HIPAA Provides for All the Following Patient Rights—Except This One
HIPAA gives you clear, enforceable rights over your health information. In this guide, you’ll see exactly what those rights are, how to use them, and the important limits that apply. You’ll also learn the one thing HIPAA does not grant—a general right to have your medical record deleted—so you can set accurate expectations and advocate effectively.
Access to Medical and Billing Records
You have the right to inspect or get copies of your medical and billing records held by a covered entity (such as your doctor, hospital, or health plan). This “designated record set” includes information used to make decisions about you, like clinical notes, lab reports, medication lists, care plans, and claim files.
Covered entities must respond to your request within 30 days, and may take one 30-day extension if they give you a written reason for the delay. You may request paper or electronic copies; if the records are readily producible in the form and format you ask for, the entity must provide them that way. Any fee must be reasonable and cost-based, covering only the labor and supplies for copying, postage, and, if you agree to one, preparation of a summary.
Important limits apply to access. The Psychotherapy Notes Exclusion means a provider does not have to release a therapist’s separate psychotherapy notes kept for personal use. Information compiled for anticipated or ongoing litigation—Legal Proceedings Information—is also excluded. Some data is outside HIPAA entirely, including employment records maintained by a covered entity in its role as employer (Employment Records Exception) and FERPA Education Records held by schools. De-identified Data, which has been stripped of identifiers so it can’t reasonably identify you, is not subject to access rights because it is no longer PHI.
You may direct a copy of your records to a third party you designate. When you submit the request, be specific about the destination, the format, and the date range to avoid delays.
Request Amendments to Health Information
If something in your record is incomplete or inaccurate, you can ask the provider or health plan to amend it. They must respond within 60 days, with one 30-day extension allowed if they give you a written reason. If they agree, the amendment becomes part of your designated record set, and the entity must make reasonable efforts to inform the people you identify, and anyone it knows has the information and may rely on it, of the change.
Amendment is not deletion. HIPAA does not require a provider to erase or rewrite a clinician’s professional judgment. If an amendment is denied, you may submit a statement of disagreement, and the entity must add it to your record so your perspective travels with the information.
Receive Notice of Privacy Practices
Covered entities must provide a Notice of Privacy Practices (NPP) at your first service encounter or enrollment and make it available thereafter. The NPP explains how your information may be used and disclosed, the rights you have under HIPAA, how to exercise them, and whom to contact with questions or complaints.
Read the NPP closely. It outlines common disclosures—such as for treatment, payment, and health care operations—and when your written authorization is required. It also summarizes the circumstances in which PHI may be disclosed without your authorization, such as public health reporting, health oversight activities, and the law enforcement disclosures HIPAA permits.
Request Restrictions on Disclosures
You can ask a provider or health plan to restrict certain uses or disclosures of your PHI. While entities are generally not required to agree, there is a key exception: if you pay a provider in full, out of pocket, for a specific service, the provider must honor your request not to disclose that service information to your health plan, unless the disclosure is required by law.
A restriction does not override legal requirements. It does not block disclosures required by law, such as mandatory public health reporting or law enforcement disclosures HIPAA permits, and a provider may still use restricted information to treat you in an emergency. If your information will be sent to business associates, vendors, or across borders, the entity remains responsible for safeguards, but HIPAA does not provide a specific right to veto International Data Sharing; you can still request limits, and the entity should document whether it agrees.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Obtain Accounting of Disclosures
You may request an accounting of certain disclosures of your PHI made in the six years before your request. The accounting lists when PHI was disclosed, to whom, what was shared, and why. Disclosures for treatment, payment, and health care operations are excluded, as are disclosures made directly to you and those you authorized in writing.
Expect a response within 60 days, with one 30-day extension if the entity gives you a written reason. The first accounting in a 12-month period is free; a reasonable, cost-based fee may apply to additional requests in that period, and the entity must tell you the fee in advance so you can withdraw or modify the request. Note that De-identified Data and information outside HIPAA—like FERPA Education Records or the Employment Records Exception—won’t appear because they are not PHI disclosures governed by HIPAA.
File Complaints with Office for Civil Rights
If you believe your HIPAA rights were violated, you can file a complaint with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). Complaints are usually due within 180 days of when you knew about the issue, though OCR may allow more time for good cause. Include dates, what happened, who was involved, and any supporting documents. Covered entities are prohibited from retaliating against you for filing a complaint.
