Patient Rights Under HIPAA: A Guide for Every Provider

Practical guidance for healthcare teams and business associates


Understanding patient rights under HIPAA is fundamental for every healthcare provider. The HIPAA Privacy Rule grants individuals a comprehensive set of rights over their protected health information (PHI). These rights let patients control how their health data is used and shared, and they impose corresponding duties on healthcare providers to honor those rights within specified timeframes.

For providers, compliance with patient rights requirements is not optional. OCR has made enforcement of patient access rights a specific priority, launching a dedicated Right of Access Initiative (learn how the OCR audit program works) that has resulted in numerous settlements against organizations that failed to provide timely access to medical records. This guide details each patient right, the provider duties that accompany it, and the timelines you must meet.

Right to Access Records

[Image: Patient Rights: Accessing Records]

What the Right Covers

Under 45 CFR 164.524, individuals have the right to inspect and obtain a copy of their PHI maintained in a designated record set. The designated record set includes medical records, billing records, enrollment records, and any other records used to make decisions about the individual.

This right applies to PHI maintained in any form, including electronic, paper, and other media. Patients may request their records in the format of their choice, and providers must accommodate that request if the records are readily producible in that format.

Provider Duties

Healthcare providers must:

  • Accept access requests in writing, though they may not require the request to be made on a specific form
  • Provide access within 30 calendar days of receiving the request, with a possible 30-day extension if the provider notifies the patient in writing of the reason for the delay
  • Provide records in the format requested by the patient, including electronic format, if readily producible
  • Allow the patient to direct copies to a third party by providing a written, signed request
  • Charge only a reasonable, cost-based fee that covers the cost of copying, supplies, postage, and preparation of a summary if the patient agrees to a summary
  • Not require the patient to provide a reason for the access request

Grounds for Denial

Providers may deny access in limited circumstances:

  • Psychotherapy notes are excluded from the general access right
  • Information compiled for legal proceedings may be withheld in certain circumstances
  • PHI held by research facilities may be withheld during the research period if the patient agreed to the restriction
  • PHI obtained from a source other than a healthcare provider under a promise of confidentiality may be withheld if access would reveal the source
  • A licensed healthcare professional determines that access is reasonably likely to endanger the life or physical safety of the patient or another person

If access is denied, the provider must issue a written denial explaining the basis for the denial and informing the patient of their right to have the denial reviewed or to file a complaint with OCR.

The OCR Right of Access Initiative

OCR launched its Right of Access Initiative specifically to enforce patient access rules. This effort has produced over 45 enforcement actions resulting in settlements ranging from $3,500 to over $200,000. Common violations include:

  • Failing to provide records within the required 30-day timeframe
  • Charging excessive fees for record copies
  • Refusing to provide records in the electronic format requested
  • Requiring patients to appear in person to obtain their records
  • Failing to respond to access requests at all

Providers should treat every access request as an enforcement-sensitive duty and track requests through a documented process (see HIPAA documentation requirements) to ensure timely compliance.

Right to Amend Records

[Image: Patient Rights: Amend Records]

How the Amendment Right Works

Under 45 CFR 164.526, individuals have the right to request an amendment to their PHI in a designated record set. This right recognizes that medical records may contain errors that could affect clinical care, insurance coverage, or other important decisions.

Patients must submit amendment requests in writing and provide a reason for the requested amendment. Providers must act on the request within 60 calendar days, with a possible 30-day extension if the patient is notified in writing.

Provider Duties for Amendment Requests

If the amendment is accepted:

  • Amend the record by appending or linking the amendment to the existing information, rather than deleting the original entry
  • Notify the patient that the amendment has been accepted
  • Make reasonable efforts to inform other parties that the provider knows have received the PHI and that may have relied on it, including business associates and persons identified by the patient

If the amendment is denied:

  • Provide a written denial within the required timeframe
  • State the basis for the denial clearly
  • Inform the patient of their right to submit a written statement of disagreement
  • If the patient submits a disagreement, the provider may prepare a written rebuttal
  • Append the request, denial, disagreement, and rebuttal (if any) to the designated record set
  • Include these items with any future disclosures of the disputed PHI

Grounds for Denying an Amendment

Providers may deny an amendment request if:

  • The PHI was not created by the provider (unless the originator is no longer available to act on the request)
  • The PHI is not part of the designated record set
  • The PHI would not be available for access under the access right
  • The PHI is accurate and complete as maintained

Right to an Accounting of Disclosures

Scope of the Accounting Right

Under 45 CFR 164.528, individuals have the right to receive an accounting of disclosures of their PHI made by a covered entity during the six years before the request. This accounting helps patients understand who has received their health information and why.

The accounting must include:

  • Date of each disclosure
  • Name and address of the entity or person who received the PHI (if known)
  • Brief description of the PHI disclosed
  • Purpose of the disclosure, or a copy of the authorization or written request

Disclosures Exempt from Accounting

The following disclosures are not required to be included in an accounting:

  • Disclosures for treatment, payment, and healthcare operations
  • Disclosures to the individual who is the subject of the PHI
  • Disclosures made pursuant to a valid authorization signed by the individual
  • Disclosures for national security or intelligence purposes
  • Disclosures to correctional institutions or law enforcement under specific conditions
  • Disclosures that are part of a limited data set
  • Disclosures that occurred before the compliance date of the Privacy Rule

Timeline and Fees

Providers must provide the accounting within 60 calendar days of the request, with a possible 30-day extension upon written notice. The first accounting in any 12-month period must be provided free of charge. For subsequent requests within the same 12-month period, the provider may charge a reasonable, cost-based fee; however, the provider must inform the patient of the fee in advance and give them the chance to withdraw or modify the request.

Right to Request Restrictions

Understanding Restriction Requests

Under 45 CFR 164.522(a), individuals have the right to request that a provider restrict the uses and disclosures of their PHI. This right allows patients to ask that their information not be used or disclosed for certain purposes, even if HIPAA would otherwise permit the use or disclosure.

Providers are generally not required to agree to a requested restriction. However, there is one important exception: providers must agree to a restriction request if both of the following are true:

  • The disclosure is to a health plan for payment or healthcare operations purposes (not treatment)
  • The PHI pertains to a service for which the patient has paid out of pocket in full

This mandatory restriction gives patients meaningful control over disclosures to their health insurers when they self-pay for services.

Implementing Restrictions

When a provider agrees to a restriction:

  • The restriction must be documented and consistently followed
  • All team members must be made aware of relevant restrictions
  • The restriction applies to uses and disclosures covered by the agreement, except in emergency treatment situations where the restricted PHI is needed for treatment
  • The provider may terminate a restriction if the patient agrees in writing, or if the provider informs the patient that the restriction is being terminated for PHI created or received after the termination

Right to Confidential Communications

What Confidential Communications Means

Under 45 CFR 164.522(b), individuals have the right to request that a provider communicate with them by alternative means or at alternative locations. This right is especially important for patients in situations involving domestic abuse, personal safety concerns, or other circumstances where standard communications could cause harm.

Healthcare providers must accommodate reasonable requests for confidential communications. For example:

  • A patient may request that appointment reminders be sent to a work email address instead of a home address
  • A patient may request that billing statements be sent to a post office box
  • A patient may request that the provider call a specific phone number rather than the number on file
  • A patient may request that communications be sent in sealed envelopes without the provider’s name visible on the exterior

Provider Duties

  • Health plans may require the patient to explain how payment will be handled under the alternative arrangement; providers, however, may not require the patient to explain the reason for the request
  • The accommodation must be reasonable and must not interfere with the organization’s ability to provide care or collect payment
  • Providers should document the request and ensure that communication systems are configured to honor it

Right to File Complaints

How Patients Exercise This Right

Individuals have the right to file a complaint if they believe their privacy rights have been violated. Complaints may be filed with the provider’s designated privacy contact or with the HHS Office for Civil Rights (OCR).

Providers must:

  • Include complaint procedures in the Notice of Privacy Practices
  • Not retaliate against any person who files a complaint or assists in an investigation
  • Designate a contact person to receive complaints and provide information about the complaint process
  • Document and investigate internal complaints and take corrective action when warranted

OCR investigates complaints to determine whether a violation occurred and may pursue enforcement action if violations are identified. Understanding the penalties that can result from complaints underscores the importance of responding properly to a HIPAA complaint; our step-by-step guide covers exactly what to do when a complaint is filed.

Provider Duties and the Notice of Privacy Practices

The Notice of Privacy Practices

The cornerstone of patient rights communication is the Notice of Privacy Practices (NPP). Under 45 CFR 164.520, covered entities must provide a clear, written notice that describes:

  • How the entity uses and discloses PHI
  • The individual’s rights regarding their PHI
  • The entity’s legal duties with respect to PHI
  • Whom to contact for more information or to file a complaint
  • The effective date of the notice

Providers with direct treatment relationships must:

  • Provide the NPP at the first service encounter (except in emergency treatment situations)
  • Make a good faith effort to obtain the patient’s written acknowledgment of receipt
  • Post the NPP in a prominent location at the service delivery site
  • Make the NPP available on the entity’s website if one exists

Timeline Summary for Provider Duties

  Patient Right                 Action Required           Timeline
  Access to records             Provide copies            30 days (+ 30-day extension)
  Amendment request             Accept or deny            60 days (+ 30-day extension)
  Accounting of disclosures     Provide accounting        60 days (+ 30-day extension)
  Restriction request           Respond to request        No specific timeline; prompt response expected
  Confidential communications   Accommodate request       Reasonable timeframe
  Complaint                     Investigate and respond   No specific timeline; prompt action expected

For a broader overview of compliance duties, see our complete HIPAA compliance guide and our guide on HIPAA Privacy Rule requirements.

Patient Rights FAQ

[Image: FAQ]

Can we charge patients for copies of their medical records?

Yes, but only a reasonable, cost-based fee. Allowable costs include the labor for copying, supplies, postage (if mailed), and preparation of a summary or explanation if the patient requests and agrees to one. You may not charge for search and retrieval time. Many states impose fee caps that are lower than what HIPAA would permit, so check your state’s medical records fee schedule.

What if a patient requests their records in an electronic format we do not use?

If the PHI is maintained electronically and the patient requests it in an electronic format, you must provide it in the requested format if readily producible. If the requested format is not readily producible, work with the patient to agree on an alternative electronic format. If no electronic format is agreeable, provide a hard copy.

Can a patient’s family member request their records?

Only if the family member is a personal representative with legal authority to act on the patient’s behalf. For adults, this typically requires a healthcare power of attorney, legal guardianship, or other legal documentation. For minor children, parents generally serve as personal representatives, with exceptions for certain types of care where state law grants minors privacy rights.

How long must we retain medical records to comply with HIPAA?

HIPAA requires covered entities to retain documentation related to their HIPAA compliance activities (policies, procedures, risk assessments) for six years. However, HIPAA does not set specific retention periods for medical records themselves. Medical record retention is governed by state law, which varies greatly: many states require retention of adult medical records for 7 to 10 years, with longer periods for minor patients.

What happens if we miss the 30-day deadline for providing record access?

Failing to provide timely access violates the Privacy Rule and can result in an OCR complaint, investigation, and enforcement action. The OCR Right of Access Initiative has produced numerous settlements specifically targeting providers that failed to meet the 30-day timeline. Implement a tracking system for all access requests and calendar the deadlines immediately upon receipt.
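
The timeline summary above and this last answer both come down to one operational task: record the receipt date, compute the due date, and flag anything that slips. The following script is an added example written for this guide; it is not code from the guide or from One Guy Consulting. It models the three fixed windows from the timeline table (30 days for access, 60 for amendment and accounting, each with a single 30-day extension) and, as an assumption of the model, counts the extension only when the written notice of delay was sent within the original window. The request records are constructed sample data.

```python
"""Deadline tracker for HIPAA patient-rights requests.

Added example; not code from the guide or from One Guy Consulting. It models
the response windows from the timeline summary: access requests 30 calendar
days, amendment and accounting requests 60 calendar days, each with a single
30-day extension. Assumption of this model: the extension counts only when the
written notice of delay was sent within the original window. All request data
below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Base response windows in calendar days, from the guide's timeline table.
BASE_DAYS = {"access": 30, "amendment": 60, "accounting": 60}
EXTENSION_DAYS = 30  # one extension, only with written notice to the patient


@dataclass
class Request:
    request_id: str
    kind: str                                 # "access", "amendment" or "accounting"
    received: date                            # date the request was received
    extension_notice: Optional[date] = None   # date written notice of delay was sent
    completed: Optional[date] = None          # date the provider finished responding

    def __post_init__(self) -> None:
        if self.kind not in BASE_DAYS:
            raise ValueError(f"unknown request kind: {self.kind!r}")

    def base_deadline(self) -> date:
        """Deadline without any extension."""
        return self.received + timedelta(days=BASE_DAYS[self.kind])

    def deadline(self) -> date:
        """Effective deadline; a notice sent after the base deadline buys no extra time."""
        base = self.base_deadline()
        if self.extension_notice is not None and self.extension_notice <= base:
            return base + timedelta(days=EXTENSION_DAYS)
        return base

    def status(self, today: date) -> str:
        """'on time' / 'late' for completed requests, 'overdue' / 'open (...)' otherwise."""
        due = self.deadline()
        if self.completed is not None:
            return "on time" if self.completed <= due else "late"
        if today > due:
            return "overdue"
        return f"open ({(due - today).days} days left)"


def report(requests: List[Request], today: date) -> Dict[str, str]:
    """Map each request id to its status as of `today`."""
    return {r.request_id: r.status(today) for r in requests}


def needs_attention(requests: List[Request], today: date) -> List[str]:
    """Ids of requests that are already overdue or were completed late."""
    return [r.request_id for r in requests if r.status(today) in ("overdue", "late")]


# Constructed sample: five requests as seen on 15 February 2024 (a leap year).
TODAY = date(2024, 2, 15)
SAMPLE_REQUESTS = [
    Request("R1", "access", date(2024, 1, 2), completed=date(2024, 1, 25)),
    Request("R2", "access", date(2024, 1, 2), extension_notice=date(2024, 1, 20)),
    Request("R3", "access", date(2024, 1, 2), extension_notice=date(2024, 2, 5)),  # notice sent after the 30-day window
    Request("R4", "amendment", date(2023, 12, 1), completed=date(2024, 1, 31)),    # one day past the 60-day deadline
    Request("R5", "accounting", date(2024, 1, 10)),
]

if __name__ == "__main__":
    for request_id, status in report(SAMPLE_REQUESTS, TODAY).items():
        print(f"{request_id}: {status}")
    print("needs attention:", needs_attention(SAMPLE_REQUESTS, TODAY))
```

Run as a script it prints one status line per request and lists R3 and R4 as needing attention: R3 because the extension notice went out after the original 30 days had already passed, so its deadline stayed at 1 February, and R4 because the amendment was completed a day after its 60-day deadline. The same functions can be pointed at a real request log exported from a ticketing system; the important design choice is that the extension is tied to a dated notice rather than a free-text flag, which is what an auditor will ask for.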

Patient Rights Takeaways

Patient rights under HIPAA are not abstract legal concepts. They are enforceable duties that OCR actively monitors and enforces. Healthcare providers that establish clear procedures for receiving, tracking, and responding to patient rights requests protect both their patients and their organizations from the consequences of non-compliance.

One Guy Consulting helps healthcare providers build patient rights compliance programs that meet every HIPAA requirement. From developing access request workflows and training front-desk staff to preparing Notices of Privacy Practices and managing amendment requests, our team ensures your organization honors patient rights on time, every time. Contact us today to strengthen your patient rights compliance.

Key stat: OCR launched the Right of Access Initiative in 2019 and has since issued over 45 enforcement actions specifically for failing to provide patients with timely access to their medical records. Settlements have ranged from $3,500 to $240,000. The 30-day response deadline under 164.524 is the most strictly enforced timeline in all of HIPAA.

Frequently Asked Questions

What are the patient rights under HIPAA?

The patient rights under HIPAA include six enforceable rights: the right to access their medical records (45 CFR 164.524), the right to request amendments to their records (164.526), the right to an accounting of disclosures (164.528), the right to request restrictions on uses and disclosures (164.522), the right to request confidential communications (164.522), and the right to receive a Notice of Privacy Practices (164.520). Providers must respond to access requests within 30 calendar days.

Can a patient request all their medical records under HIPAA?

Yes. Under the HIPAA Right of Access, patients can request a copy of any protected health information maintained in a designated record set. This includes medical records, billing records, insurance records, and clinical lab results. Providers may charge a reasonable cost-based fee for copies but cannot deny access based on an unpaid bill for services. OCR has settled over 40 Right of Access enforcement actions since 2019.
