
Patient Rights Under HIPAA

Patient rights under HIPAA include the ability to access and request corrections to their health information, receive notifications about how their information is used and shared, make decisions on specific information sharing, and file complaints if they believe their rights are violated or their information is mishandled.

HIPAA introduced a number of HIPAA rights relating to the portability of health coverage, the continuation of health coverage between jobs, and the coverage of employees with preexisting conditions. However, many more HIPAA rights were added in the HIPAA Privacy Rule, and the failure to comply with Privacy Rule HIPAA rights is one of the leading reasons for complaints to HHS’ Office for Civil Rights.

It is important to be aware of the patient rights under HIPAA because, by exercising their rights, patients can take more responsibility for their healthcare, be alerted to inaccurate billing, and identify medical identity theft. It is well chronicled that medical identity theft can result in treatment delays, misdiagnoses, and unnecessary costs for both patients and healthcare providers.

The HIPAA Privacy Rule Rights for Patients

The HIPAA rights most people are familiar with – the right to health information privacy and the right to access and correct health information – are mentioned in the text of HIPAA (Section 264), but only in the context of the recommendations the Secretary for Health & Human Services was tasked with preparing in the event that Congress did not pass a privacy law within three years.

As Congress did not pass a privacy law within that period, HHS issued the HIPAA Privacy Rule, which establishes patients’ rights under HIPAA. These can be found between 45 CFR § 164.508 and 45 CFR § 164.528 in the HIPAA Administrative Simplification Regulations. However, as the Administrative Simplification Regulations are complex, we have provided a synopsis of the most important HIPAA Privacy Rule rights below.

Rights under the HIPAA Privacy Rule

Information for which individuals have rights under the HIPAA Privacy Rule is known as Protected Health Information or PHI. In addition to information relating to a patient’s past, present, or future physical or mental condition being protected – including the provision of treatment and healthcare services – past, present, or future payment information is also protected under the HIPAA Privacy Rule.

45 CFR § 164.508 – Uses and disclosures of PHI for which an authorization is required

HIPAA covered entities and business associates are allowed to use or disclose PHI to carry out treatment, payment, or healthcare operations without the patient’s authorization. Apart from the other uses and disclosures the Privacy Rule expressly permits or requires (for example, disclosures to the patient themselves or disclosures required by law), all other uses and disclosures require the patient’s prior written authorization. Patients have the right to receive a copy of any authorization they sign, and the right to revoke the authorization in writing at any time, except to the extent the covered entity has already acted in reliance on it.

45 CFR § 164.520 – Notice of Privacy Practices for PHI

Patients have the right to receive a HIPAA Notice of Privacy Practices. The Notice must explain what uses and disclosures of PHI are allowed, and when an authorization is required for other uses and disclosures. The Notice must also list the patient’s other rights, how to exercise them, and how to make a complaint if their privacy rights are violated.

45 CFR § 164.522 – Right to request privacy protection for PHI

Two of the HIPAA rights listed in the HIPAA Notice of Privacy Practices are that patients can request restrictions on certain uses and disclosures of PHI, and that they can request how covered entities communicate with them when a communication involves a disclosure of PHI. Covered entities are not obliged to agree to most restriction requests, but there is one exception they must honor: a request not to disclose PHI to a health plan for payment or healthcare operations when the patient has paid for the treatment in full out of pocket.

45 CFR § 164.524 – Access of individuals to PHI

The right in this standard should also be included in a HIPAA Notice of Privacy Practices inasmuch as it explains a patient’s right to inspect and receive a copy of their PHI within 30 days of the request (a deadline currently under review, with one 30-day extension permitted). Patients can also stipulate the form and format in which they want to receive a copy of their PHI – for example, by email, on a USB drive, or in paper format – and the covered entity must comply if the PHI is readily producible in that form and format.

45 CFR § 164.526 – The right to amend PHI

Patients have the right to request corrections to their medical records if, on obtaining a copy of their PHI, it is found to be inaccurate or incomplete. There are several scenarios in which a covered entity can decline to comply with this request. One that is increasingly common in these days of interoperability between covered entities is that the PHI was not created by the covered entity to whom the request is made; however, that ground for denial does not apply if the patient provides a reasonable basis to believe the originator of the PHI is no longer available to act on the request.

