The HIPAA Privacy Rule: Patients' Rights

This guide explains the rights that patients have under the HIPAA Privacy Rule. It also answers many questions the Privacy Rights Clearinghouse receives from individuals on a regular basis.

For more information about HIPAA and medical privacy, see Privacy Rights Clearinghouse: Medical Privacy.

2. The right to receive a notice of privacy practices

Patients have the right to receive a notice explaining how a provider or health plan uses and discloses their health information.

a. How do patients get a notice of privacy practices?

Health care providers usually give patients this notice on their first visit and post it in the facility where patients may see it. Health plans (insurers) typically send their notices by mail after patient enrollment.

b. What does a notice of privacy practices include?

A notice of privacy practices (NPP) will often contain jargon that can be difficult for patients to understand. For explanations of commonly used HIPAA terms, see Privacy Rights Clearinghouse Fact Sheet 8a: HIPAA Basics.

For more information about notices of privacy practices, see HHS' website or 45 CFR § 164.520.

For more information about how covered entities such as health care providers and health insurers may use or disclose PHI, see PRC Fact Sheet 8b: The HIPAA Privacy Rule: How May Covered Entities Use and Disclose Health Information.

c. Why do health care providers ask patients to sign a form after they receive a notice of privacy practices?

Health care providers will ask patients to sign a form saying that they received a copy of the notice of privacy practices. The law does not require patients to sign this. However, signing does not waive a patient’s rights under HIPAA, and does not mean that the patient agrees with the privacy policy.

If a patient refuses to sign, it does not prevent a health care provider from using or disclosing information in ways already permitted under HIPAA. A provider may not deny treatment if a patient refuses to sign an acknowledgement of having received a notice of privacy practices.

d. Where can a patient ask questions or complain about privacy practices?

The notice of privacy practices will provide information about who to contact with privacy questions and how to complain. This is a good place to start when a question arises. If a patient doesn’t have a copy of the notice, there may be one on the provider's or health plan’s website. If there isn’t one online, a covered entity's administrative office will be able to provide the information and a copy of the notice.

3. The right to access and request a copy of medical records

HIPAA gives patients the right to see and receive a copy of their medical records (not the original records). See 45 CFR § 164.524 for exact language.

Tip: To find out how to request access to a medical record, look at the notice of privacy practices. Patients can always request a copy of the notice, which should provide instructions for requesting records as well as contact information for asking questions or filing complaints.

a. Does this right apply to electronic records?

Yes. Patients have the right to access both paper and electronic records. An individual may request information in a specific format, and the covered entity must comply with the request if the data is readily producible. If the data is not readily producible in the patient’s specified format, the covered entity and individual can agree on another format. If they can’t reach agreement, the covered entity will produce a hard copy.

For example, a patient might ask her doctor’s office to provide her records on an external portable storage device such as a USB drive. If the doctor’s office doesn’t agree to use the USB drive because it believes it is a security risk, the office and patient may reach agreement about another format. If they don’t agree, the doctor may provide a hard copy.

To learn more about the right to access information in an electronic health environment, see HHS’ publication: The HIPAA Privacy Rule’s Right of Access and Health Information Technology.

b. Can a patient request that someone else be given access to her information?

Yes. Often patients want providers to send their health information to third parties such as another doctor, a relative, or an attorney. To do this, the patient should sign a request that clearly identifies which records to send, the designated person, and where to send the records.

c. Will a patient be charged fees to receive copies of medical records?

Most likely. HIPAA allows covered entities to charge a “reasonable, cost-based fee.” The covered entity can charge for supplies, staff time for copying and processing, and mailing (if applicable).

The covered entity may charge for the time staff spends copying and processing the record. However, it may not charge for the time a staff member spends searching for the record. In addition, the covered entity should not adopt a policy of charging a flat fee or charging a patient to view a record.

Note that state law may limit a covered entity’s ability to charge for records.

