HIPAA Rights for Patients: A Practical Guide
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, established national standards for the protection of health information. While HIPAA is often discussed in the context of healthcare provider compliance, it also creates important rights for patients regarding the privacy and security of their medical information. Understanding these rights can help you take control of your health information and hold covered entities accountable for violations.
What HIPAA Protects
HIPAA's Privacy Rule protects "protected health information" (PHI), which includes any individually identifiable health information created, received, maintained, or transmitted by a covered entity. PHI includes:
Medical records and billing information
Health insurance claims and enrollment records
Lab results, imaging reports, and diagnostic information
Prescription records
Mental health and substance abuse treatment records (with additional protections under 42 CFR Part 2)
Conversations between healthcare providers about your care
Information in your patient portal
Who Must Comply with HIPAA?
Covered entities:
Healthcare providers (doctors, dentists, hospitals, clinics, pharmacies, nursing homes)
Health plans (insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid)
Healthcare clearinghouses (entities that process health information)
Business associates:
Third parties that handle PHI on behalf of covered entities (billing companies, IT vendors, cloud storage providers, attorneys, accountants)
Who is NOT covered by HIPAA:
Employers (regarding employee health information they receive directly)
Life insurance companies
Schools (student health records are covered by FERPA, not HIPAA)
Law enforcement agencies
Most mobile health apps and fitness trackers
Social media companies
Your Rights Under HIPAA
1. Right to Access Your Records
You have the right to inspect and obtain a copy of your medical records
The provider must respond within 30 days (extendable by 30 days with notice)
You can request records in electronic format if they are maintained electronically
Fees for copies must be reasonable and cost-based
Very few exceptions allow a provider to deny access (e.g., psychotherapy notes, information compiled for legal proceedings)
2. Right to Request Amendments
If you believe your medical records contain errors, you can request an amendment
The provider must respond within 60 days
If the provider denies your request, they must explain why in writing, and you can submit a statement of disagreement to be included in your file
3. Right to an Accounting of Disclosures
You can request a list of disclosures of your PHI made by the covered entity
This covers disclosures made for purposes other than treatment, payment, and healthcare operations
The accounting must cover the six years prior to your request
4. Right to Request Restrictions
You can ask a provider to restrict how your PHI is used or disclosed
The provider is generally not required to agree, with one important exception: if you pay for a service out of pocket in full, you can require the provider not to disclose information about that service to your health plan
5. Right to Confidential Communications
You can request that your provider communicate with you by alternative means or at alternative locations (e.g., calling your cell phone instead of your home phone)
The provider must accommodate reasonable requests
6. Right to Notice of Privacy Practices
Every covered entity must provide you with a notice describing how your PHI may be used and disclosed
You should receive this notice at your first visit (for providers) or at enrollment (for health plans)
When PHI Can Be Shared Without Your Consent
HIPAA allows covered entities to use or disclose PHI without your authorization in certain circumstances:
Treatment, payment, and healthcare operations: Your doctor can share your records with a specialist for referral purposes, or with your insurance company for payment
Public health activities: Reporting communicable diseases, vital statistics, and FDA-related adverse events
Abuse and neglect reporting: Required reporting of child abuse, elder abuse, or domestic violence
Law enforcement: Response to court orders, subpoenas, and certain law enforcement requests
Judicial proceedings: In response to a court order or subpoena with appropriate safeguards
Serious threats to health or safety: Disclosure to prevent or lessen a serious and imminent threat
Workers' compensation: Disclosures required by workers' compensation laws
Filing a HIPAA Complaint
If you believe your HIPAA rights have been violated:
File a complaint with the provider first — many issues can be resolved at the organizational level through the provider's privacy officer
File with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services — complaints can be filed online at hhs.gov/hipaa/filing-a-complaint
Complaints must be filed within 180 days of when you knew or should have known about the violation (OCR may waive this deadline for good cause)
OCR investigates complaints and can impose corrective actions and civil monetary penalties on violators
You are protected from retaliation for filing a HIPAA complaint — your provider cannot refuse to treat you or take other adverse actions because you filed a complaint
Common Misconceptions
HIPAA does not prevent your family from learning about your care if you are present and do not object, or if the provider determines it is in your best interest
HIPAA does not give you the right to sue — there is no private right of action under HIPAA, though state privacy laws may provide such remedies
HIPAA does not apply to everything — your employer, social media, and consumer health apps are generally not covered
Disclaimer: This guide provides general information about HIPAA. Medical privacy laws vary by state, and some states provide additional protections beyond HIPAA. Consult a healthcare attorney for advice specific to your situation.