Understanding the HIPAA Privacy Rule: Patient Rights, Permitted Uses, Enforcement
Patient Rights under HIPAA
Right of access to Protected Health Information (PHI)
You have the right to inspect and obtain copies of your medical records and other Protected Health Information held by a provider or health plan. This right supports health information portability by letting you receive PHI in the format you prefer when feasible, including electronic copies or secure transmissions to a third party you designate.
Amendments and corrections
If you believe information is incomplete or inaccurate, you may request an amendment. Covered entities must review the request, act on it within a reasonable time, and either make the change or explain why they decline. Even when a request is denied, your statement of disagreement can be added to the record.
Confidential communications and restrictions
You may request Confidential Communications, such as receiving mail at an alternative address or contact via a different phone number. You can also ask a provider or plan to restrict certain uses or disclosures of PHI, including limiting disclosure to a health plan when you pay in full out of pocket for a service.
Accounting of disclosures
You can obtain an accounting of certain disclosures of your PHI made without your authorization. This record helps you understand when and why information left the organization, reinforcing transparency and Privacy Rule Compliance.
Notice and complaint rights
You are entitled to a Notice of Privacy Practices explaining how your information is used and your options. You may file a complaint with the provider or plan and with federal authorities if you believe your privacy rights were violated, without fear of retaliation.
Permitted Uses and Disclosures
Treatment, payment, and health care operations (TPO)
Covered entities may use and disclose PHI for treatment, payment, and health care operations without obtaining your written authorization. These core activities—coordinating care, obtaining reimbursement, and running the practice—are foundational to the HIPAA Privacy Rule.
Authorization and sensitive information
Uses and disclosures outside the permitted categories generally require your written authorization. Marketing, most sales of PHI, and many uses of psychotherapy notes need explicit permission, reflecting heightened protections for sensitive data.
Public interest and Health Information Disclosure Exceptions
The Privacy Rule allows limited disclosures for public health reporting, health oversight, certain law enforcement needs, judicial proceedings, and to avert serious threats to health or safety. These Health Information Disclosure Exceptions are narrowly tailored and subject to conditions designed to protect privacy.
Minimum Necessary Standard and de-identification
Except for treatment and a few other situations, covered entities must follow the Minimum Necessary Standard—sharing only what is reasonably needed for the purpose. Information that has been properly de-identified is not PHI and may be used or disclosed without restriction; limited data sets require a data use agreement.
Enforcement of the Privacy Rule
Office for Civil Rights Enforcement
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the Privacy Rule: it investigates complaints, conducts compliance reviews, and resolves cases through corrective action or settlement agreements. OCR can also initiate investigations based on reported breaches or patterns of noncompliance.
Civil and criminal consequences
When violations occur, OCR may impose civil monetary penalties scaled to the nature and extent of the issue and the organization’s culpability. In egregious cases involving knowing misuse of PHI, matters may be referred for criminal enforcement, which can include fines and imprisonment.
Driving Privacy Rule Compliance
Regulators expect risk-based programs: policies and procedures, workforce training, role-based access, and ongoing monitoring. Demonstrable Privacy Rule Compliance—supported by documentation and timely remediation—can mitigate exposure and improve outcomes during investigations.
Filing Complaints and Legal Recourse
Where to report and what to include
You can submit a complaint directly to OCR or to the provider’s or plan’s privacy office. Include who was involved, what happened, when it occurred, and any supporting documents. Clear, specific details help investigators assess the incident quickly.
Timelines and outcomes
File as soon as possible after learning of a potential violation; extensions may be available for good cause. Outcomes may include corrective action plans, systemic fixes, and, when warranted, monetary penalties or resolution agreements.
Private lawsuits and state remedies
HIPAA does not create a private right of action for damages. However, you may have remedies under state privacy, consumer protection, or negligence laws, and state attorneys general can pursue actions related to HIPAA violations on behalf of residents.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
HIPAA Privacy Notices
What the Notice of Privacy Practices covers
The notice explains permitted uses and disclosures, your rights, how to exercise them, the entity’s duties, and how to raise concerns. It must be written in clear, accessible language so you can understand how your PHI may be handled.
Delivery and acknowledgment
Providers typically present the notice at the first service encounter and make it available thereafter, including on request. Health plans distribute the notice at enrollment and periodically remind members of its availability and any material updates.
Protection of Health Information
Administrative, technical, and physical safeguards
Organizations protect PHI through policies, training, and access controls; secure transmission and storage; device and facility protections; and incident response plans. Applying the Minimum Necessary Standard and monitoring access reduces risk across daily operations.
Business associates and data sharing
Vendors that handle PHI on behalf of covered entities must sign business associate agreements that define permitted uses, safeguards, and breach duties. De-identification and limited data sets further enable useful sharing while preserving privacy.
Security vs. privacy; health information portability
The Security Rule focuses on electronic safeguards, while the Privacy Rule governs when PHI may be used or disclosed. Together they promote confidentiality and health information portability—allowing data to move where care requires it without sacrificing protections.
Roles of Covered Entities
Who is a covered entity?
Covered entities include health plans, health care clearinghouses, and health care providers that transmit certain transactions electronically. These organizations, along with their business associates, are directly responsible for protecting PHI.
Business associates and agreements
When services such as billing, analytics, or cloud hosting involve PHI, business associates must implement safeguards and support Privacy Rule Compliance. Contracts specify responsibilities, including reporting incidents and cooperating in investigations.
Operational responsibilities
Covered entities designate a privacy official, maintain policies and procedures, train staff, and manage patient requests promptly. They also evaluate new technologies and workflows to ensure compliance while supporting care coordination and health information portability.
Conclusion
The HIPAA Privacy Rule balances the flow of health information with strong patient rights. By honoring permitted uses, applying the Minimum Necessary Standard, and maintaining robust safeguards, covered entities enable trustworthy care and responsible innovation.
FAQs
What are patient rights under the HIPAA Privacy Rule?
You have rights to access and obtain copies of your PHI, request amendments, receive Confidential Communications, seek restrictions on certain uses and disclosures, obtain an accounting of disclosures, and receive a clear Notice of Privacy Practices. You may also file complaints without retaliation.
How does HIPAA regulate permitted uses and disclosures?
HIPAA permits uses and disclosures for treatment, payment, and health care operations, as well as limited public interest purposes, without authorization. Most other uses require written authorization, and the Minimum Necessary Standard applies to most disclosures outside of treatment.
What penalties exist for HIPAA Privacy Rule violations?
Regulators can require corrective actions and impose civil monetary penalties that scale with the severity and intent of the violation. In serious cases, matters may be referred for criminal enforcement. The Office for Civil Rights (OCR) leads investigations and settlements.
How can patients file complaints about privacy breaches?
Submit a detailed complaint to your provider’s or plan’s privacy office and to OCR, including who was involved, what occurred, and when. File promptly, keep copies of all submissions, and be prepared to provide additional information during the review.