The HIPAA Rule provides the following example. If state law limits costs to 25 cents a page and the actual cost is only four cents per page, then the covered entity may charge only four cents. If the cost is 30 cents per page and state law allows for 25 cents, then the covered entity may charge no more than 25 cents. In short, the consumer is charged the lesser amount.

d. Can patients still access their records if a physician no longer practices medicine?

According to the American Health Information Management Association, state and federal law will dictate how long a physician must retain records (HIPAA does not include a record retention period).

Patients may be able to find their records by contacting:

e. How long does a covered entity have to deliver a patient's requested records?

A covered entity must produce records within 30 days of the date of the request. HIPAA allows a covered entity one 30-day extension if it provides written notice to the patient stating the reason for the delay and the expected date. This applies to both paper and electronic records.

f. When can patients be denied access to their medical information?

A covered entity may deny a patient's request for access under certain circumstances. Typically the covered entity must issue a written denial letter, and in some cases, an individual may be able to appeal a denial.

As a general rule, patients do not have the right to access their own psychotherapy notes or information a covered entity compiled for legal proceedings.

Individuals may be denied access to their protected health information (PHI) without the right to review the denial in the following situations:

Sometimes individuals have the right to have denials of access reviewed by a licensed healthcare professional. If so, the patient should receive instructions telling him or her how to appeal the denial. The covered entity will designate a reviewing official who did not participate in the original decision to deny access. See 45 CFR § 164.524(a)(3) for exact language.

g. What should patients do when they have trouble accessing or obtaining a copy of their medical records?

We recommend starting the complaint process by first contacting the health care provider’s designated privacy or HIPAA compliance officer. Doing so documents the complaint, and also shows that the individual has made a good faith effort to resolve the problem.

In addition, there are ten HHS/OCR Regional Offices located throughout the country with staff counselors available to answer patient questions.

If there are further problems or the provider ignores a complaint, the individual may want to proceed with an HHS complaint. Although government agencies cannot represent individuals, consumer complaints often alert agencies to HIPAA violations. HIPAA says people cannot be denied treatment because of a complaint.

HIPAA does not prevent states from passing laws that enhance protections. George Washington University also has a guide, Health Information and the Law, which includes information on state laws.

4. The right to request an amendment to medical records

When patients access a medical record and find information they believe is inaccurate, they may file a written request that the record be corrected. The covered entity must respond to the request within 60 days. It may decide to take an additional 30 days, but must provide the individual with a written explanation for the delay and a date by which it will complete the action.

If the covered entity denies the request, it must provide the patient with the following information in writing:

For more information, see 45 CFR § 164.526.

5. The right to request special privacy protection for PHI

Under HIPAA, covered entities must allow an individual to make specific privacy requests. While an individual has the right to make a request, in most situations the covered entity is not required to agree.

If a covered entity agrees to honor an individual's privacy request, it must comply unless the individual needs emergency treatment and the restricted PHI is necessary to provide the treatment. In an emergency situation where the covered entity must disclose information it agreed to restrict, it must request that the information not be further disclosed. See 45 CFR § 164.522(a).

Tip: Make any special privacy requests in writing and keep a signed copy if the covered entity agrees to follow it.

a. Can a patient pay out of pocket to restrict disclosures of protected health information?

A covered entity such as a doctor must agree to an individual's request to restrict disclosure of her PHI to a health plan if:

What is an example of a disclosure required by law? A provider may be required by law to report to a health plan even if a patient pays in full. For example, providers must report Medicare claims. A patient can pay out of pocket and decline to approve a claim submitted to Medicare. In this situation a claim will not be submitted and a doctor can charge the patient no more than the allowed Medicare payment.

Is a provider responsible for notifying other doctors about restricted information? Although HHS encourages providers to notify others such as pharmacies or other doctors if feasible, they are not required to do so. HHS also encourages providers to engage with patients to make sure they understand that it is ultimately the patient's responsibility to request a restriction.