HIPAA enforcement is administrative. While OCR can investigate, require corrective action, and impose penalties, HIPAA itself does not give a private right of action for damages in court. You may have other remedies under state law, but those are separate from HIPAA.
Understand Exceptions to Patient Rights
HIPAA balances individual rights with important societal functions. Knowing the boundaries helps you plan your requests and anticipate when a provider can say no.
The “except this one” right: no general right to deletion
HIPAA gives you access, amendment, restriction requests, an accounting of disclosures, and complaint pathways—but it does not grant a broad, GDPR-style right to be forgotten. You cannot require a provider to delete or expunge primary medical records; in practice, state medical-record retention laws usually require providers to keep them for years, and HIPAA itself requires covered entities to retain their compliance documentation for six years. Instead, you use the amendment process to add clarifications, and your statement of disagreement must be included with, or linked to, the record if an amendment is denied.
Common content exclusions and carve-outs
- Psychotherapy Notes Exclusion: Separate psychotherapy notes maintained for a therapist’s personal use are excluded from the access right, and most disclosures of them require a specific, separate authorization.
- Legal Proceedings Information: Materials compiled in anticipation of or for use in litigation are excluded from access and may be protected until proceedings conclude.
- Employment Records Exception: Records a covered entity keeps in its role as employer (e.g., ADA accommodations, FMLA documentation) are not PHI and are outside HIPAA.
- FERPA Education Records: Student education records held by schools and universities are governed by FERPA, not HIPAA; the HIPAA access right does not apply.
- De-identified Data: Information stripped of identifiers so it cannot reasonably identify you is not PHI and is not subject to HIPAA rights or restrictions.
- Law Enforcement Disclosures Compliance: Providers may disclose limited PHI without authorization to comply with certain court orders, warrants, subpoenas, or to report specific injuries or locate a suspect, consistent with HIPAA rules.
- International Data Sharing: HIPAA is a U.S. law. When PHI is shared with overseas business associates or for international services, HIPAA safeguards and contracts still apply to the covered entity, but HIPAA does not provide a specific right to block cross-border transfers; other countries’ laws may also apply.
Practical takeaways
- Ask for what you need in a clear scope and format, and cite your right of access.
- Use amendment to correct facts or add context, not to remove clinician judgment.
- Request restrictions when they matter most—especially for services you pay for in full out of pocket.
- Monitor disclosures with an accounting request if you’re concerned about how PHI is shared.
Conclusion
HIPAA equips you with strong, actionable rights: to access, amend, understand privacy practices, request limits, track certain disclosures, and seek enforcement. The notable gap is the absence of a general right to deletion. By using the rights HIPAA does provide—and understanding the exclusions and lawful disclosures—you can protect your privacy while ensuring your information supports safe, coordinated care.
FAQs
What patient rights does HIPAA guarantee?
HIPAA guarantees the right to access your medical and billing records, request amendments, receive a Notice of Privacy Practices, ask for restrictions on certain uses and disclosures (with a mandatory restriction when you pay in full out of pocket), obtain an accounting of certain disclosures, and file complaints with the Office for Civil Rights without retaliation.
Which health information is excluded from HIPAA access rights?
Psychotherapy notes kept separately for a therapist’s personal use and information compiled for litigation are excluded. Also outside HIPAA are employment records a covered entity maintains as an employer, FERPA education records held by schools, and De-identified Data. These exclusions mean you cannot use HIPAA to access those materials.
How can patients file complaints regarding HIPAA violations?
Submit a complaint to the Office for Civil Rights within 180 days of learning of the issue (OCR may extend this for good cause). Provide details about what happened, when, who was involved, and any supporting documentation. You can also notify the provider’s or health plan’s privacy officer. Retaliation for filing a complaint is prohibited.
What are common exceptions to HIPAA patient rights?
Common exceptions include disclosures required by law or permitted for public health, health oversight, and law enforcement purposes; the Psychotherapy Notes Exclusion; Legal Proceedings Information; the Employment Records Exception; FERPA Education Records; and the treatment of De-identified Data as outside HIPAA. HIPAA also lacks a general right to deletion, so records are not erased on request. International Data Sharing remains subject to HIPAA safeguards, but no specific HIPAA right lets you block it.