plans, and diagnoses, and to collaborate effectively with healthcare providers.
  • Patients have the right to request erroneous information is corrected – HIPAA grants patients the authority to challenge and rectify inaccuracies, incompleteness, or misleading information in their health records, contributing to a culture of patient safety.
  • Patients have the right to know with whom health information is shared – This right enhances transparency by enabling patients to be informed about who accesses their health information and for what purpose, promoting accountability and trust.
  • Patients have the right to know why PHI has been shared – Patients can inquire about the reasons behind the sharing of their Protected Health Information (PHI), enabling them to understand the context of disclosures and ensuring appropriate use.
  • Patients have the right to determine how they are contacted – HIPAA respects patient preferences by granting the right to specify preferred communication methods, fostering patient engagement and personalized interactions.
  • Patients have the right to object to certain disclosures – Acknowledging diverse preferences, this right empowers patients to object to specific uses or disclosures of their health information, promoting individualized care and autonomy.

HIPAA Covered Entities have to provide patients with – or prominently display – a Notice of Privacy Practices. The Notice of Privacy Practices must, at a minimum, explain the privacy practices of the organization and provide a user-friendly explanation of patient rights under HIPAA. While each organization's privacy practices may differ, patient rights under HIPAA are always the same.

However, a patient’s HIPAA rights only apply to Protected Health Information (PHI) maintained in a designated record set of which they are the subject, or for which they are an authorized personal representative of the subject (e.g., the parent of a child). Patients therefore do not have a right under HIPAA to access PHI maintained about them in another, non-related designated record set.

Importance of Accurate Health Records for Effective Patient Care

Accurate health records stand as the bedrock upon which quality patient care is built, forming an essential foundation for informed decision-making and personalized medical interventions. These comprehensive records chronicle an individual’s medical history, diagnoses, treatments, allergies, and other critical health-related information. Ensuring the accuracy of these records is paramount, as they play an integral role in guiding healthcare providers in delivering optimal care. Inaccurate health records can lead to serious consequences that ripple across the healthcare spectrum.

One glaring consequence is the potential for misdiagnoses. Imagine a scenario where an incorrect allergy status is recorded, leading a healthcare provider to prescribe medication that triggers an adverse reaction. Such errors can have far-reaching implications, ranging from unnecessary treatments and delays in proper interventions to exacerbation of medical conditions and compromised patient safety. Inaccurate health records can result in incorrect treatment plans. Providers rely on these records to make informed decisions about treatment options, medication dosages, and surgical interventions.

A simple error in recording a patient’s medical history or medication regimen can lead to treatment plans that are ineffective or, worse, harmful. This can lead to wasted time, resources, and increased risk to the patient’s well-being. Medication errors are also a significant concern arising from inaccurate health records. Prescription decisions are influenced by the information contained within these records. Mistakes in recording current medications, dosages, or allergies can lead to prescribing medications that interact adversely, compromising treatment efficacy and patient safety.

The right to request corrections to health records, as enshrined in HIPAA, is a powerful tool that empowers patients to take an active role in their healthcare journey. This right acknowledges that patients possess unique insights into their medical history, treatment experiences, and allergies. By exercising this right, patients can ensure that their health records accurately mirror their health status. This proactive engagement not only safeguards patients from potential harm arising from errors but also promotes a sense of ownership over their health.

Patients have the right to request a copy of their medical records

Patients can ask to see, or obtain a copy of, their medical records. Patients can choose whether to receive their medical records on paper or electronically – or have them sent to a designated person or an alternate health care provider. Covered Entities have to comply with the request within thirty days or provide the patient with a written explanation of why they are unable to do so.

Before complying with the request, Covered Entities should verify the identity of the individual requesting access to PHI (if the identity or authority of the person is not already known) and review the content of the information being released to ensure there is no likelihood of the disclosure causing harm (see 45 CFR § 164.524 – Reviewable Grounds for Denial).

Thereafter, HHS' Office for Civil Rights recommends complying with the request by electronic means wherever possible as “providing readily available electronic access may have the secondary effect of enhancing communication with individuals, which in turn may lead to improved quality of care and strengthened consumer satisfaction”.

Patients have the right to request erroneous information is corrected

If a patient believes their medical records are inaccurate or incomplete, HIPAA provides patients with the right to request that erroneous information be corrected. However, there are a number of circumstances in which Covered Entities may be unable to comply with the request:

  • The erroneous information is not part of a “designated record set” (see 45 CFR § 164.501 for the definition of a Designated Record Set),
  • It was not created by the Covered Entity being asked to correct the information (unless the originator of the PHI is no longer available),
  • The information is additional to the PHI provided by the Covered Entity in response to a right of access request, or
  • The Covered Entity believes the information is accurate and complete.