45 CFR § 164.528 – Accounting of disclosures of PHI

The right to receive an accounting of disclosures – which explains who the patient’s PHI has been disclosed to and why over the six years preceding the request – is one of the most complicated HIPAA rights standards because there are so many exclusions allowed. It is also possible for this right to be temporarily suspended, for a period specified by a health oversight agency or law enforcement official, if that agency or official states that an accounting would be likely to impede its activities.

The Importance of Patients’ Rights to Medical Records

Patients are encouraged to exercise their HIPAA Privacy Rule rights – especially the HIPAA patients’ rights to medical records required by 45 CFR § 164.524 – to improve their knowledge of their health and engage in their own care. The “sense of ownership” is believed to reduce misdiagnoses and medical mistakes by patients alerting healthcare providers to inaccuracies and omissions.

In addition to identifying any inaccuracies and omissions in their medical records, individuals exercising their patient rights under HIPAA can also help prevent fraud and abuse in the healthcare system by raising concerns about treatments that appear on their medical records they have not received. These indicate a third party has used the patient’s PHI to commit medical identity theft.

Rights under the HIPAA Breach Notification Rule

In addition to the rights granted by the HIPAA Privacy Rule, individuals also have HIPAA rights under the Breach Notification Rule – a Rule that specifies the process for reporting breaches of unsecured PHI. The Rule was extended in the Final Omnibus Rule in 2013 to include business associate data breaches, and further changes are being considered in response to the HIPAA Safe Harbor Act of 2021.

At present, patients have the right to be notified of any breach of unsecured PHI when there is reason to believe the PHI has been accessed, acquired, used, or disclosed without authorization. The notification must be sent without unreasonable delay, and no later than 60 days after the breach is discovered. It must explain how the breach happened, the nature of the PHI that was breached, and what steps individuals should take to protect themselves from harm as a result of the breach.

In addition, covered entities must describe what they are doing to investigate the breach, mitigate harm to individuals, and protect against further breaches. Covered entities must also provide contact details – which should include a toll-free number – where affected individuals can seek help or ask further questions. These procedures apply regardless of how many patients are affected.

Noncompliance with HIPAA Patient Rights

As mentioned in the introduction to this article, the failure to comply with Privacy Rule HIPAA rights is one of the leading reasons for complaints to HHS’ Office for Civil Rights (OCR) and subsequent enforcement action. In recent years, complaints about patients’ rights of access have been among the top five complaints investigated by OCR that have resulted in corrective action and/or a civil penalty.

As of December 2025, OCR has issued fines or reached settlement agreements with 55 covered entities for noncompliance with the HIPAA rights. It is important to note that the settlements of up to $200,000 involved smaller practices as well as larger organizations. Therefore, it is important that every covered entity is aware of – and provides HIPAA training on – patients’ HIPAA rights.

HIPAA Rights FAQs

Why might a patient not want their health plan informed they have received treatment?

When a patient receives medical treatment and pays for it in full privately, the patient has the right to request that the healthcare provider not disclose the treatment to their health plan, and the provider must honor that request. Patients may want this because of concerns that the plan could subsequently increase the premium, limit the benefits of the plan, or refuse future coverage. While decisions such as these are often appealed successfully, the appeal process can be particularly stressful while recovering from medical treatment.

Why does it matter how a covered entity communicates with a patient?

Face-to-face communications are usually exempt from this standard because they are likely to relate to the provision of treatment. However, remote communications (e.g., a telephone call to a patient’s workplace) could be overheard or intercepted by third parties (e.g., work colleagues) with whom the patient may not wish to share their personal information. This standard allows patients to request a preferred communication channel, location, and time, and covered entities must accommodate reasonable requests.

Do covered entities have to comply with the Breach Notification Rule if a breach affects just one patient?

This depends on the outcome of a risk assessment. If the risk assessment demonstrates a low probability that unsecured PHI has been compromised due to the unauthorized access, acquisition, use, or disclosure, covered entities do not have to notify patients (although they may still wish to do so). In all other cases, unauthorized disclosures of unsecured PHI have to be notified to affected individuals even if only one patient is affected.

