Which of These Is Not a Right Under HIPAA? Quick Answer and Examples
Quick answer: HIPAA gives you strong rights over your Protected Health Information (PHI) held by Covered Entities, but it does not guarantee every form of access or control. In particular, you do not have a HIPAA right to (1) access non-medical or non-PHI records, (2) obtain information from non-covered entities, (3) veto all permitted disclosures, (4) access information compiled in anticipation of, or for use in, civil, criminal, or administrative proceedings, or (5) access psychotherapy notes. The sections below explain each with clear examples.
- Not a right: access to non-medical or non-PHI data (for example, an employer’s HR file).
- Not a right: access to data held by non-covered entities (for example, many consumer apps).
- Not a right: absolute control over all disclosures—HIPAA allows certain permitted disclosures without authorization.
- Not a right: access to information compiled in reasonable anticipation of, or for use in, civil, criminal, or administrative proceedings.
- Not a right: access to psychotherapy notes kept separate from the medical record.
Access to Non-Medical Information
HIPAA’s right of access applies to your Protected Health Information (PHI) in a designated record set maintained by Covered Entities (such as most healthcare providers and health plans). It does not extend to non-medical or non-PHI records.
What this means
- Employment records: Files an employer keeps in its role as an employer (e.g., leave paperwork, workplace injury logs, drug-test results stored in HR) are not PHI you can obtain under HIPAA.
- Education records: Student health information maintained by a school subject to FERPA is not accessible via HIPAA.
- De-identified or aggregated data: Information stripped of identifiers is not PHI and isn’t accessible under HIPAA.
- Administrative/operational documents: Business planning, quality improvement, or peer-review notes not used to make decisions about you are outside HIPAA access rights.
Example
If your hospital also employs you and keeps an HR file about your performance, you cannot use HIPAA to demand that HR file. Your HIPAA access right covers your patient chart, not your employment file.
Access to Information Held by Non-Covered Entities
HIPAA regulates Covered Entities and their business associates. Many organizations that hold health-related data are not Covered Entities, so HIPAA rights do not apply to the information they hold.
Common non-covered entities
- Life insurers, disability insurers, and workers’ compensation carriers in their insurance roles.
- Employers acting as employers (outside a group health plan’s designated record set).
- Mobile fitness trackers, diet apps, symptom checkers, and many direct-to-consumer health services that do not provide covered healthcare transactions.
- Personal health websites and platforms that are not processing data on behalf of a Covered Entity.
Example
You cannot invoke HIPAA to access the raw data your step-count app stores about you. That app is most likely not a Covered Entity (and not a business associate acting for one), so HIPAA's access right does not apply. Other privacy laws may still govern that data, but HIPAA is not the lever.
Limitations on Control Over Disclosures
It is not a HIPAA right to block every disclosure of your PHI. HIPAA allows certain permitted disclosures without your authorization. You may request restrictions, but Covered Entities generally do not have to agree, except in narrow cases described below.
Permitted disclosures (no authorization required)
- Treatment, payment, and healthcare operations (for example, sharing PHI to coordinate care or to bill your health plan).
- Public health and health oversight activities (such as reporting certain infectious diseases).
- Disclosures required by law or for specified law-enforcement and judicial purposes.
Authorization requirements
Uses and disclosures outside these permitted purposes typically require your written authorization. Examples include most marketing uses, sale of PHI, and many research uses without an approved waiver.
Narrow patient control
You can request that a provider not disclose PHI about a service to your health plan for payment or operations purposes if you pay the full amount out of pocket for that service; the provider must honor that request unless the disclosure is required by law. Beyond such narrow scenarios, you cannot veto all permitted disclosures.
Example
Your clinic can send your diagnosis codes to your insurer to obtain payment without asking you to sign a HIPAA authorization. That disclosure is permitted; an absolute veto is not a HIPAA right.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Restrictions on Access to Certain Legal Records
HIPAA does not grant a right to access information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. This exception protects materials created for litigation or administrative actions; it does not remove your access to the underlying medical and billing records, which remain part of your designated record set.
Records typically excluded
- Civil and criminal proceedings records prepared by risk management or legal counsel.
- Witness statements, attorney correspondence, and strategy memos related to your case.
- Documents created solely for administrative actions or disciplinary hearings.
Example
If you sue a hospital, you cannot use HIPAA to obtain the hospital’s internal litigation file. Your access right covers your medical and billing records, not the hospital’s legal work product.
Rights Regarding Psychotherapy Notes
Psychotherapy notes have special protections. These are a mental health professional's notes documenting or analyzing the contents of conversation during a counseling session, kept separate from the rest of the medical record. The definition excludes medication prescriptions and monitoring, session start and stop times, treatment modalities and frequencies, clinical test results, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress; those items belong in the regular record. Because of these restrictions, you do not have a HIPAA right to access psychotherapy notes.
What you can and cannot access
- No right of access to psychotherapy notes kept separately. HIPAA does not forbid a provider from sharing them voluntarily, and state law may grant access, but HIPAA itself does not.
- Progress notes, diagnoses, medications, and treatment plans in your regular record are PHI and generally accessible.
- Most uses or disclosures of psychotherapy notes require a separate, specific authorization, with limited exceptions (for example, the provider’s own use, certain oversight, or legal defense).
Example
You may request your medication list and treatment plan from a psychiatrist’s record. But you cannot demand the therapist’s private session notes maintained separately; HIPAA does not grant that access.
HIPAA Patient Rights Overview
To separate myths from realities, here is what HIPAA generally does give you regarding your PHI held by Covered Entities.
Core patient rights
- Access: Get copies of your PHI (including an electronic copy if it is maintained electronically), generally within 30 days of the request, with one 30-day extension allowed if you are told the reason; reasonable, cost-based fees may apply.
- Amendment: Request corrections to your record when it is inaccurate or incomplete.
- Accounting of disclosures: Receive a record of certain disclosures made in the prior six years, excluding routine ones such as treatment, payment, and healthcare operations and those you authorized.
- Restrictions: Ask to limit uses/disclosures; providers are not required to agree except in limited cases (for example, out-of-pocket payment for a service).
- Confidential communications: Request alternative contact methods or locations.
- Notice of Privacy Practices: Receive an explanation of how your PHI is used and your rights.
- Complaints: File a complaint with your provider or the appropriate authority if you believe your privacy rights were violated.
Conclusion
- Your HIPAA rights focus on PHI held by Covered Entities—not every piece of information about you.
- You cannot access psychotherapy notes or litigation-prep files, and you cannot block all permitted disclosures.
- When a use falls outside permitted disclosures, authorization requirements apply, giving you control through written consent.
FAQs
What rights do patients have under HIPAA?
You have rights to access your PHI, request amendments, receive an accounting of certain disclosures, request reasonable restrictions, choose confidential communications, receive a Notice of Privacy Practices, and file complaints. These rights apply to PHI maintained by Covered Entities and their business associates.
Which information is excluded from HIPAA access rights?
Excluded categories include psychotherapy notes kept separate from the medical record, information compiled for civil or criminal proceedings, employment and education records not treated as PHI, de-identified or aggregated data, and information held solely by non-covered entities.
Can healthcare providers disclose information without patient consent?
Yes. HIPAA permits disclosures without authorization for treatment, payment, and healthcare operations, as well as for specified public health, oversight, and legal purposes. For uses beyond these permitted disclosures, providers generally need your written authorization.
Are psychotherapy notes accessible under HIPAA?
No. Psychotherapy notes are subject to special restrictions and are excluded from the right of access. However, related information in your standard medical record—such as diagnoses, medications, and treatment plans—is typically accessible.