Patient Rights Under HIPAA: What Every Provider Must Know

Practical guidance for healthcare teams and business associates


Patient Rights Under HIPAA: A Healthcare Provider’s Guide

Understanding patient rights under the HIPAA rules is fundamental for every healthcare provider. The HIPAA Privacy Rule grants individuals a comprehensive set of rights over their protected health information (PHI). These rights give patients control over how their health data is used and shared, and they impose corresponding obligations on healthcare providers to honor those rights within specified timeframes.

For providers, compliance with the patient rights requirements is not optional. OCR has made enforcement of patient access rights a specific priority, launching a dedicated Right of Access Initiative that has resulted in numerous settlements against entities that failed to provide timely access to medical records. This guide details each patient right, the provider obligations that accompany it, and the timelines you must meet.

Right to Access Records


What the Right Covers

Under 45 CFR 164.524, individuals have the right to inspect and obtain a copy of their PHI kept in a designated record set. The designated record set includes medical records, billing records, enrollment records, and any other records used to make decisions about the individual.

This right applies to PHI kept in any form, including digital, paper, and other media. Patients may request their records in the format of their choice, and providers must accommodate that request if the records are readily producible in that format.

Provider duties

Healthcare providers must:

  • Accept access requests in writing, though they may not require the request to be made on a specific form
  • Provide access within 30 calendar days of receiving the request, with a possible 30-day extension if the provider notifies the patient in writing of the reason for the delay
  • Provide records in the format requested by the patient, including digital format, if readily producible
  • Allow the patient to direct copies to a third party by providing a written, signed request
  • Charge only a reasonable, cost-based fee that covers the cost of copying, supplies, postage, and preparation of a summary if the patient agrees to a summary
  • Not require the patient to provide a reason for the access request

Grounds for Denial

Providers may deny access in limited circumstances:

  • Psychotherapy notes are excluded from the general access right
  • Information compiled for legal proceedings may be withheld in certain circumstances
  • PHI kept by research facilities may be withheld during the research period if the patient agreed to the restriction
  • PHI obtained from a source other than a healthcare provider under a promise of confidentiality may be withheld if access would reveal the source
  • A licensed healthcare professional determines that access is reasonably likely to endanger the life or physical safety of the patient or another person

If access is denied, the provider must issue a written denial explaining the basis for the denial and informing the patient of their right to have the denial reviewed or to file a complaint with OCR.

The OCR Right of Access Initiative

OCR launched its Right of Access Initiative specifically to enforce the patient access rules. This effort has produced over 45 enforcement actions, with settlements ranging from $3,500 to over $200,000. Common violations include:

  • Failing to provide records within the required 30-day timeframe
  • Charging excessive fees for record copies
  • Refusing to provide records in the digital format requested
  • Requiring patients to appear in person to obtain their records
  • Failing to respond to access requests entirely

Providers should treat every access request as an enforcement-sensitive obligation and track requests through a documented process to ensure timely compliance.

Right to Amend Records


How the Amendment Right Works

Under 45 CFR 164.526, individuals have the right to request an amendment to their PHI in a designated record set. This right recognizes that medical records may contain errors that could affect clinical care, insurance coverage, or other important decisions.

Patients must submit amendment requests in writing and provide a reason for the requested amendment. Providers must act on the request within 60 calendar days, with a possible 30-day extension if the patient is notified in writing.

Provider duties for Amendment Requests

If the amendment is accepted:

  • Amend the record by appending or linking the amendment to the existing information, rather than deleting the original entry
  • Notify the patient that the amendment has been accepted
  • Make reasonable efforts to inform other parties that the provider knows have received the PHI and that may have relied on it, including business associates and persons identified by the patient

If the amendment is denied:

  • Provide a written denial within the required timeframe
  • State the basis for the denial clearly
  • Inform the patient of their right to submit a written statement of disagreement
  • If the patient submits a disagreement, the provider may prepare a written rebuttal
  • Append the request, denial, disagreement, and rebuttal (if any) to the designated record set
  • Include these items with any future disclosures of the disputed PHI

Grounds for Denying an Amendment

Providers may deny an amendment request if:

  • The PHI was not created by the provider (unless the originator is no longer available to act on the request)
  • The PHI is not part of the designated record set
  • The PHI would not be available for inspection under the access right
  • The PHI is accurate and complete as maintained

Right to an Accounting of Disclosures

Scope of the Accounting Right

Under 45 CFR 164.528, individuals have the right to receive an accounting of disclosures of their PHI made by a covered entity during the six years before the request. This accounting helps patients understand who has received their health information and why.

