HIPAA Privacy Notice (Notice of Privacy Practices): Your Rights and How We Protect Your Health Information
Overview of HIPAA Privacy Rule
The HIPAA Privacy Rule sets national standards for health information privacy. It governs how covered entities—health care providers, health plans, and clearinghouses—and their business associates use and disclose Protected Health Information (PHI) in any form.
PHI includes any information that identifies you and relates to your health, care, or payment. The Rule balances your privacy with permitted information flows for treatment, payment, and health care operations, applying a “minimum necessary” principle for most non-treatment uses.
HIPAA works alongside the Security Rule for electronic PHI and standards for Electronic Health Transactions. Together, these rules promote HIPAA compliance while supporting care coordination and efficient claims, eligibility, and remittance processes.
Requirements for Notice of Privacy Practices
The Notice of Privacy Practices (NPP) explains how an organization may use and disclose your PHI and outlines your rights. You must receive it at your first service or enrollment, and it must be easy to read, prominently posted at service locations, and available on the organization’s website if one exists.
An NPP must include: a clear header, examples of permitted uses and disclosures, a listing of your rights, the entity’s legal duties, how to exercise your rights, how to file a complaint, an effective date, and contact information. It must describe uses that require your written authorization, such as most marketing, sale of PHI, and psychotherapy notes.
Organizations must update the NPP when practices or laws materially change and follow the notice then in effect. They should make a good-faith effort to obtain your acknowledgment of receipt and maintain required documentation for record retention periods.
Individual Rights Under HIPAA
You have strong Patient Rights under HIPAA to understand and control your PHI. Exercising these rights supports your health information privacy and helps you correct or limit what others see.
- Right of access: You can inspect or get copies of your records, including electronic copies when readily producible, generally within 30 days (with one written 30-day extension if needed). Reasonable, cost-based fees may apply.
- Right to request amendments: You may ask to correct or add to your records if you believe something is inaccurate or incomplete. If denied, you can submit a written statement of disagreement.
- Right to an accounting of disclosures: You can request a list of certain disclosures made without your authorization, typically for the prior six years, excluding routine treatment, payment, and operations.
- Right to request restrictions: You may ask to limit certain uses or disclosures. Providers must honor a restriction not to disclose to a health plan for payment or operations when you pay out-of-pocket in full for the service.
- Right to confidential communications: You can request contact by alternative means or at alternative locations to protect your privacy.
- Right to receive a paper copy of the NPP: You can request a paper copy at any time, even if you agreed to receive it electronically.
- Preferences and opt-outs: You can opt out of fundraising communications and, in applicable settings, control inclusion in a facility directory or disclosure to family and friends.
Use and Disclosure of Protected Health Information
Covered entities may use or disclose PHI without your written authorization for core activities known as treatment, payment, and health care operations. For most other purposes, they need your permission or must meet specific legal conditions.
Disclosures that generally do not require authorization
- Public health activities, such as reporting certain diseases, adverse events, or product safety issues.
- Health oversight activities, including audits, inspections, and licensure actions.
- Judicial and administrative proceedings in response to a court order or valid legal process.
- Law enforcement purposes, such as locating a suspect or reporting certain injuries, when legal standards are met.
- To coroners, medical examiners, funeral directors, and for organ, eye, or tissue donation.
- Research under an Institutional Review Board waiver or limited data set with a data use agreement.
- To avert a serious threat to health or safety, or for specialized government functions (e.g., military, national security).
- Workers’ compensation and similar programs as authorized by law.
Disclosures that require your authorization
- Most marketing communications, sale of PHI, and psychotherapy notes (with limited exceptions).
- Other uses not described in the NPP or not otherwise permitted by law. You may revoke an authorization in writing at any time.
The minimum necessary rule applies to most non-treatment uses and disclosures. De-identified data is not PHI, and a limited data set may be used under a data use agreement to support HIPAA compliance while reducing privacy risks.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Obligations of Health Care Providers and Plans
Organizations must implement administrative, physical, and technical safeguards to protect PHI, train their workforce, and enforce sanctions for violations. They must designate a privacy official and a contact person to handle questions and complaints.
Policies and procedures must cover access management, minimum necessary standards, retention, incident response, and mitigation of harmful effects. Business Associate Agreements are required when vendors create, receive, maintain, or transmit PHI on the entity’s behalf.
For electronic PHI, entities must follow the Security Rule—risk analysis, risk management, encryption where appropriate, audit controls, and secure transmission. They must also adhere to standards for Electronic Health Transactions to support accurate claims and eligibility exchanges while safeguarding privacy.
Handling Privacy Breaches
The Breach Notification Rule requires action when unsecured PHI is acquired, accessed, used, or disclosed in a way that compromises privacy or security. Organizations must conduct a risk assessment considering the nature of the data, who received it, whether it was actually viewed, and mitigation steps taken.
- Individual notice: Provide written notice without unreasonable delay and no later than 60 calendar days after discovery, describing what happened, the information involved, steps you should take, actions taken to mitigate harm, and contact information.
- Regulatory notice: Report breaches to the U.S. Department of Health and Human Services as required; if 500 or more individuals in a state or jurisdiction are affected, notify prominent media as well.
- Business associate duties: Business associates must notify the covered entity of breaches they discover, including details needed for individual notices.
- Documentation and prevention: Keep investigation records, apply sanctions as appropriate, and strengthen safeguards. Encrypted PHI that meets recognized standards is generally not considered “unsecured.”
Filing Complaints and Enforcement
If you believe your health information privacy rights were violated, you can file a complaint with the provider or plan’s privacy officer or with the U.S. Department of Health and Human Services Office for Civil Rights. Complaints are typically due within 180 days of when you knew of the issue, with allowance for good cause extensions.
Covered entities may not retaliate against you for filing a complaint or exercising your rights. Enforcement can include investigations, voluntary corrective actions, resolution agreements with monitoring, civil monetary penalties, and, in egregious cases, criminal referrals.
Conclusion
Your HIPAA Privacy Notice explains how your PHI is protected, how it may be used or shared, and how you can exercise your rights. Understanding the NPP, your options, and the organization’s obligations helps you make informed choices and strengthens overall health information privacy.
FAQs
What information is covered by a HIPAA Privacy Notice?
The NPP covers Protected Health Information—data that identifies you and relates to your health, care received, or payment for care. It applies to PHI in any form (paper, electronic, or oral) held by covered entities and their business associates.
How can I request a correction to my health records?
Submit a written request to the provider or plan explaining what you believe is inaccurate or incomplete and why. The organization must respond, usually within 60 days, and if it denies the request, you can add a written statement of disagreement to your record.
What are the obligations of providers under HIPAA?
Providers must safeguard PHI, issue and follow a Notice of Privacy Practices, train staff, implement policies, sign Business Associate Agreements when needed, and respond to privacy incidents. They must also meet Security Rule requirements for electronic PHI and follow the Breach Notification Rule.
How do I file a complaint about a HIPAA privacy violation?
You may file with the provider or plan’s privacy officer or with the U.S. Department of Health and Human Services Office for Civil Rights. Include what happened, when, and who was involved. File within 180 days of learning of the issue unless you have good cause for delay.