Patient Rights
Patients have rights over their own health information. Know them.
Overview
HIPAA's Privacy Rule grants patients specific rights over their protected health information. These rights create direct obligations for covered entities — and staff who handle patient information must understand both what patients are entitled to and how to respond correctly. Answer the five questions below with the precision expected of someone who could receive a patient rights request at work.
Read before you answer
The HIPAA Privacy Rule grants patients (data subjects) specific, enforceable rights over their protected health information. These rights are not merely ethical commitments — they are legal entitlements backed by the enforcement authority of the HHS Office for Civil Rights (OCR). Covered entities must have processes, designated contacts, and trained staff in place to respond to rights requests correctly and within the prescribed timeframes. Failure to honour patient rights is a HIPAA violation subject to civil monetary penalties.
The most frequently exercised right is the right of access under 45 CFR §164.524 — commonly called a "records request." Patients have the right to inspect and obtain a copy of their PHI maintained in a designated record set (typically medical records and billing records). The covered entity must provide access within 30 calendar days of receiving the request, extendable by a further 30 days with written notice to the patient. The information must be provided in the format requested by the patient if readily producible in that format. Fees may be charged only for the reasonable costs of copying, postage, and preparation — not as a barrier to access. The right to request amendment (§164.526) allows patients to request correction of inaccurate or incomplete PHI; the covered entity has 60 days to act, may deny the request on specified grounds, and must document any denial and allow the patient to submit a statement of disagreement.
Patients also have the right to an accounting of disclosures (§164.528) — a log of certain disclosures the covered entity has made of their PHI without their authorisation, covering the prior six years. This does not include disclosures for treatment, payment, or healthcare operations, nor disclosures the patient authorised. The Notice of Privacy Practices (NPP) must be provided to patients at their first service encounter and describes how the covered entity uses and discloses PHI, patient rights, and how to file a complaint. Patients have the right to request restrictions on uses and disclosures — the covered entity is generally not required to agree, with one important exception: if the patient pays out of pocket in full for a specific service, they have an absolute right to request that information about that service not be disclosed to their health plan, and the covered entity must agree.