Covered Entity Responsibilities Under HIPAA: What Patients Must Receive

Kevin Henry

HIPAA

January 06, 2025

7 minute read

As a covered entity, you have clear, patient-facing duties under HIPAA. This guide explains what patients must receive and how to meet those obligations while protecting Protected Health Information (PHI) and maintaining HIPAA Compliance Documentation.

Notice of Privacy Practices

You must give each patient a Notice of Privacy Practices (NPP) that explains how you use and disclose PHI, the patient’s rights, and your legal duties. Provide the NPP at the first service encounter, post it prominently at your site, and make it available on your website if you maintain one. Make a good-faith effort to obtain written acknowledgment of receipt.

What the NPP must include

  • Permitted uses and disclosures of PHI (with examples, when helpful).
  • Patient rights: access, amendment, confidential communications, restrictions, accounting of disclosures, and complaint filing.
  • Your duties to safeguard PHI, maintain privacy, notify of breaches, and follow the NPP.
  • How to file complaints with your organization and with HHS, plus contact details for your Privacy Official.
  • The NPP’s effective date and how revisions will be communicated.

Format and updates

Write the NPP in plain language and offer translations as appropriate. When you materially revise it, post the new version and provide it to new patients thereafter; retain prior versions in your HIPAA Compliance Documentation.

Patient Access to Information

Patients have the right to inspect and obtain a copy of PHI in the Designated Record Set—typically medical and billing records and other records used to make decisions about them. You must provide access in the requested form and format if readily producible (for example, via secure portal or electronic copy); otherwise, agree on a readable alternative.

Timelines, third-party direction, and fees

  • Respond within 30 calendar days; one 30-day extension is allowed with written notice stating the reason and new deadline.
  • Honor a patient’s written direction to send PHI to a third party, consistent with identity verification.
  • Charge only a reasonable, cost-based fee for copying (labor, supplies, postage). Do not charge for retrieval, verification, or maintaining systems.

Provide summaries or explanatory notes only if the patient agrees. If you deny access (for example, to psychotherapy notes), give a written denial and describe review and appeal rights where applicable.

Amendment of Health Information

Patients may request amendments to PHI in the Designated Record Set to correct inaccuracies or add information. You must act within 60 days (with one additional 30-day extension if needed, explained in writing).

Approvals, denials, and downstream notice

  • If you accept an amendment, add or link the amendment clearly and notify relevant internal systems, Business Associates, and others who should know.
  • If you deny the request (for example, you did not create the information, it is not part of the Designated Record Set, or it is accurate and complete), send a written denial with the basis, how to submit a statement of disagreement, and how you will handle future disclosures.
  • Maintain the request, your response, and any statements of disagreement as part of your HIPAA Compliance Documentation.

Confidential Communications

Patients can request to receive communications by alternative means or at alternative locations—for instance, at a work address, by secure portal, or via a different phone number. You must accommodate reasonable requests and may not require the patient to explain the basis for the request.

Document how you will handle appointment reminders, billing statements, and test results to respect such requests. Train staff to verify and use the designated methods consistently.

Accounting of Disclosures

Upon request, you must provide an accounting of disclosures of PHI for the prior six years, excluding disclosures for treatment, payment, and health care operations; those made with patient authorization; and other excluded categories (such as to the individual). Track disclosures that require accounting, including those by Business Associates under your Business Associate Agreements.

What the accounting must show and by when

  • Provide the accounting within 60 days (one 30-day extension permitted with written notice).
  • For each disclosure: date, recipient, a brief description of the PHI disclosed, and the purpose—or a copy of the written request when applicable.
  • The first accounting in any 12‑month period is free; subsequent requests may incur a reasonable, cost-based fee with advance notice.

Breach Notification

Under the Breach Notification Rule, you must assess any impermissible use or disclosure of unsecured PHI to determine if it is a breach. Conduct a risk assessment considering the type of PHI, the unauthorized recipient, whether the PHI was actually acquired or viewed, and the extent of mitigation.

Who you must notify and what to include

  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Use first‑class mail (or email if agreed to by the individual).
  • If the incident involves 500 or more residents of a state or jurisdiction, also notify prominent media outlets; notify HHS within the same timeframe. For fewer than 500 individuals, log and report to HHS annually.
  • Include what happened (including dates), the types of PHI involved, steps individuals should take, what you are doing to mitigate harm and prevent recurrence, and how to contact your organization.
  • Business Associates must notify you without unreasonable delay and provide the information you need to complete individual notifications.

Retain your risk assessment, notices, and decisions as part of HIPAA Compliance Documentation.

Safeguarding PHI

You must implement administrative, physical, and technical safeguards to protect PHI and limit disclosures to the minimum necessary. Assign a Privacy Official to oversee policies and procedures and coordinate with your security lead to align privacy and security controls.

Administrative Safeguards and supporting controls

  • Perform and document risk analysis and risk management; define role‑based access; train your workforce and apply sanctions for violations.
  • Implement contingency planning, incident response, and routine auditing of access and disclosures.
  • Execute and manage Business Associate Agreements that define permitted uses/disclosures, safeguard requirements, and breach reporting duties.
  • Maintain HIPAA Compliance Documentation: policies, NPP versions, training logs, risk analyses, BAAs, incident logs, and accounting records.

Key takeaways

Meeting Covered Entity Responsibilities Under HIPAA means giving patients clear notices, timely access and amendments, confidential communication options, disclosure accountings when requested, prompt breach notifications, and robust safeguards for PHI. Strong Administrative Safeguards and thorough documentation make these obligations consistent, auditable, and patient‑centered.

FAQs

What information must be included in the Notice of Privacy Practices?

The NPP must explain permitted uses and disclosures of PHI, describe patient rights and how to exercise them, state your legal duties (including breach notification and safeguarding), provide instructions for filing complaints, list contact information for your Privacy Official, and display an effective date. It must be written in plain language and kept available to patients.

How can patients request amendments to their health records?

Patients submit a written request identifying what PHI in the Designated Record Set should be amended and why. You must act within 60 days (with one 30‑day extension if needed). If approved, update or link the record and notify relevant parties; if denied, issue a written denial explaining the basis and the right to submit a statement of disagreement.

What are a covered entity’s obligations upon discovering a PHI breach?

Assess the incident under the Breach Notification Rule, document your risk assessment, mitigate harm, and notify affected individuals without unreasonable delay and no later than 60 days. For large breaches (500+ individuals in a state/jurisdiction), also notify media and HHS promptly; for smaller breaches, report to HHS annually. Coordinate with any Business Associates involved and retain all notices and decisions in your HIPAA Compliance Documentation.

What rights do patients have regarding the accounting of disclosures?

Patients may request an accounting of certain disclosures made in the prior six years, excluding those for treatment, payment, and health care operations and other exempt categories. You must provide it within 60 days (with one 30‑day extension if needed), include required details for each disclosure, and offer one free accounting every 12 months; reasonable, cost‑based fees may apply to additional requests.