How can covered entities avoid penalties for noncompliance with patients’ HIPAA rights?

In many cases, noncompliance with patients’ HIPAA rights is attributable to a lack of understanding. Therefore, to mitigate the risk of noncompliance, covered entities should develop policies and procedures to meet the requirements of the HIPAA Privacy and Breach Notification Rules, train members of the workforce on the policies and procedures, and organize periodic refresher training to maximize retention of the policies and procedures.

What exclusions apply to the accounting of disclosures right?

When a patient requests an accounting of disclosures, covered entities do not have to include disclosures made for treatment, payment, or healthcare operations, disclosures made to the patient, disclosures made pursuant to an authorization signed by the patient, disclosures for national security or intelligence purposes, or disclosures to correctional institutions or law enforcement officials that have custody of the patient. In addition, incidental disclosures, disclosures to persons involved in the patient’s care or for facility directories, disclosures of PHI in a limited data set, and disclosures of de-identified information do not have to be included in the accounting of disclosures. Ordinary disclosures to law enforcement – for example, in response to a court order – are not excluded and must be accounted for.

How many basic rights are covered under HIPAA?

As mentioned in the introduction to this article, HIPAA introduced multiple rights – including the rights of individuals to carry forward health insurance coverage, the rights of individuals not to be discriminated against due to a pre-existing condition, and the rights of individuals to have guaranteed health insurance renewability in multiemployer plans.

With regards to the rights to health information privacy and to access and correct health information (etc.), these are not “basic rights” in the sense that they are absolute or fundamental rights. Covered entities can disclose health information without patient authorization and deny an individual their right to access and correct health information in certain circumstances.

How many patient privacy rights are there?

Strictly speaking, there are six patient privacy rights mandated by the HIPAA Privacy Rule. However, once you include patients’ rights under the Breach Notification Rule and the right to request a review if a request to access or correct health information is denied – or a request for an accounting of disclosures is denied – it could be argued that there are eight patient privacy rights.

Are all healthcare providers required to comply with the standards for HIPAA patient rights?

No, because not all healthcare providers are covered entities under HIPAA, and healthcare providers that do not qualify as covered entities are not required to comply with the HIPAA Privacy Rule and the standards for HIPAA patient rights. However, even when healthcare providers are not required to comply with the standards for HIPAA patient rights, they may be required to comply with state privacy laws that have similar requirements to HIPAA.

For the record, only healthcare providers that conduct electronic transactions for which the Department of Health and Human Services has developed standards are covered entities. Covered electronic transactions include patient eligibility requests, treatment authorizations, and claims for payments. Therefore, if a healthcare provider conducts these transactions non-electronically or bills patients directly, the healthcare provider is not a HIPAA covered entity.

Do the standards for HIPAA privacy rights apply to pharmacies?

Although you might not think of a pharmacy as a healthcare provider, the HIPAA Administrative Simplification Regulations define health care as including “the sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.”

Consequently, provided the pharmacy conducts electronic transactions for which the Department of Health and Human Services has published standards and it sells or dispenses drugs in accordance with a prescription, it is a covered entity and the standards for HIPAA privacy rights apply.

One grey area relates to marijuana dispensaries. Strictly speaking, they are not covered entities under HIPAA because – unless they use a third-party service provider to conduct transactions on their behalf – they do not conduct covered transactions.

However, because of the sensitive nature of PHI collected by marijuana dispensaries, the Department of Health and Human Services has taken an interest in how HIPAA privacy rights are applied – notwithstanding that state privacy, security, and licensing laws may also dictate whether privacy rights similar to those stipulated by HIPAA apply to marijuana dispensaries.

What are HIPAA Special Enrollment Rights?

HIPAA special enrollment rights allow individuals to enroll in a health plan as a result of a special enrollment event such as the loss of other health insurance coverage, the acquisition of a dependent through marriage, birth, or adoption, or becoming eligible for a Medicaid or premium assistance subsidy.

The events eligible for special enrollment – and the requirements for special enrollment periods – can vary according to each State’s insurance licensing laws. To explain what events are eligible for special enrollment and how long individuals have to apply for special enrollment, health plans (and, in some cases, employers) are required to provide a HIPAA Notice of Special Enrollment Rights.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
