The HIPAA Privacy Rule: Patients' Rights

Posted: Jul 01 2014 | Revised: Jul 01 2014

Introduction
The right to receive a notice of privacy practices
a. How do patients get a notice of privacy practices?
b. What does a notice of privacy practices include?
c. Why do health care providers ask patients to sign a form after they receive a notice of privacy practices?
d. Where can a patient ask questions or complain about privacy practices?
The right to access and request a copy of medical records
a. Does this right apply to electronic records?
b. Can a patient request that someone else be given access to her information?
c. Will a patient be charged fees to receive copies of medical records?
d. Can patients still access their records if a physician no longer practices medicine?
e. How long does a covered entity have to deliver a patient's requested records?
f. When can patients be denied access to their medical information?
g. What should patients do when they have trouble accessing or obtaining a copy of their medical records?
The right to request an amendment to medical records
The right to request special privacy protection for PHI
a. Can a patient pay out of pocket to restrict disclosures to insurers?
b. Can an individual make special requests regarding confidential communications about health information?
The right to an accounting of disclosures
a. How much information will an accounting of disclosures include?
b. How long will it take to receive an accounting of disclosures, and will it cost anything?
The right to access a minor child's medical records
a. Do parents have the right to see their minor children's medical records?
b. Can a doctor provide medical information to a child's school without a parent's permission?
c. Are a child's medical records in school files covered under HIPAA?
Resources

1. Introduction

This guide explains the rights that patients have under the HIPAA Privacy Rule. It also answers many questions the Privacy Rights Clearinghouse receives from individuals on a regular basis.

For more information about HIPAA and medical privacy, see Privacy Rights Clearinghouse: Medical Privacy.

2. The right to receive a notice of privacy practices

Patients have the right to receive a notice explaining how a provider or health plan uses and discloses their health information.

a. How do patients get a notice of privacy practices?

Health care providers usually give patients this notice on their first visit and post it in the facility where patients may see it. Health plans (insurers) typically send their notices by mail after patient enrollment.

b. What does a notice of privacy practices include?

A notice of privacy practices (NPP) will often contain jargon that can be difficult for patients to understand. For explanations of commonly used HIPAA terms, see Privacy Rights Clearinghouse Fact Sheet 8a: HIPAA Basics.

A notice of privacy practices (NPP) must:

describe how the HIPAA Privacy Rule allows the covered entity to use and share protected health information (PHI), and state that it will obtain the patient's permission for any other reason;
tell patients about their rights under the HIPAA Privacy Rule;
tell patients how to file a complaint with the covered entity;
tell patients how to file a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights;
provide information about a patient’s rights to restrict fundraising solicitations; and
explain the need to obtain a patient’s written authorization for marketing or the sale of the patient’s PHI.

For more information about notices of privacy practices, see HHS' website or 45 CFR § 164.520.

For more information about how covered entities such as health care providers and health insurers may use or disclose PHI, see PRC Fact Sheet 8b: The HIPAA Privacy Rule: How May Covered Entities Use and Disclose Health Information.

c. Why do health care providers ask patients to sign a form after they receive a notice of privacy practices?

Health care providers will ask patients to sign a form saying that they received a copy of the notice of privacy practices. The law does not require patients to sign this. However, signing does not waive a patient’s rights under HIPAA, and does not mean that the patient agrees with the privacy policy.

If a patient refuses to sign, it does not prevent a health care provider from using or disclosing information in ways already permitted under HIPAA. A provider may not deny treatment if a patient refuses to sign an acknowledgement of having receive a notice of privacy practices.

d. Where can a patient ask questions or complain about privacy practices?

The notice of privacy practices will provide information about who to contact with privacy questions and how to complain. This is a good place to start when a question arises. If a patient doesn’t have a copy of the notice, there may be one on the provider's or health plan’s website. If there isn’t one online, a covered entity's administrative office will be able to provide the information and a copy of the notice.

3. The right to access and request a copy of medical records

HIPAA gives patients the right to see and receive a copy of their medical records (not the original records). See 45 CFR § 164.524 for exact language.

Tip: To find out how to request access to a medical record, look at the notice of privacy practices. Patients can always request a copy of the notice, which should provide instructions for requesting records as well as contact information for asking questions or filing complaints.

a. Does this right apply to electronic records?

Yes. Patients have the right to access both paper and electronic records. An individual may request information in a specific format, and the covered entity must comply with the request if the data is readily producible. If the data is not readily producible in the patient’s specified format, the covered entity and individual can agree on another format. If they can’t reach agreement, the covered entity will produce a hard copy.

For example, a patient might ask her doctor’s office to provide her records on an external portable storage device such as a USB drive. If the doctor’s office doesn’t agree to use the USB drive because it believes it is a security risk, the office and patient may reach agreement about another format. If they don’t agree, the doctor may provide a hard copy.

To learn more about the right to access information in an electronic health environment, see HHS’ publication: The HIPAA Privacy Rule’s Right of Access and Health Information Technology.

b. Can a patient request that someone else be given access to her information?

Yes. Often patients want providers to send their health information to third parties such as another doctor, a relative, or an attorney. To do this, the patient should sign a request that clearly identifies which records to send, the designated person, and where to send the records.

c. Will a patient be charged fees to receive copies of medical records?

Most likely. HIPAA allows covered entities to charge a “reasonable, cost-based fee.” The covered entity can charge for supplies, staff time for copying and processing, and mailing (if applicable).