The accounting must include:

  • Date of each disclosure
  • Name and address of the entity or person who received the PHI (if known)
  • Brief description of the PHI disclosed
  • Purpose of the disclosure, or a copy of the authorization or written request that prompted it

Disclosures Exempt from Accounting

The following disclosures are not required to be included in an accounting:

  • Disclosures for treatment, payment, and healthcare operations
  • Disclosures to the individual who is the subject of the PHI
  • Disclosures made pursuant to a valid authorization signed by the individual
  • Disclosures for national security or intelligence purposes
  • Disclosures to correctional institutions or law enforcement under specific conditions
  • Disclosures that are part of a limited data set
  • Disclosures that occurred before the compliance date of the Privacy Rule

Timeline and Fees

Providers must provide the accounting within 60 calendar days of the request, with a possible 30-day extension upon written notice. The first accounting in any 12-month period must be provided free of charge. For subsequent requests within the same 12-month period, the provider may charge a reasonable, cost-based fee, but must inform the patient of the fee in advance and give them the chance to withdraw or modify the request.

Right to Request Restrictions

Understanding Restriction Requests

Under 45 CFR 164.522(a), individuals have the right to request that a provider restrict the uses and disclosures of their PHI. This right allows patients to ask that their information not be used or disclosed for certain purposes, even if HIPAA would otherwise permit the use or disclosure.

Providers are generally not required to agree to a requested restriction. However, there is one important exception: providers must agree to a restriction request if both of the following apply:

  • The disclosure would be to a health plan for payment or healthcare operations purposes (not treatment)
  • The PHI pertains to a service for which the patient has paid out of pocket in full

This mandatory restriction gives patients meaningful control over disclosures to their health insurers when they self-pay for services.

Implementing Restrictions

When a provider agrees to a restriction:

  • The restriction must be documented and consistently followed
  • All team members must be made aware of relevant restrictions
  • The restriction applies to the uses and disclosures covered by the agreement, except in emergency treatment situations where the restricted PHI is needed for treatment
  • The provider may terminate a restriction if the patient agrees in writing, or if the provider informs the patient that the restriction is being terminated for PHI created or received after the termination

Right to Confidential Communications

What Confidential Communications Means

Under 45 CFR 164.522(b), individuals have the right to request that a provider communicate with them by alternative means or at alternative locations. This right is especially important for patients in situations involving domestic abuse, personal safety concerns, or other circumstances where standard communications could cause harm.

Healthcare providers must accommodate reasonable requests for confidential communications. For example:

  • A patient may request that appointment reminders be sent to a work email address instead of a home address
  • A patient may request that billing statements be sent to a post office box
  • A patient may request that the provider call a specific phone number rather than the number on file
  • A patient may request that communications be sent in sealed envelopes without the provider’s name visible on the exterior

Provider duties

  • Health plans may require the patient to explain how payment will be handled under the alternative arrangement, but providers may not require an explanation for the request
  • Providers may not require the patient to explain the reason for the request
  • The accommodation must be reasonable and must not interfere with the entity’s ability to provide care or collect payment
  • Providers should record the request and ensure that communication systems are configured to honor it

Right to File Complaints

How Patients Exercise This Right

Individuals have the right to file a complaint if they believe their privacy rights have been violated. Complaints may be filed with:

  • The covered entity’s Privacy Officer or designated complaint contact
  • The HHS Office for Civil Rights via the OCR complaint portal, by mail, or by email

Providers must:

  • Include complaint procedures in the Notice of Privacy Practices
  • Not retaliate against any person who files a complaint or assists in an investigation
  • Designate a contact person to receive complaints and provide information about the complaint process
  • Document and investigate internal complaints and take corrective action when warranted

OCR investigates complaints to determine whether a violation occurred and may pursue enforcement action if violations are identified. Understanding the penalties that can result from complaints underscores the importance of responding properly to patient concerns.

