
HIPAA Rights

The Health Insurance Portability and Accountability Act (HIPAA) introduced multiple HIPAA rights. Some of the rights were introduced directly via the text of the Act, but the majority followed later in the Privacy Rule. Unfortunately, the failure to comply with Privacy Rule HIPAA rights is one of the leading reasons for complaints to the HHS Office for Civil Rights.

When HIPAA was enacted in 1996, references to individuals' rights mostly focused on the original purpose of the Act: to enable employees to carry forward insurance coverage from one employer to another after a break in employment, to prevent the denial of coverage (or the imposition of additional premiums for coverage) on the grounds of a pre-existing condition, and to guarantee renewability in multiemployer plans.

The HIPAA rights most people are familiar with, the right to health information privacy and the right to access and correct health information, are mentioned in the text of HIPAA (Section 264), but only in the context of the recommendations the Secretary of Health and Human Services was tasked with preparing, and the regulations the Secretary was required to issue if Congress did not pass a privacy law within three years.

As Congress did not pass a privacy law, the Privacy Rule was introduced to establish patients' rights under HIPAA. These can be found between 45 CFR § 164.508 and 45 CFR § 164.528 in the HIPAA Administrative Simplification provisions. However, as the Administrative Simplification provisions are complex, we have provided a synopsis of the most important HIPAA rights below.


Rights under the Privacy Rule

Information for which individuals have rights under the Privacy Rule is known as Protected Health Information or PHI. PHI is individually identifiable health information that relates to a patient's past, present, or future physical or mental condition, to the provision of treatment and healthcare services to the patient, or to past, present, or future payment for that care.

45 CFR § 164.508 – Uses and disclosures of PHI for which an authorization is required

HIPAA Covered Entities and Business Associates are allowed to use or disclose PHI to carry out treatment, payment, or health care operations without a patient's authorization. Other uses and disclosures, unless specifically permitted or required elsewhere in the Privacy Rule (for example, disclosures required by law or to a public health authority), require the patient's prior written authorization. Patients have the right to receive a copy of a signed authorization, and the right to revoke the authorization in writing at any time, except to the extent the Covered Entity has already acted in reliance on it.

45 CFR § 164.520 – Notice of Privacy Practices for PHI

Patients have the right to receive a Notice of Privacy Practices. The Notice must explain what uses and disclosures of PHI are allowed, and when an authorization is required for other uses and disclosures. The Notice must also list the patient's other rights, how to exercise them, and how to make a complaint if their privacy rights are violated.

45 CFR § 164.522 – Right to request privacy protection for PHI

Two of the HIPAA rights listed in the Notice of Privacy Practices are that patients can request restrictions on certain uses and disclosures of PHI (for example, not informing a health plan about treatment the patient has paid for in full out of pocket, a restriction the Covered Entity must agree to), and that they can request that Covered Entities communicate with them by alternative means or at alternative locations when a communication involves a disclosure of PHI.

45 CFR § 164.524 – Access of individuals to PHI

The right in this standard should also be included in a Notice of Privacy Practices inasmuch as it explains a patient's right to inspect and receive a copy of their PHI within 30 days of the request, with one 30-day extension permitted (the timeframe is currently under review). Patients can also request the form and format in which they receive the copy, for example by email, on a USB drive, or on paper, and the Covered Entity must comply if the PHI is readily producible in that form.

45 CFR § 164.526 – The right to amend PHI

Patients have the right to request corrections to their medical record if, on obtaining a copy of their PHI, it is found to be inaccurate or incomplete. A Covered Entity may deny the request in several circumstances, for example when the PHI is not part of its designated record set, when the record is already accurate and complete, or, increasingly common now that records are shared between Covered Entities, when the Covered Entity to whom the request is made did not create the PHI and the originator is still available to act on the request.

45 CFR § 164.528 – Accounting of disclosures of PHI

The right to access an accounting of disclosures, which explains who the patient's PHI has been disclosed to and why during the six years before the request, is one of the most complicated HIPAA rights standards because there are so many exclusions allowed. It is also possible for this right to be temporarily suspended if a health oversight agency or law enforcement official states that an accounting would be likely to impede its activities.

