Patient Rights Under HIPAA: What You Can Access, Correct, Restrict, and Report


Kevin Henry

HIPAA

May 18, 2026

8 minutes read

Knowing your patient rights under HIPAA empowers you to see, correct, and control how your protected health information (PHI) is used and shared. The rules apply to covered entities—health care providers, health plans, and clearinghouses—and, through contracts, many of their business associates.

Right to Access Health Information

You have the right to inspect and obtain a copy of your PHI in a designated record set. That typically includes medical and billing records, clinical notes, imaging and lab reports, care plans, and other records a provider or health plan uses to make decisions about you.

What you can access

  • Paper and electronic records, including an electronic copy of your electronic health record (EHR) if maintained electronically.
  • Billing statements, claims records, and care coordination notes held by covered entities.
  • A copy sent directly to a third party you designate (for example, another provider or a caregiver), provided the request is in writing, signed by you, and clearly identifies the recipient and where to send the copy.

Common exclusions

  • Psychotherapy notes kept separately by a mental health professional.
  • Information compiled for, or in reasonable anticipation of, a legal proceeding.
  • Certain limited records restricted by other laws. These do not affect your access to most treatment and billing information.

How to request access

  • Submit a written request to the provider’s or health plan’s privacy office. You do not need to explain why you want the records.
  • Specify form and format (for example, PDF by secure portal, mailed paper copy, or encrypted email). If your requested format is readily producible, it must be honored; otherwise, you and the entity should agree on an alternative readable format.
  • You may ask that copies be sent directly to a designated person or address you identify in writing.

Timing, fees, and delivery

  • Response time: generally within 30 days, with a one-time 30‑day extension if you are notified in writing of the delay and reason.
  • Fees: only a reasonable, cost‑based fee covering the labor of copying, supplies, postage, and, if you agreed to receive one, preparation of a summary or explanation. Fees cannot include the cost of searching for or retrieving records, or of reviewing your request.
  • Security: if you ask for unencrypted email after being advised of the risk, your provider may send it that way and is not responsible for unauthorized access to the message in transit. It remains responsible for reasonable safeguards on its end, such as sending to the address you actually specified.

Right to Request Amendments

If you believe your PHI is inaccurate or incomplete, you can make amendment requests to have it corrected or clarified. An amendment changes or adds to the record; it rarely means deleting original entries.

How to submit amendment requests

  • Write to the privacy officer, identify the specific entries to change, state why, and attach supporting documentation (for example, lab results or discharge summaries).
  • The covered entity must act within 60 days, with a one‑time 30‑day extension allowed if you receive a written explanation.

If your request is approved

  • The entity amends the record and makes reasonable efforts to notify others who have the information and may rely on it (such as another provider or your health plan).
  • You receive confirmation of the changes.

If your request is denied

  • Permitted reasons include: the record was not created by the entity (and the creator is available), is not part of the designated record set, is not available for inspection (for example, psychotherapy notes), or is accurate and complete.
  • You may submit a written statement of disagreement. The entity may respond with a rebuttal, but must include your statement (or a summary) with future disclosures of the disputed information.

Right to Request Restrictions

You may ask a covered entity to restrict certain uses and disclosures of your PHI—for example, limiting sharing for payment or health care operations, or restricting access by specific individuals involved in your care.


When a restriction must be honored

  • If you pay a provider out of pocket in full for a specific item or service and request that related information not be disclosed to your health plan for payment or operations, the provider must agree unless disclosure is required by law.

When a restriction may be declined

  • Covered entities do not have to agree to other requested restrictions. If they do agree, they must document and follow them, except in emergencies.
  • Entities may use restricted PHI for emergency treatment and should request that other providers honor the restriction afterward.

How to request and manage restrictions

  • Submit a clear written request describing the specific PHI, the type of use or disclosure to restrict, and to whom the restriction applies.
  • Keep a copy for your records, and confirm in writing any accepted restriction. You may revoke a restriction in writing.

