HIPAA Requirements: What Covered Entities Must Provide Patients, Explained

Kevin Henry

HIPAA

January 05, 2025

Under the HIPAA Privacy Rule, covered entities—health care providers, health plans, and health care clearinghouses—must give you clear information and meaningful control over your Protected Health Information (PHI). This guide explains what you are entitled to receive, how to ask for it, and the timelines and formats you can expect.

Notice of Privacy Practices

What the NPP is

The Notice of Privacy Practices (NPP) is a plain‑language document that explains how your PHI may be used and disclosed, your privacy rights, and the covered entity’s legal duties. You must be able to get a copy on your first visit (or at enrollment for health plans) and on request at any time, and the notice must be posted where services are delivered. If the entity has a website, the NPP should be posted there as well.

What the NPP must include

  • Permitted uses and disclosures of PHI, including examples for treatment, payment, and health care operations.
  • Your rights: access, copies, Accounting of Disclosures, Amendment Request, request for restrictions, and Confidential Communications.
  • The entity’s duties to safeguard PHI, follow HIPAA, and notify you if a breach of unsecured PHI occurs (Breach Notification).
  • How to exercise your rights, file complaints, and contact the privacy official.
  • Whether uses like marketing, fundraising, or sale of PHI require authorization and your right to opt out of fundraising communications.
  • The effective date and a statement that the NPP can change, with instructions on how you can obtain the latest version.

Access to Health Information

Your right to inspect and obtain copies

You have the right to access and obtain a copy of PHI in your “designated record set,” which typically includes medical and billing records and other records used to make decisions about you. This right applies to both paper and electronic records, regardless of where the information is maintained.

Limitations and denials

Certain information is excluded, such as psychotherapy notes and information compiled for legal proceedings. A denial must be in writing and, for some types of denials, you can request a review by another licensed professional not involved in the original decision.

Fees

Entities may charge a reasonable, cost‑based fee for copies that covers labor for copying, supplies, and postage. They cannot charge retrieval fees, and for electronic copies they may not use per‑page pricing.

Requesting Access Procedures

How to make a request

  • Submit a written request (paper, portal, or email if accepted). Be specific about what you want—dates, types of records, and whether you want inspection, copies, or both.
  • Specify the form and format (for example, PDF by secure email, paper, or download via patient portal).
  • If you want your records sent to a third party, include the recipient’s name and address and your signed direction.
  • If requesting unencrypted email, acknowledge you understand the associated risks.

Identity and representation

Covered entities may verify your identity. A personal representative (for example, a parent for a minor, or someone with a valid health care power of attorney) generally has the same access rights you do, unless law or special circumstances limit that access.

Timeliness of Access

The Timely Access Requirement

HIPAA requires covered entities to provide access to PHI no later than 30 calendar days after receiving your request. If they cannot meet the 30‑day deadline, they may take one 30‑day extension, but only if they send you a written notice within the initial 30 days that explains the reason for delay and the date when access will be granted.

Practical expectations

Most requests should be fulfilled more quickly when records are readily available, especially if you ask for electronic copies. If only part of your request is ready, you can ask the entity to provide the completed portion while finishing the rest.

Form and Format of Provided PHI

Form and format you request

You are entitled to receive PHI in the form and format you request if it is readily producible that way (for example, PDF, machine‑readable files, or paper). If not readily producible, you must be offered an alternative, readable format you agree to.

Electronic copies and transmission

  • For electronic health records, you can receive an electronic copy and, if you choose, direct the entity to transmit it to a designated third party.
  • Covered entities should use secure methods. At your request, they may send unencrypted email after warning you of the risks.
  • Summaries or explanations may be provided if you agree and, where applicable, pay any reasonable, agreed‑upon fee for the summary.

Accounting of Disclosures

Your right to an accounting

You may receive an accounting of certain disclosures of your PHI made by a covered entity in the six years prior to your request. This generally excludes disclosures for treatment, payment, and health care operations, disclosures you authorized, and incidental disclosures.

What the accounting includes

  • The date of each disclosure, the recipient (name and address), a brief description of what was disclosed, and the purpose—or a copy of the request that prompted it.
  • For repeated disclosures to the same recipient for the same purpose, a summary entry may be used.

Timing and cost

The entity must act on your request within 60 days (with one 30‑day extension if they provide written notice). You are entitled to one free accounting in any 12‑month period; reasonable, cost‑based fees may apply to additional requests.

Amendment and Restriction Rights

Amendment Request

If you believe your PHI is inaccurate or incomplete, you can request an amendment. The covered entity must act within 60 days (with one 30‑day extension if it sends a written delay notice). If approved, the entity must make the amendment and inform relevant parties who rely on the information.

If an amendment is denied

Denials must be in writing and state the reasons (for example, the record is accurate and complete or was not created by the entity). You can submit a statement of disagreement, and the entity must append it—or a summary—to future disclosures where relevant.

Requesting restrictions

You may ask an entity to restrict certain uses or disclosures of your PHI. Entities are not required to agree, except they must comply with your request to restrict disclosure to a health plan about a specific item or service if you paid for it in full out of pocket and the disclosure is solely for payment or operations for that item or service.

Confidential Communications

You can request to receive communications by alternative means or at an alternative location (for example, a P.O. box or a different phone number). Providers must accommodate reasonable requests; health plans must accommodate requests if you state that disclosure could endanger you.

In short, HIPAA gives you clear, enforceable rights to understand how your PHI is used, to see and get copies of it promptly, to receive it in the format you choose, to track certain disclosures, and to correct or limit sharing when appropriate. Knowing these rules helps you get what you need without delay.

FAQs

What information must be included in the Notice of Privacy Practices?

The NPP must explain permitted PHI uses/disclosures; list your rights (access, copies, amendments, restrictions, confidential communications, and an accounting of disclosures); describe the entity’s privacy duties; identify how to contact the privacy official and file complaints; state that other uses/disclosures require your authorization; note your right to be notified following a breach of unsecured PHI; and show the effective date and how to obtain updated versions.

How long do covered entities have to provide access to PHI?

They must provide access within 30 calendar days of your request. If they cannot meet that deadline, they may take one 30‑day extension by sending you a written notice within the first 30 days that explains the delay and gives a firm date when access will be provided.

Can patients request amendments to their health information?

Yes. Submit a written amendment request identifying what you want changed and why. The entity must act within 60 days (with one 30‑day written extension). If approved, the amendment is added and relevant parties are notified. If denied, you can submit a statement of disagreement that must accompany future relevant disclosures.

What are the requirements for breach notification under HIPAA?

When unsecured PHI is breached, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery. The notice must describe what happened, the types of PHI involved, steps you should take, what the entity is doing to mitigate harm, and contact information. Entities must also notify the Department of Health and Human Services, and for breaches affecting 500 or more residents of a state or jurisdiction, notify prominent media outlets.
