HIPAA Privacy Laws: What Are Patient Rights Under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is instrumental in safeguarding patients' privacy rights and offering them control over their health information. What's great about HIPAA is that it gives patients certain rights that allow them to have a say in how their health information is used and shared.

In this blog post, we'll dive into these basic patient rights granted by HIPAA and explore the provisions of HIPAA privacy laws.

Patient Rights Under HIPAA

Under HIPAA, patients have the right to do all the following:

  1. Access Health Information: Patients can inspect and obtain a copy of their health or billing records held by health plans and healthcare providers. These may include medical and billing records, lab reports, and X-rays. A few exceptions include psychotherapy notes and information compiled for legal proceedings.
  2. Rectify Records: If patients believe the information in their records is incorrect or incomplete, they may ask the healthcare provider or health plan to fix it. The requesting individual must provide a reason supporting the request.
  3. Request Privacy Protection: Patients can request confidential communication about medical matters. They can ask healthcare providers to mail information to a different address or use another phone number.
  4. Accounting of Disclosure: Patients can request a report of certain types of disclosures of their health information made by the healthcare provider.
  5. File a Complaint: If patients believe their HIPAA rights have been violated, they can file complaints with their provider or the U.S. Department of Health and Human Services Secretary.

Understanding HIPAA Individual Rights

Notably, HIPAA individual rights diverge from the traditional concept of complete medical secrecy. The law allows certain parties to access and exchange health information without an individual's express consent. However, sharing medical information without consent must be "necessary and cannot reasonably be accomplished by less intrusive means."

For instance, a primary care physician may refer a patient to a specialist and share relevant medical history without needing explicit consent from the patient. This is done to facilitate timely, efficient care. HIPAA law states that patients can expect their information to be shared only when necessary and under strict permissions.

What Is Not a Patient Right Under HIPAA?

While HIPAA grants several rights to patients, certain aspects do not fall within the scope of patient rights under this federal law. For example, patients do not have the right to access health information held by organizations not covered by HIPAA, such as life insurers, employers, and most schools and school districts. They also do not have the right to access certain forms of psychotherapy notes or information compiled for a lawsuit. Many questions about HIPAA patient rights can be answered through the extensive resources published by the HHS.

Things that are not a patient's right under HIPAA:

  • Access to Non-Medical Information: Patients do not have the right to obtain non-medical information like employment records or education records.
  • Access to Information Held by Non-Covered Entities: HIPAA does not give patients the right to access their health information held by organizations not covered by HIPAA. Some examples include life insurers, employers, and most schools and school districts.
  • Complete Control Over Disclosures: Although HIPAA provides patients with many rights related to their health information, it does not give patients a say in every instance their information is disclosed. Providers can disclose patients' health information without consent for treatment, payment, and healthcare operations activities.
  • Access to Certain Records in a Lawsuit: Patients may not have the right to access certain information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding.
  • Right to Access Psychotherapy Notes: Patients generally do not have the right to access a healthcare provider's psychotherapy notes.

These restrictions reflect a balance within the law between protecting patient privacy and assuring that health information is accessible when needed for patient care.

HIPAA Privacy Laws and Violations

It's critical to understand that the unauthorized, unnecessary, or unconsented release of health information is a HIPAA violation with potential legal ramifications. If you believe your health information privacy rights or HIPAA Privacy Rules have been violated, you may file a complaint using the complaint portal on the HHS's website.

We must remember that while HIPAA allows sharing of health information to facilitate effective treatment, healthcare providers must always be respectful of patient privacy and share as little information as possible.

Ten of the most common HIPAA violations include:

  1. Unauthorized access to patient records: Employees accessing patients' healthcare records without authorization is a common violation, sometimes resulting in termination of employment or legal consequences.
  2. Failure to perform an organization-wide risk analysis: Organizations must regularly perform risk analyses to identify vulnerabilities in PHI confidentiality, integrity, and availability.
  3. Failure to manage identified risks: Known risks to PHI must be addressed and prioritized in a reasonable timeframe.
  4. Denying patients access to their health records: Patients have the right to access their medical records. Denying access, overcharging, or taking over 30 days to provide records violates HIPAA.
  5. Failure to have compliant business associate agreements: HIPAA requires having compliant business associate agreements with all vendors that have access to PHI.
  6. Failure to implement ePHI access controls: HIPAA Security Rule mandates covered entities and business associates to limit ePHI access to authorized individuals.
  7. Failure to safeguard PHI with encryption or equivalent measures: Adequate security measures must be in place for PHI and ePHI, such as encryption or an alternative equivalent solution.
  8. Delayed breach notifications: The Breach Notification Rule mandates organizations to issue breach notifications within 60 days. Exceeding this timeframe is a violation of HIPAA.
  9. Unpermitted PHI disclosures: Disclosing protected health information not allowed under the HIPAA Privacy Rule can attract financial penalties.
  10. Improper disposal of PHI/ePHI: Organizations must securely and permanently destroy physical and electronic PHI when they are no longer required, and retention periods have expired.

Not all HIPAA violations result in financial penalties. Many are resolved through guidance, technical assistance, or corrective action plans. However, businesses and healthcare providers must remain vigilant about HIPAA compliance to avoid the costly consequences of these common violations.

When it comes to HIPAA compliance and patient rights, education—for both healthcare providers and patients—is key. Healthcare providers need to focus on the privacy rights granted to patients under HIPAA, while patients should be proactive in understanding what HIPAA guarantees them. By cultivating this mutual understanding, we can ensure a more trustworthy and efficient healthcare system.

Has it been a while since you underwent HIPAA training? Many laws have changed in recent years, and a refresher course could be in order. Sign up today!