Provider duties and Notice of Privacy Practices

The Notice of Privacy Practices

The cornerstone of patient rights communication is the Notice of Privacy Practices (NPP). Under 45 CFR 164.520, covered entities must provide a clear, written notice that describes:

  • How the entity uses and discloses PHI
  • The individual’s rights regarding their PHI
  • The entity’s legal duties with respect to PHI
  • Who to contact for more information or to file a complaint
  • The effective date of the notice

Providers with direct treatment relationships must:

  • Provide the NPP at the first service encounter (except in emergency treatment situations)
  • Make a good faith effort to obtain the patient’s written acknowledgment of receipt
  • Post the NPP in a prominent location at the service delivery site
  • Make the NPP available on the entity’s website if one exists

Timeline Summary for Provider duties

| Patient Right               | Action Required          | Timeline                                       |
|-----------------------------|--------------------------|------------------------------------------------|
| Access to records           | Provide copies           | 30 days (+ 30-day extension)                   |
| Amendment request           | Accept or deny           | 60 days (+ 30-day extension)                   |
| Accounting of disclosures   | Provide accounting       | 60 days (+ 30-day extension)                   |
| Restriction request         | Respond to request       | No specific timeline; prompt response expected |
| Confidential communications | Accommodate request      | Reasonable timeframe                           |
| Complaint                   | Investigate and respond  | No specific timeline; prompt action expected   |

For a broader overview of compliance obligations, see our complete HIPAA compliance guide and our guide to the HIPAA Privacy Rule requirements.

Patient Rights FAQ


Can we charge patients for copies of their medical records?

Yes, but only a reasonable, cost-based fee. Allowable costs include the labor for copying, supplies, postage (if mailed), and preparation of a summary or explanation if the patient requests and agrees to one. You may not charge for search and retrieval time. Many states impose fee caps that are lower than what HIPAA would permit, so check your state’s medical records fee schedule.

What if a patient requests their records in an electronic format we do not use?

If the PHI is kept electronically and the patient requests it in an electronic format, you must provide it in the requested format if it is readily producible. If the requested format is not readily producible, work with the patient to agree on an alternative electronic format. If no electronic format is agreeable, provide a hard copy.

Can a patient’s family member request their records?

Only if the family member is a personal representative with legal authority to act on the patient’s behalf. For adults, this generally requires a healthcare power of attorney, legal guardianship, or other legal documentation. For minor children, parents usually serve as personal representatives, with exceptions for certain types of care where state law grants minors privacy rights.

How long must we retain medical records to comply with HIPAA?

HIPAA requires covered entities to retain documentation related to their HIPAA compliance activities (policies, procedures, risk assessments) for six years. However, HIPAA does not set specific retention periods for medical records themselves. Medical record retention is governed by state law, which varies widely. Many states require retention of adult medical records for 7 to 10 years, with longer periods for minor patients.

What happens if we miss the 30-day deadline for providing record access?

Failing to provide timely access violates the Privacy Rule and can result in an OCR complaint, investigation, and enforcement action. The OCR Right of Access Initiative has produced numerous settlements specifically targeting providers that failed to meet the 30-day timeline. Implement a tracking system for all access requests and calendar the deadlines immediately upon receipt.

Patient Rights Takeaways

Patient rights under HIPAA are not abstract legal concepts. They are enforceable obligations that OCR actively monitors and enforces. Healthcare providers that establish clear procedures for receiving, tracking, and responding to patient rights requests protect both their patients and their organizations from the consequences of noncompliance.

One Guy Consulting helps healthcare providers build patient rights compliance programs that meet every HIPAA requirement. From developing access request workflows and training front-desk staff to preparing Notices of Privacy Practices and managing amendment requests, our team ensures your organization honors patient rights on time, every time. Contact us today to strengthen your patient rights compliance.