Guide to Patient Rights under HIPAA

Patient Rights under HIPAA

Patient rights under HIPAA include the rights to access health information, to request corrections when errors exist, to request restrictions on how health information is used, and to control who it is disclosed to. Patients also have the right under HIPAA to request an accounting of who their health information has been disclosed to, and the right to complain to their healthcare provider and/or HHS’ Office for Civil Rights if their patient rights under HIPAA are denied.

When Congress passed HIPAA in 1996, it instructed the Secretary of Health and Human Services (HHS) to make recommendations for the privacy of individually identifiable health information. According to the text of HIPAA, the recommendations had to address at least the following three points:

  • The rights an individual should have over their health information.
  • The procedures that should be established for the exercise of such rights.
  • The uses and disclosures of such information that should be authorized or required.

The recommendations made one year later closely resemble the patient rights under HIPAA that exist today. At the time, it was recommended that patients have the rights to inspect and copy health information, to request amendments, and to have access to a “disclosure history” (an accounting of disclosures) covering all disclosures except those made for treatment and payment purposes.

It was also recommended that patients have the rights to restrict disclosures of particular information – or disclosures to particular persons – and to control how health information was used and disclosed for non-permitted purposes via a HIPAA authorization form. The procedures for exercising patient rights under HIPAA were not discussed in the recommendations.

Patient Rights under HIPAA in the Privacy Rule

The recommendations were fine-tuned by the time the effective version of the Privacy Rule was published in 2002. The permissible uses and disclosures for which an authorization is not required and no accounting is necessary were extended to include healthcare operations, and an additional category was added in which patients must be given an opportunity to agree or object (§164.510).

Some procedures for exercising patient rights under HIPAA were also clarified in the Privacy Rule. For example, the minimum content of a HIPAA authorization form is specified in §164.508, and an entire section of the Privacy Rule (§164.520) is dedicated to the Notice of Privacy Practices, through which covered entities must advise individuals of their patient rights under HIPAA and how to exercise them.


The HIPAA Rights to Make a Complaint

The HIPAA rights to make a complaint did not feature in the HHS recommendations beyond the comment that procedures should be developed if a complaints process was adopted. However, these HIPAA rights now appear in two places in the Administrative Simplification Requirements – under §160.306 of the General Administrative Requirements and under §164.530 of the Privacy Rule.

Patients must be informed in the Notice of Privacy Practices of their HIPAA rights to make a complaint and of the process for making a complaint to HHS’ Office for Civil Rights (§160.306) and/or to the covered entity (§164.530). Covered entities must document all complaints received and their disposition (§164.530(d)); responding to complaints in a timely manner also reduces the likelihood of them being escalated to HHS’ Office for Civil Rights.

Under HIPAA Patients’ Rights are Not Absolute

An important point regarding HIPAA rights is that under HIPAA patients’ rights are not absolute. This means that covered entities do not have to – or may not be able to – comply with patients’ requests to exercise their HIPAA rights in all circumstances. Examples include when a more stringent state law takes precedence over HIPAA, or when a requested restriction on a disclosure could harm another patient.

It is important not only for covered entities to be aware of the exceptions to patients’ rights, but also that members of the workforce receive HIPAA training on how to explain to patients that their HIPAA rights do not apply in certain circumstances. Where possible, it can also be beneficial to include examples in the Notice of Privacy Practices or on a web page.

Patients’ Reasonable Expectations Under HIPAA

Along with the above patient rights under HIPAA, there are further “rights” that could be more accurately described as reasonable expectations. These include the reasonable expectation that health information will remain private and confidential, and that when health information does not remain private and confidential, the breach is notified to the patient in a timely manner.

If health information does not remain private and confidential, patients tend to restrict what they disclose to healthcare providers – potentially impeding the provider’s ability to correctly diagnose and treat a condition. If patients are not notified of a breach in a timely manner, criminals could misuse the information for many types of fraud for a longer period.

The Reasonable Expectation for HIPAA Enforcement

It should also be reasonable for patients to expect HHS’ Office for Civil Rights to enforce HIPAA. At present, that does not happen as often as it should. According to HHS’ latest Report to Congress, 64,592 breaches were notified to HHS’ Office for Civil Rights in 2022. The agency initiated investigations into 628 breaches (less than 1%) and issued fines in just three cases.

In the same year, the agency received 30,435 complaints alleging violations of the HIPAA Rules. Approximately 10% were resolved by technical assistance either before or after an investigation, but only eighteen of the complaints were resolved by a fine or by a settlement and Corrective Action Plan. The agency has asked Congress for more resources to enforce HIPAA, and is also seeking a solution to the HITECH Act requirement to share a percentage of HIPAA penalties and settlements with the individuals harmed by breaches.

Why it is Important to Comply with HIPAA Patient Rights Requirements

It is important to comply with the HIPAA patient rights requirements not only to avoid complaints being escalated to HHS’ Office for Civil Rights and potential penalties for non-compliance, but also to avoid patients perceiving a healthcare provider as non-compliant and restricting what information they disclose.

HIPAA covered entities – and, where appropriate, business associates – need to ensure they have policies and procedures in place to comply with the HIPAA patient rights requirements, that members of the workforce are trained on those policies and procedures, and that as much information as possible is provided to patients in order to avoid unjustified complaints.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.