Right to Request Confidential Communications

You can ask to receive communications about your care or billing by alternative means or at alternate locations to protect your privacy and safety. These are called confidential communications.

Examples of confidential communications

  • Directing bills or appointment reminders to a different mailing address or secure email.
  • Asking that voicemail messages avoid clinical details or be left at a specific number only.
  • Requesting portal-only messaging or encrypted email for sensitive topics.

Obligations of covered entities

  • Health care providers must accommodate reasonable requests without requiring you to explain why.
  • Health plans must accommodate reasonable requests if you state that disclosure could endanger you. They may ask how you will handle premium payments or to specify an alternate address.

Tips for effective requests

  • Put your request in writing and be specific about the method, address, or number to use.
  • Update your instructions promptly if your contact details change, and keep confirmation of acceptance.

Right to an Accounting of Disclosures

You may obtain an accounting of disclosures—a record of certain non‑routine ways your PHI was shared by a covered entity. This promotes transparency beyond day‑to‑day treatment, payment, and health care operations.

What is included

  • Disclosures required by law or for public health reporting, health oversight, judicial or administrative proceedings, and certain research under a waiver.
  • Disclosures to law enforcement or medical examiners where permitted, and to the Department of Health and Human Services for compliance investigations.

What is excluded

  • Most disclosures for treatment, payment, and health care operations.
  • Disclosures to you, those made under your valid authorization, disclosures to persons involved in your care or for facility directories, certain incidental disclosures, and disclosures of a limited data set.

Scope, content, and timing

  • Timeframe: up to six years prior to your request date.
  • Each entry should include the date, recipient, a brief description of PHI disclosed, and the purpose (or a copy of the request).
  • Response time: generally within 60 days, with one 30‑day written extension allowed. You are entitled to one free accounting in any 12‑month period; reasonable fees may apply to additional requests.

Right to File Complaints

If you believe your HIPAA rights were violated—such as an improper denial of access, unreasonable fees, or impermissible disclosure—you can file complaints.

Where to complain

  • Internally: contact the provider’s or health plan’s privacy officer and describe what happened, when, and how you were affected.
  • Externally: file with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Complaints generally must be filed within 180 days of when you knew of the issue; OCR may extend for good cause.

What to include

  • Names of the covered entity and people involved, dates, a clear description of the incident, copies of correspondence, and what resolution you seek.

Protections and outcomes

  • HIPAA prohibits retaliation for filing a complaint or exercising your rights.
  • OCR may investigate, require corrective action, and, in some cases, impose civil penalties.

Key takeaways: You can access and get copies of your PHI, submit amendment requests when records are wrong or incomplete, ask for restrictions and confidential communications to protect your privacy, review an accounting of disclosures, and report concerns to the Office for Civil Rights. Using these rights promptly and in writing helps you safeguard your health information and ensure it is accurate and appropriately shared.

FAQs

What health information can patients access under HIPAA?

You can access PHI in your designated record set, including medical and billing records and an electronic copy of your EHR if kept electronically. You may request specific formats and direct copies to a third party. Common exclusions include psychotherapy notes and information prepared for legal proceedings.

How can patients request corrections to their medical records?

Send a written amendment request to the privacy officer identifying the entries to change, why they are inaccurate or incomplete, and any supporting documents. The entity must act within 60 days (with one 30‑day extension). If approved, it will amend the record and notify relevant parties; if denied, you can add a statement of disagreement that travels with future disclosures.

Can covered entities deny requests for restrictions on disclosures?

Yes. Covered entities may decline most restriction requests, but a provider must honor your request not to share PHI with your health plan when you pay out of pocket in full for a specific item or service, unless disclosure is required by law. Any accepted restriction must be documented and followed, except in emergencies.

How do patients file complaints about HIPAA violations?

First, consider complaining to the provider’s or plan’s privacy office. You can also file with the U.S. Department of Health and Human Services, Office for Civil Rights, generally within 180 days of learning about the issue. Include who was involved, what happened, when, and supporting evidence. HIPAA bars retaliation for making a good‑faith complaint.