If a Covered Entity denies the patient rights under HIPAA to correct erroneous information, the Covered Entity must explain to the patient the reason(s) for denying the request and provide the patient with details of how to submit a written statement of disagreement and how to make a complaint to the Secretary of Health and Human Services.

If the patient subsequently submits a statement of disagreement, they have the right to request that the Covered Entity's denial and the statement of disagreement be included with any future disclosures of PHI relating to the information in question. Considering the amount of work involved in complying with these patient rights under HIPAA, the best option is to agree to the original request for correction whenever possible.

Patients have the right to know with whom health information is shared

In the Notice of Privacy Practices, Covered Entities should explain how health information is used and with whom it is shared. In most cases, uses will include treatments, operations, and billing; but the list of allowable disclosures can be confusing to patients – especially as patients also have the right to request PHI is not shared with certain people or organizations.

Covered Entities should make it clear what information they are required to share (e.g., reports of suspected abuse, neglect, or domestic violence), what information they can share when it is believed to be in the patient’s best interest (e.g., health information shared with family and friends), and what information requires patient consent before it can be shared (e.g., psychotherapy notes).

With regards to patient rights under HIPAA not to share health information with certain people or organizations, Covered Entities can only agree to the request if there is no conflict with state or federal laws. Covered Entities need to be aware of which laws may limit their ability to comply with this request and include any exceptions in the Notice of Privacy Practices.

Patients have the right to know why PHI has been shared

Patients have the right to request a list of the times PHI has been shared for purposes other than treatment, operations, and billing. Covered Entities have to comply with this request by supplying a list of the times PHI has been shared during the last six years, together with the reason for each disclosure.

This “accounting of disclosures” applies to any time PHI has been accessed by or transmitted to third parties that do not have an allowable authorization as permitted by the Privacy Rule. However, the list does not have to include disclosures of PHI made to a business associate under a Business Associate Agreement as these disclosures are considered to be healthcare operations.

In theory, the list should be a very short one consisting of disclosures the patient has consented to or that have been made in the patient's best interests. However, all other disclosures must be included, even if they have been made without the consent of the patient. If it is subsequently discovered that disclosures have been hidden from the patient, it could result in a substantial fine.

Patients have the right to determine how they are contacted

When Covered Entities attempt to contact patients, the risk exists that they might disclose PHI to individuals without the consent of the patient (e.g., an individual who shares the patient's home, an employer, a receptionist, etc.). To prevent this scenario from happening, Covered Entities should encourage patients to inform them how they would like to be contacted (voice, SMS, email, etc.).

Covered Entities also need to know whether a voice message can be left if the patient is unavailable. Many patients will be happy to give their consent for a voice message to be left with a family member or other person involved in their care, but might not consent to a voice message being left on an answering machine if the machine is accessible to individuals who share the patient's home.

There are also some patient rights under HIPAA that limit what patients can be contacted for. For example, Covered Entities can contact patients for fundraising efforts, but if the patient asks not to be contacted again for fundraising efforts, the Covered Entity has to record the patient's request and comply with it. Most other contacts not related to healthcare require patient consent.

Patients have the right to object to certain disclosures

In addition to patients having the right to request health information is not shared with certain people or organizations (including health plans when treatments are paid for privately), patients have the right to object to disclosures of PHI for directory and notification purposes.

It is a common practice in many health care facilities to maintain a directory of patient information containing the name, general condition, religious affiliation, and location within the facility, so that the information can be disclosed to any person asking about the individual by name.

Patients should be given the opportunity to agree or object to their information being included in a directory or used to notify family, friends, and public agencies about their condition. If a patient is unable to exercise this right due to incapacitation, Covered Entities can assume the patient agrees to the disclosures only if they are considered to be in the patient's best interests.

Complaints when patient rights under HIPAA are violated

Patients have the right to make a formal complaint if they believe their patient rights under HIPAA have been violated. The complaint could be due to (for example) an unreasonable delay in providing a medical record, the failure to respond to a correction request, or because PHI has been disclosed to a third party without authorization or consent.

Patients can complain to the Covered Entity or to the Department of Health and Human Services. Covered Entities should include the contact details for both options in the Notice of Privacy Practices – especially the name, number, and email address for their HIPAA Privacy Officer – and be aware that unresolved complaints to a Covered Entity can subsequently be escalated by a patient to the Department of Health and Human Services.

It is also important for Covered Entities to be aware that patients have the right to change their mind about how their PHI is managed. Provided the change of mind is communicated in writing, Covered Entities must abide by the patient’s current wishes with regards to patient rights under HIPAA. Any course of action based on out-of-date information or retrospective consent is a violation of HIPAA.

