Patient Rights Are the Heart of the HIPAA Privacy Rule: Explained

Kevin Henry

HIPAA

February 03, 2025

7 minute read

Right to Access PHI

You have the right to inspect and obtain copies of your Protected Health Information (PHI) maintained by providers and health plans. Access covers the “designated record set,” including medical and billing records, test results, and case management files used to make decisions about you.

You may choose paper or electronic format. If the information is readily producible in the form and format you request (for example, a PDF or another viewable electronic copy), the entity must provide it that way; otherwise it must offer a readable hard copy or another format you agree to. You can also direct the entity to send the copy to a third party, provided the request is in writing, signed, and clearly identifies the recipient and where to send it.

How to exercise this right

  • Submit a simple written request (portal, email, or form) identifying the records, dates, and preferred format.
  • If sending to someone else, include the recipient’s name and address and sign the directive.
  • Verify identity as requested; providers may not create unreasonable barriers.

Timelines and fees

  • Response due within 30 days; one 30‑day extension requires a written reason and new deadline.
  • Only reasonable, cost‑based fees are allowed (copying labor, supplies, postage). No “retrieval” or “membership” fees.
  • If you request a summary or explanation, any fee for that must be agreed in advance.

If access is denied

Denials are limited to specific grounds. Some grounds are reviewable: for example, when a licensed health care professional has determined that access is reasonably likely to endanger your life or physical safety, you can have the denial reviewed by a different licensed professional designated by the entity. In every case you must receive a written denial that states the reason, explains how to request review where one is available, and tells you how to complain to the entity and to HHS.

Right to Amend PHI

If your record is inaccurate or incomplete, you may submit Amendment Requests to correct it. Amendments add an explanatory addendum; they do not erase original entries, preserving a clear audit trail.

How to request an amendment

  • Send a written request identifying the specific entries, proposed corrections, and why they are needed.
  • Provide any supporting documents (e.g., lab reports) and list others who should be notified of accepted changes.

Decisions, timelines, and denials

  • Decision due within 60 days; one 30‑day extension requires a written explanation.
  • If accepted, the entity must append the amendment and inform you and, when appropriate, prior recipients.
  • If denied (e.g., the record is accurate, not part of the designated record set, or not created by the entity), you may submit a statement of disagreement that travels with the record. The entity may add a written rebuttal.

Right to Receive Notice of Privacy Practices

Covered entities must give you a Notice of Privacy Practices (NPP) explaining how your PHI may be used or disclosed, your rights, and how to exercise them. You receive the NPP at first service and can request a paper copy at any time.

The NPP identifies contact information for the privacy officer, how to make Restriction Requests or Amendment Requests, how to opt for Confidential Communications, and how to submit Privacy Complaints. Significant changes to practices trigger an updated notice.

Right to Request Restrictions on PHI Use

You may ask a provider or plan to limit PHI uses or disclosures for treatment, payment, or healthcare operations, or to limit disclosures to family or others involved in your care. Restriction Requests should be specific and time‑bound where possible.

What entities must do

  • They are not required to agree, but if they do, they must honor the restriction except in emergencies or when law requires disclosure.
  • Special rule: If you pay in full out‑of‑pocket for an item or service and request it, the provider must restrict disclosure of that PHI to your health plan, unless another law requires disclosure.

How to make an effective request

  • Submit in writing, naming the information, purpose, recipients to be restricted, and duration.
  • Ask for written confirmation of any approved restriction and keep a copy for your records.

Right to Request Confidential Communications

You can request that providers or health plans communicate with you by alternative means or at alternative locations—such as a different mailing address, secure email, portal message, or phone number—to protect your privacy.

Standards and practical tips

  • Providers must accommodate reasonable requests; health plans must do so when you state that disclosure could endanger you.
  • Include the alternative address or method and how you will handle payment issues, if relevant. Entities may require written requests and may condition accommodation on payment arrangements.
  • Once approved, the entity should use the specified channel for future communications.

Right to Receive an Accounting of Disclosures

You may obtain an Accounting of Disclosures, a record of certain disclosures of your PHI made by a covered entity during the six years prior to your request. Routine disclosures for treatment, payment, and healthcare operations are generally excluded.

Scope, timing, and costs

  • The first accounting in any 12‑month period is free; reasonable fees may apply to additional requests.
  • Response is due within 60 days; one 30‑day extension requires written notice and reason.
  • The accounting lists date, recipient, a brief description of the PHI disclosed, and the purpose or authority for the disclosure.

Common clarifications

  • Access logs that show who viewed your record are different from a formal accounting, which focuses on disclosures outside the entity or outside routine operations.
  • Certain disclosures are excluded from the accounting by law (e.g., disclosures to you, for the facility directory, for national security or intelligence purposes, or made under your written authorization). A health oversight agency or law enforcement official may also ask the entity to temporarily suspend your accounting of its disclosures.

Right to File a Complaint

If you believe your privacy rights were violated, you can submit Privacy Complaints to the covered entity’s privacy officer and/or to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Retaliation for filing a complaint is prohibited.

How to file and what to include

  • Describe what happened, when, where, and who was involved; attach supporting documents.
  • File with OCR within 180 days of when you knew or should have known of the violation; explain good cause if later.
  • Keep copies of all correspondence and notes of phone calls.

Summary and takeaways

Together, access, amendment, notice, restriction, confidential communication, accounting, and complaint rights give you control over your PHI. Use clear written requests, specify scope and format, track deadlines, and escalate when needed. In practice, these rights help you safeguard privacy while ensuring information flows when and where you choose.

FAQs

What rights do patients have under the HIPAA Privacy Rule?

You have seven core rights: to access your PHI; to request amendments to inaccurate or incomplete information; to receive a Notice of Privacy Practices; to request restrictions on uses and disclosures; to request confidential communications; to receive an accounting of disclosures; and to file a complaint without fear of retaliation.

How can patients request corrections to their health records?

Send a written Amendment Request to the provider or plan that maintains the record, identifying what is wrong, the correction you seek, and why. The entity must act within 60 days (with one 30‑day extension). If accepted, it appends the amendment and notifies relevant recipients; if denied, you can add a statement of disagreement.

What is an accounting of disclosures under HIPAA?

It is a report listing certain non‑routine disclosures of your PHI made by a covered entity during the prior six years, excluding most treatment, payment, and operations disclosures. It includes the date, recipient, description of PHI, and purpose or legal authority. The first request in a 12‑month period is free.

How can patients file a complaint about a privacy violation?

Submit a detailed Privacy Complaint to the covered entity’s privacy officer and/or to HHS OCR within 180 days of learning of the issue. Include dates, people involved, a description of what occurred, and any evidence. The entity cannot retaliate against you for raising a good‑faith complaint.
