Under HIPAA, an Individual Has the Right to Request Access, Amendments, Restrictions, and an Accounting of Disclosures



Kevin Henry

HIPAA

June 25, 2025


You have clear, enforceable rights over your Protected Health Information (PHI). This guide explains how to request access, ask for health information amendments, seek restrictions on disclosure, obtain an accounting of disclosures, and use your Notice of Privacy Practices to exercise these rights with confidence and efficiency.

Request Access to Health Records

What you can access

  • PHI in the “designated record set,” such as medical and billing records, enrollment and case management files, and other records used to make decisions about you.
  • Access does not include psychotherapy notes or information compiled for legal proceedings.

How to submit your request

  • Use the instructions in the provider’s or health plan’s Notice of Privacy Practices to contact the privacy office.
  • State that you are requesting access to your PHI and specify the dates, providers, and types of records to streamline fulfillment.
  • Indicate the format you prefer (paper or electronic) and where to send it—at your direction, a copy may be sent to a third party.
  • Be prepared to verify your identity and sign any required form for Privacy Rule Compliance.

Format, timing, and fees

  • Records must be provided in the requested form and format if readily producible; otherwise, you and the entity should agree on an alternative.
  • Access must be provided promptly, generally within 30 days, with one 30‑day extension if you receive a written explanation.
  • Any charge must be a reasonable, cost‑based fee limited to labor for copying, supplies, and postage (for mailed copies).

If access is denied

  • You must receive a written denial explaining the basis, your right to have certain denials reviewed, and how to file a complaint.

Request Amendments to Health Information

When to request a change

Use Health Information Amendments when information about you is inaccurate or incomplete in the designated record set. An amendment corrects the record used to make decisions about you; it does not erase the original entry.

How to request an amendment

  • Write to the privacy office (see the Notice of Privacy Practices) identifying the record and the precise change you seek, with a brief reason.
  • The entity must act within 60 days (one 30‑day extension allowed with written notice).

If your request is accepted

  • The entity adds or links your amendment to the record and, upon request, informs others who received or rely on the information.

If your request is denied

  • You will receive a written denial stating the reason (for example, the record is accurate or was not created by the entity).
  • You may submit a statement of disagreement, and the entity may provide a rebuttal; both become part of the record moving forward.

Request Restrictions on Disclosure

What you can ask to restrict

  • You may request restrictions on uses or disclosures for treatment, payment, and health care operations.
  • Covered entities are not required to agree, except they must honor a restriction not to disclose to a health plan if you pay in full out‑of‑pocket for a specific item or service, unless disclosure is required by law.

How to request and manage restrictions

  • Submit your request in writing, describing the PHI, the recipients, the purpose, and the time period.
  • If a restriction is accepted, the entity must abide by it except in emergencies or where disclosure is legally required.
  • You can revoke a restriction prospectively; similarly, revoking an Individual Authorization stops future authorized disclosures.

Request Accounting of Disclosures

What an accounting includes

  • A written list of certain PHI disclosures made without your authorization and not for treatment, payment, or health care operations.
  • Each entry generally shows the date, recipient, a brief description of the PHI disclosed, and the purpose (or a copy of the request requiring disclosure).

Time frame, delivery, and fees

  • You may request an accounting covering up to six years prior to your request date.
  • The entity must provide it within 60 days (one 30‑day extension allowed with written notice).
  • You are entitled to one accounting free in any 12‑month period; reasonable, cost‑based fees may apply for additional requests.

Disclosure Accounting Requirements for entities

  • Maintain logs or systems sufficient to produce complete, accurate accountings for the required period.

Understand HIPAA Privacy Rights

HIPAA’s Privacy Rule gives you control and visibility over your PHI. Beyond access, amendments, restrictions, and accounting, you have rights to receive a Notice of Privacy Practices, request confidential communications, authorize or revoke certain uses and disclosures, and file a complaint without retaliation. Together, these rights support Health Information Portability and informed decision‑making.


Exercise Rights under HIPAA

Practical steps

  • Locate the privacy contact in the Notice of Privacy Practices for your provider or plan.
  • Choose the right pathway: access, amendment, restriction, or accounting—state exactly what you want and why.
  • Specify preferred format and destination (mail, portal, encrypted email, or at your direction to a third party).
  • Keep dated copies of your requests and any responses to track deadlines and outcomes.
  • If needed, escalate through the entity’s complaint process or file a complaint with the appropriate regulator.

Tips for faster results

  • Narrow the scope by date range, provider, and document type.
  • Confirm identity requirements in advance to avoid delays.
  • Ask for electronic copies when available to reduce time and fees.

Comply with HIPAA Requests

Guidance for covered entities and business associates

  • Establish clear intake channels (mail, portal, secure email, in‑person) and verify identity consistently.
  • Track statutory timelines: access (30 days, plus one 30‑day extension), amendments (60 days, plus one 30‑day extension), and accountings (60 days, plus one 30‑day extension).
  • Adopt a written fee schedule limited to reasonable, cost‑based charges; prohibit retrieval or administrative surcharge fees.
  • Document decisions, denials, and rationales; maintain Disclosure Accounting Requirements logs for the full retention period.
  • Train staff on Privacy Rule Compliance, including when Individual Authorization is required and how to honor self‑pay restrictions.
  • Remember: the minimum necessary standard does not apply to disclosures to the individual exercising the access right.
  • Coordinate securely with business associates and ensure agreements cover fulfillment workflows for requests involving ePHI.

Conclusion

Under HIPAA, an Individual Has the Right to Request Access, Amendments, Restrictions, and an Accounting of Disclosures. By using the Notice of Privacy Practices, specifying scope and format, and tracking timelines, you can exercise these rights effectively—and covered entities can meet obligations efficiently while safeguarding Health Information Portability and privacy.

FAQs

What rights does an individual have to access their health records under HIPAA?

You may inspect or receive copies of PHI in the designated record set, in paper or electronic form if readily producible, direct a copy to a third party at your written request, and expect a timely response (generally within 30 days). Reasonable, cost‑based fees may apply, and denials must be explained in writing with review rights where applicable.

How can an individual request amendments to their health information?

Send a written request to the privacy office identifying the record, the amendment you seek, and your reason. The entity must act within 60 days (with a possible 30‑day extension). If accepted, the change is linked to the record and relevant recipients can be notified; if denied, you may submit a statement of disagreement that becomes part of your record.

What are the restrictions an individual can request on disclosures?

You can ask a provider or health plan to restrict uses or disclosures for treatment, payment, and operations. While entities generally are not required to agree, they must agree not to disclose to a health plan about an item or service you paid for in full out‑of‑pocket, unless disclosure is required by law or for treatment.

How is an accounting of disclosures provided under HIPAA?

Upon written request, the entity provides a list of certain disclosures made without your authorization and not for treatment, payment, or operations, covering up to the prior six years. The accounting includes the date, recipient, a description of the PHI disclosed, and the purpose, and is due within 60 days (with one permissible 30‑day extension).