The process of submitting correction requests for health records under HIPAA is designed to be accessible and patient-centered. Patients who wish to rectify inaccuracies, incompleteness, or misleading information in their health records can initiate the correction process by formally submitting a request to their healthcare provider. This request typically outlines the specific details of the inaccuracies, provides context for the necessary changes, and clearly states the desired corrections. Depending on the provider’s practices and technological capabilities, correction requests can often be submitted through written communication, email, or dedicated online portals. Clarity and precision are crucial at this stage, as accurate information expedites the correction process.

In alignment with HIPAA regulations, healthcare providers are required to respond to correction requests within a reasonable timeframe. This response window is set at 60 days from the receipt of the patient’s formal request. This ensures that patients receive timely resolution regarding the accuracy of their health records. However, it’s important to note that this 60-day period can be extended by an additional 30 days under certain circumstances. In such cases, providers must inform the patient of the extension and provide a written explanation for the delay. This transparency underscores the commitment to communication and patient engagement throughout the correction process.

One of the core tenets of the correction process is its collaborative nature. Upon receiving a correction request, healthcare providers undertake a comprehensive review to assess the validity of the requested changes. If the provider concurs that the information in question is indeed inaccurate or incomplete, they proceed to make the necessary corrections in the patient’s health records. This collaborative approach ensures that health records are reflective of the patient’s medical history and treatment journey, enhancing the overall quality and safety of patient care. In instances where the provider disagrees with the requested changes, they are obligated to communicate their stance to the patient in writing. This correspondence outlines the reasons behind the provider’s decision not to make the requested corrections. This open communication further emphasizes the patient’s role in the correction process and provides an opportunity for dialogue and understanding.

The process of submitting correction requests and the subsequent responses from healthcare providers exemplify the commitment to accuracy and patient-centered care. The collaborative effort between patients and providers ensures that health records are an accurate representation of an individual’s medical history, leading to improved healthcare decisions and outcomes.

HIPAA Patient Rights FAQs

Where can I find further information about what should be included in a Notice of Privacy Practices?

The Department of Health and Human Services has a web page dedicated to guidance on this subject. On the web page you will find model Notices of Privacy Practices for both healthcare organizations and health plans, in both English and Spanish.

Are all organizations that collect personal data required to comply with patient rights under HIPAA?

No. Only HIPAA Covered Entities (healthcare organizations, health plans, and healthcare clearinghouses) are required to comply with patient rights under HIPAA. However, other organizations such as schools, employers, state agencies, and life insurance carriers may be subject to other state or federal privacy laws.

Can Covered Entities charge patients for providing a copy of their medical records?

With regards to providing a patient with a copy of their medical records, Covered Entities are allowed to charge a reasonable, cost-based fee. Most other requests are free (e.g., requests to correct erroneous information), although some Covered Entities may charge for an “accounting of disclosures” list – particularly if a list is requested more than once a year.

What happens if a patient is unable to exercise their patient rights under HIPAA?

If a patient has a legal guardian or has given someone medical power of attorney, the appropriate person can exercise the rights on the patient's behalf. Alternatively, a Covered Entity can make decisions on the patient's behalf provided it is believed they are in the patient's best interest. These decisions – and the reasons for them – must be documented.

When can a Covered Entity disclose a patient's PHI without their consent?

In most cases, allowable disclosures of PHI without a patient's consent are limited to the provision of healthcare, healthcare operations, and payment for healthcare. In certain circumstances, a Covered Entity can disclose PHI for reasons such as public safety, research, organ donation requests, and workers' compensation claims.

Why might a patient want to limit what information is shared about them?

There could be a number of reasons. For example, a patient may not want their employer to know about a condition that might affect future work opportunities. Alternatively, if the patient pays for health care privately, they may not want their health insurer to know about it because the health insurer may increase the premiums on their coverage or reduce the deductible for future claims.

What are HIPAA rights?

HIPAA rights give patients and health plan members more control over how their Protected Health Information is used and disclosed. They also give patients and health plan members the opportunity to request details of what information is maintained about them, request errors are corrected, and request a copy of their Protected Health Information is sent to another person.

How many basic rights are covered under HIPAA?

There are six basic rights covered under HIPAA. However, Covered Entities and Business Associates can permissibly deny an individual their rights in limited circumstances. If you feel your rights have been denied unjustifiably, you also have the right to request a review of the denial which will be conducted by a designated review official.

What are the six patient rights under the Privacy Rule?

The six patient rights under the Privacy Rule are summarized in the conclusion above. With regards to exercising the six patient rights, it is important to note that limits may be applied to how many times per year an individual can request a copy of their medical records (etc.) without incurring charges beyond those mandated by HHS' Office for Civil Rights.

What is not a right under HIPAA?

One issue not covered by the patient rights under the Privacy Rule is a right to question why certain information is included in – or omitted from – a designated record set. Although most healthcare providers and group plans will likely volunteer answers to such questions and remove or add information as necessary, they are not required to by HIPAA.