Rights under the Breach Notification Rule

In addition to the rights granted by the Privacy Rule, individuals also have HIPAA rights under the Breach Notification Rule, which specifies the process for reporting breaches of unsecured PHI. The Rule was finalized in the 2013 Omnibus Final Rule, which also made Business Associates directly liable for compliance, and further changes are being considered in response to the HIPAA Safe Harbor Act of 2021.

At present, patients have the right to be notified of any breach of unsecured PHI, that is, any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. The notification must explain what happened (including the date of the breach and the date it was discovered), the types of PHI that were involved, and the steps individuals should take to protect themselves from harm as a result of the breach.

In addition, Covered Entities must describe what they are doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches. Covered Entities must also provide contact details, which should include a toll-free number, where affected individuals can seek help or ask further questions. Notifications must be sent without unreasonable delay and no later than 60 days after the breach is discovered, regardless of how many patients are affected. Breaches affecting 500 or more individuals must additionally be reported to HHS and to prominent media outlets within the same timeframe, while smaller breaches are logged and reported to HHS annually.

Noncompliance with HIPAA Rights

As mentioned in the introduction to this article, the failure to comply with Privacy Rule HIPAA rights is one of the leading reasons for complaints to the HHS Office for Civil Rights (OCR) and subsequent enforcement action. In recent years, complaints about patients' rights of access have been among the top five complaints investigated by OCR that have resulted in corrective action and/or a civil penalty.

In November 2021, OCR released the results of five investigations into non-compliance with HIPAA rights that resulted in corrective action and/or a civil penalty. It is important to note that the settlements of up to $160,000 involved smaller practices as well as larger organizations. Therefore, it is important that every Covered Entity is aware of, and complies with, patients' HIPAA rights.


Why might a patient not want their health plan informed they have received treatment?

When a patient receives medical treatment and pays for it in full out of pocket, the patient has the right to ask the provider not to disclose the treatment to their health plan, and the provider must agree to the restriction. Patients may wish to exercise this right in case the health plan subsequently increases the premium, limits the benefits of the plan, or refuses future coverage. While decisions such as these are often appealed successfully, the appeal process can be particularly stressful while recovering from medical treatment.

Why does it matter how a Covered Entity communicates with a patient?

Face-to-face communications are usually outside the scope of this standard because they relate directly to the provision of treatment. However, remote communications (e.g., a telephone call to a workplace or a letter to a home address) could be intercepted by third parties (e.g., work colleagues or family members) with whom the patient may not wish to share their personal information. This standard allows patients to request a preferred communication channel, location, and time, and health care providers must accommodate reasonable requests.

Do Covered Entities have to comply with the Breach Notification Rule if a breach affects just one patient?

This depends on the outcome of a risk assessment, not on the number of patients affected. An unauthorized acquisition, access, use, or disclosure of unsecured PHI is presumed to be a reportable breach unless the Covered Entity demonstrates a low probability that the PHI has been compromised, based on the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. If a low probability is demonstrated, Covered Entities do not have to notify patients (although they may still wish to do so). In all other cases, affected individuals must be notified even if only one patient is affected.

How can Covered Entities avoid penalties for noncompliance with patients' HIPAA rights?

In many cases, noncompliance with patients' HIPAA rights is attributable to a lack of understanding. Therefore, to mitigate the risk of noncompliance, Covered Entities should develop policies and procedures to meet the requirements of the Privacy and Breach Notification Rules, train members of the workforce on the policies and procedures, and organize periodic refresher training to maximize retention of the policies and procedures.

What exclusions apply to the accounting of disclosures right?

When a patient requests an accounting of disclosures, Covered Entities do not have to include disclosures made to carry out treatment, payment, or health care operations, disclosures made to the patient, disclosures the patient has authorized, disclosures for national security or intelligence purposes, or disclosures to correctional institutions or law enforcement officials that have lawful custody of the patient. In addition, incidental disclosures, disclosures for a facility directory or to persons involved in the patient's care, and disclosures of PHI in a limited data set do not have to be included. De-identified information is no longer PHI and therefore falls outside the accounting altogether.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.