Guide to Patient Rights under HIPAA
Patient rights under HIPAA include the rights to access health information, request corrections when errors exist, restrict how health information is used, and control to whom it is disclosed. Under HIPAA, patients also have the right to request an accounting of who their health information has been disclosed to, and the right to complain to their healthcare provider and/or HHS' Office for Civil Rights if their patient rights under HIPAA are denied.
When Congress passed HIPAA in 1996, it instructed the Secretary for Health and Human Services (HHS) to make recommendations for the privacy of health information. According to the text of HIPAA, the recommendations had to address at least the following three points:
- The rights an individual should have over their health information.
- The procedures that should be established for the exercise of such rights.
- The uses and disclosures of such information that should be authorized or required.
The recommendations made one year later closely resemble the patient rights under HIPAA that exist today. At the time, it was recommended that patients have the rights to inspect and copy health information, request amendments, and have access to a "disclosure history" (an accounting of disclosures) of all disclosures except those required for treatment and payment purposes.
It was also recommended that patients have the rights to restrict disclosures of particular information – or disclosures to particular persons – and to control how health information was used and disclosed for non-permitted purposes via a HIPAA authorization form. The procedures for exercising patient rights under HIPAA were not discussed in the recommendations.
Patient Rights under HIPAA in the Privacy Rule
The recommendations were fine-tuned by the time the effective version of the Privacy Rule was published in 2002. The permissible uses for which an authorization is not required and no accounting is necessary were extended to include healthcare operations, and an additional category was added in which patients must be given an opportunity to agree or object (§164.510).
Some procedures for exercising patient rights under HIPAA were also clarified in the Privacy Rule. For example, the minimum content of a HIPAA authorization form was specified in §164.508, and an entire section of the Privacy Rule (§164.520) is dedicated to how covered entities must advise individuals, in a Notice of Privacy Practices, how to exercise their patient rights under HIPAA.
The HIPAA Rights to Make a Complaint
The HIPAA rights to make a complaint did not feature in the HHS recommendations beyond the comment that procedures should be developed if a complaints process was adopted. However, these HIPAA rights now appear in two places in the Administrative Simplification Requirements – under §160.306 of the General Requirements and under §164.530 of the Privacy Rule.
Patients must be informed of their HIPAA rights to make a complaint and the process for making a complaint to HHS' Office for Civil Rights (§160.306) and/or the covered entity (§164.530) in the Notice of Privacy Practices. All complaints received by the covered entity must be documented and responded to in a timely manner to prevent them being escalated to HHS' Office for Civil Rights.
Under HIPAA, Patients' Rights are Not Absolute
An important point regarding HIPAA rights is that under HIPAA patients' rights are not absolute. This means that covered entities do not have to – or may not be able to – comply with patients' requests to exercise their HIPAA rights in all circumstances. Examples include when a state law preempts HIPAA or when a restriction on a disclosure could harm another patient.
It is important not only for covered entities to be aware of the exemptions to patients' rights, but also that members of the workforce receive HIPAA training on how to explain to patients that their HIPAA rights do not apply in certain circumstances. Where possible, it can also be beneficial to include examples in the Notice of Privacy Practices or on a web page.
Patients' Reasonable Expectations Under HIPAA
Along with the above patient rights under HIPAA, there are further "rights" that could be more accurately described as reasonable expectations. These include the reasonable expectation that healthcare information will remain private and confidential, and that when healthcare information does not remain private and confidential, the breach is notified in a timely manner.
If health information does not remain private and confidential, patients tend to restrict what they disclose to healthcare providers – potentially impeding the provider's ability to correctly diagnose and treat a condition. If patients are not notified of a breach in a timely manner, criminals could misuse the information for many types of fraud for a longer period.
The Reasonable Expectation for HIPAA Enforcement
It should also be reasonable for patients to expect HHS' Office for Civil Rights to enforce HIPAA. At present, that does not happen as often as it should. According to HHS' latest Report to Congress, there were 64,592 breaches notified to HHS' Office for Civil Rights in 2022. The agency initiated investigations into 628 breaches (<1%) and issued fines in just three cases.
In the same year, the agency received 30,435 complaints alleging violations of HIPAA Rules. Approximately 10% were resolved by technical assistance either before or after an investigation, but only eighteen of the complaints were resolved by a fine or settlement and Corrective Action Plan. The agency has asked Congress for more resources to enforce HIPAA, and is also seeking a solution to the HITECH requirement to share HIPAA settlements with the victims of breaches.
Why it is Important to Comply with HIPAA Patient Rights Requirements
It is important to comply with the HIPAA patient rights requirements not only to avoid complaints being escalated to HHS' Office for Civil Rights and potential penalties for non-compliance, but also to avoid patients perceiving a healthcare provider as non-compliant and restricting what information they disclose.
HIPAA covered entities – and, where appropriate, business associates – need to ensure they have policies and procedures in place to comply with the HIPAA patient rights requirements, that members of the workforce are trained on those policies and procedures, and that as much information as possible is provided to patients to avoid unjustified complaints.