Is it possible to pay out-of-pocket for one condition only? This is an issue patients should discuss with their providers. HHS says a provider should accommodate a patient's request to "unbundle" services when possible. For a detailed discussion of the right to request a restriction, see 78 Federal Register 5566, January 25, 2013, pp 5626-5630.

b. Can an individual make special requests regarding confidential communications about health information?

A health care provider must accommodate an individual's reasonable request to receive communications by alternative means or at alternative locations. For example, an individual might request that a provider contact her via her cell phone or a P.O. Box rather than a home address.

A health care provider may not require that the individual provide an explanation as to why she is making the request. See 45 CFR § 164.522(b)(2)(iii).

A health plan must accommodate reasonable requests to receive communications from the health plan by alternative means or at alternative locations if the individual clearly states that the disclosure of the information could endanger him or her. See 45 CFR § 164.522(b)(2)(iv).

6. The right to an accounting of disclosures

HIPAA enables patients to learn to whom the covered entity has disclosed their PHI. This is called an “accounting of disclosures.” The accounting will cover up to six years prior to the individual's request date and will include disclosures to or by business associates of the covered entity. See 45 CFR § 164.528.

a. How much information will an accounting of disclosures include?

For each disclosure, the accounting must state:

The accounting does not include information about disclosures the covered entity made:

b. How long will it take to receive an accounting of disclosures, and will it cost anything?

Within 60 days of receiving a request for an accounting, a covered entity must:

A covered entity must provide the first accounting (during any 12-month period) free of charge. If an individual requests more than one accounting during a year, the covered entity may impose a cost-based fee on subsequent requests. However, if it is going to charge, the covered entity must inform the individual of the fee in advance and give him an opportunity to withdraw or modify the request.

There have been changes proposed regarding the requirements for an accounting of disclosures that would, for example, include disclosures made for the purposes of treatment, payment, or healthcare operations. There has been no final agreement on the format and information a covered entity must account for in response to a patient's request. For more information and updates, see HHS' Office of the National Coordinator for Health Information Technology's (ONC) website.

7. The right to access a minor child's medical records

a. Do parents have the right to see their minor children's medical records?

Yes, in most situations. Under the HIPAA Privacy Rule, a covered entity can disclose a minor child's PHI to a parent acting as the child's "personal representative" as long as it is consistent with state and other law. See 45 CFR § 164.502(g).

HHS provides the following examples of situations where a parent may not access a minor's medical record:

The HHS website provides additional information about access to a minor's health records.

The Guttmacher Institute has a guide to relevant state laws: Minors and the Right to Consent to Health Care.

b. Can a doctor provide medical information to a child's school without a parent's permission?

Generally a health provider must have written authorization to disclose any information that HIPAA doesn't specifically allow.

However, there is an exception for school immunization records. According to HHS, most states have "school entry laws" which prohibit a child from attending school without proof of immunization. Therefore health care providers may provide immunization records to a school upon oral agreement by a parent, guardian, or person acting in the place of a parent.

c. Are a child's medical records in school files covered under HIPAA?

No. Medical records maintained by schools are subject to another federal law, the Family Educational Rights and Privacy Act (FERPA). The U.S. Department of Education, which enforces FERPA, has published a guide with HHS that explains how FERPA and HIPAA apply.

To learn more about medical records and schools, see PRC Fact Sheet 29: Privacy in Education: Guide for Parents and Adult Age Students and the Department of Education website.

8. Resources

Additional Privacy Rights Clearinghouse materials

Federal Laws and Regulations

Omnibus Rule, 78 Federal Register, January 25, 2013

Filing a HIPAA Complaint

U.S. Department of Health and Human Services (HHS)

Office for Civil Rights

200 Independence Avenue, S.W.

Room 509F HHH Building

Washington, D.C. 20201

Toll free: 1-877-696-6557

U.S. Department of Health and Human Services – Consumer Information

World Privacy Forum

Patient Privacy Rights