What are Patient Rights Under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare data privacy, but what are patient rights under HIPAA? In this post we explain the key patient rights under HIPAA and how the legislation directly affects you as a patient.

HIPAA Rules must be followed by HIPAA-covered entities (healthcare providers, health plans, and healthcare clearinghouses) and by the business associates (vendors) that create, receive, maintain, or transmit protected health information on their behalf. A healthcare clearinghouse is an entity that converts health data between non-standard and standard formats, for example when processing claims.

HIPAA places strict controls on the allowable uses and disclosures of health data. Under HIPAA, protected health information may be used or disclosed without the patient's authorization only for treatment, payment, healthcare operations, and a limited set of other purposes the Privacy Rule specifically permits or requires (such as public health reporting or disclosures required by law); any other use or disclosure requires the patient's written authorization. HIPAA-covered entities and their business associates must also implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of health data.

Patient Rights under HIPAA

There are six main patient rights under HIPAA, as detailed below.

Notification of Privacy Practices

HIPAA-covered entities are required to notify you about how your medical data will be used and disclosed, and about the rights you have over it. This information is provided in a Notice of Privacy Practices, or NPP. The NPP should be posted on your provider's website and given to you when you first visit a new healthcare provider or sign up with a health plan; providers will usually ask you to sign an acknowledgment that you received it, which is not the same as consenting to any particular use of your data.

Right to Obtain a Copy of Your Health Data

One of the most important patient rights under HIPAA is the right to view or obtain a copy of your health data. By obtaining a copy of your health records you can check the data for errors, keep a copy for your own records, and share your health information with whoever you wish.

You can exercise this right by submitting a request in writing. Most healthcare providers will require you to fill in a form. A copy of your medical records must be provided within 30 days of the request, although the provider may extend this once by a further 30 days if it tells you in writing why the delay is necessary. You can specify how you want to receive the information, electronically or as a physical copy, and the provider must honor that request if the records are readily producible in that form and format. Only a reasonable, cost-based fee may be charged for providing a copy of your health information.

Right to Correct Errors in Your Health Records

After obtaining and checking your health records, you may discover an error or omission, such as an allergy that has not been recorded. HIPAA gives patients the right to request an amendment to their health information to correct such mistakes. Any request to amend a health record must be submitted in writing. The covered entity may deny the request in limited circumstances, for example if it determines that the existing record is accurate and complete or that it did not create the record, but it must then tell you the reason in writing and allow you to file a statement of disagreement that is kept with the record.

Right to Find Out Who Has Received Your Health Data

HIPAA includes a right to an accounting of disclosures of health data. If requested, a covered entity is required to provide a list of the disclosures it has made of an individual's health data during the six years before the request, including to whom the data was disclosed, when, and why. Certain disclosures are excluded from the accounting, most notably those made for treatment, payment, or healthcare operations and those the patient authorized in writing.

Right to Restrict Sharing of your Health Data

Patients have the right to ask a covered entity to restrict how their health data is used or disclosed, including for treatment, payment, or healthcare operations. A covered entity is not obliged to agree to such a request, with one exception: if you pay for a service in full out of pocket and ask that your health plan not be told about it, the provider must honor that restriction. Separately, HIPAA-covered entities are not permitted to sell your health data or use it for marketing without first obtaining your written authorization, and research use also generally requires authorization (with limited exceptions, such as when an institutional review board or privacy board waives that requirement).

Patients can also say with whom their health information may be shared, such as family members, friends, caregivers, legal representatives, or other entities, and can ask that information not be shared with particular individuals or groups. For people involved in your care, a provider may share relevant information unless you object, so it is worth stating any objection explicitly.

Right to File a Complaint for a Privacy Violation

If you believe your health data has been accessed by an unauthorized individual or impermissibly disclosed, or that any HIPAA Rule has otherwise been violated, you have the right to file a complaint. It is also possible to file a complaint if any of the patient rights described above has been denied.

The Department of Health and Human Services' Office for Civil Rights (OCR) investigates complaints. If OCR determines that HIPAA Rules have been violated, it can require corrective action and impose financial penalties for noncompliance. Complaints must generally be filed within 180 days of when you knew, or should have known, about the violation, and a covered entity may not retaliate against you for filing one.

HIPAA does not provide a private cause of action, which means an individual cannot sue a HIPAA-covered entity or business associate under HIPAA itself for a privacy breach or HIPAA Rule violation; the route to redress under HIPAA is a complaint to OCR (or to the relevant state attorney general, who can also enforce HIPAA). State privacy and negligence laws may provide separate grounds for legal action, and courts have in some cases treated HIPAA requirements as evidence of the expected standard of care.