The covered entity may charge for the time staff spends copying and processing the record. However, it may not charge for the time a staff member spends searching for the record. In addition, the covered entity should not adopt a policy of charging a flat fee or charging a patient to view a record.

Note that state law may limit a covered entity’s ability to charge for records.

The HIPAA Rule provides the following example. If state law limits costs to 25 cents a page and the actual cost is only four cents per page, then the covered entity may charge only four cents. If the cost is 30 cents per page and state law allows for 25 cents, then the covered entity may charge no more than 25 cents. In short, the consumer is charged the lesser amount.

d. Can patients still access their records if a physician no longer practices medicine?

According to the American Health Information Management Association, state and federal law will dictate how long a physician must retain records (HIPAA does not include a record retention period).

Patients may be able to find their records by contacting:

the physician’s partners;
the health information manager or privacy officer at a hospital or facility where the physician practices;
a local medical society;
the state medical association; or
the state department of health.

e. How long does a covered entity have to deliver a patient's requested records?

A covered entity must produce records 30 days from the date of request. HIPAA allows a covered entity one 30-day extension if it provides written notice to the patient stating the reason for the delay and the expected date. This applies to both paper and electronic records.

f. When can patients be denied access to their medical information?

A covered entity may deny a patient's request for access under certain circumstances. Typically the covered entity must issue a written denial letter, and in some cases, an individual may be able to appeal a denial.

As a general rule, patients do not have the right to access their own psychotherapy notes or information a covered entity compiled for legal proceedings.

Individuals may be denied access to their protected health information (PHI) without the right to review the denial in the following situations:

Correctional institutions may deny an inmate's request for a copy of PHI if it jeopardizes the health, safety, security, custody, or rehabilitation of the individual or other inmates. It may also deny a request that jeopardizes the safety of any person at the correctional institution or those responsible for transporting the inmate.
If a covered health care provider obtains or creates PHI in the course of research, it may temporarily suspend access while the research is in process. This applies if the individual agreed to the denial when he or she decided to participate in a study and understands that the right will be reinstated when the research is complete.
If a record that contains PHI is subject to the Privacy Act there are certain circumstances where an individual may not be able to access the record.
If the PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would likely reveal the source of the information, and individual may not be able to access the information.
45 CFR § 164.524(a)(2)(i)-(v)

Sometimes individuals have the right to have denials of access reviewed by a licensed healthcare professional. If so, the patient should receive instructions telling him or her how to appeal the denial. The covered entity will designate a reviewing official who did not participate in the original decision to deny access. See 45 CFR § 164.524(a)(3) for exact language.

g. What should patients do when they have trouble accessing or obtaining a copy of their medical records?

We recommend to start a complaint process by first contacting the health care provider’s designated privacy of HIPAA compliance officer. Doing so documents the complaint, and also indicates that the individual has made a good faith effort to resolve the problem.

In addition, there are ten HHS/OCR Regional Offices located throughout the country with staff counselors available to answer patient questions.

If there are further problems or the provider ignores a complaint, the individual may want to proceed with an HHS complaint. Although government agencies cannot represent individuals, consumer complaints often alert agencies to HIPAA violations. HIPAA says people cannot be denied treatment because of a complaint.

HIPAA does not prevent states from passing laws that enhance protections. George Washington University also has a guide, Health Information and the Law, which includes information on state laws.

4. The right to request an amendment to medical records

When patients access a medical record and find information they believe is inaccurate, they may file a written request that the record be corrected. The covered entity must respond to the request within 60 days. It may decide to take an additional 30 days, but must provide the individual with a written explanation for the delay and a date by which it will complete the action.

If the covered entity denies the request, it must provide the patient with the following information in writing:

the basis for the denial (for example, the covered entity did not create the record, the information is not part of the designated record set, the individual is not allowed to access the record under another HIPAA provision, or the record is accurate and complete);
that the individual has a right to submit a written statement disagreeing with the denial;
that the individual may request that the covered entity provide the request for amendment and the denial with any future disclosures that pertain to the request; and
how the individual may complain.

For more information see 45 CFR §164.526.

5. The right to request special privacy protection for PHI

Under HIPAA, covered entities must allow an individual to make specific privacy requests. While an individual has the right to make a request, in most situations the covered entity is not required to agree.

If a covered entity agrees to honor an individual's privacy request, it must comply unless the individual needs emergency treatment and the restricted PHI is necessary to provide the treatment. In an emergency situation where the covered entity must disclose information it agreed to restrict, it must request that the information not be further disclosed. See 45 CFR § 164.522(a).

Tip: Make any special privacy requests in writing and keep a signed copy if the covered entity agrees to follow it.

a. Can a patient pay out of pocket to restrict disclosures of protected health information?

A covered entity such as a doctor must agree to an individual's request to restrict disclosure of her PHI to a health plan if:

the disclosure is for the purpose of carrying out payment or health care operations and is not required by law; and
the PHI only pertains to an item or service for which the individual has paid in full.

What is an example of a disclosure required by law? A provider may be required by law to report to a health plan even if a patient pays in full. For example, providers must report Medicare claims. A patient can pay out of pocket and decline to approve a claim submitted to Medicare. In this situation a claim will not be submitted and a doctor can charge the patient no more than the allowed Medicare payment.

Is a provider responsible for notifying other doctors about restricted information? Although HHS encourages providers to notify others such as pharmacies or other doctors if feasible, they are not required to do so. HHS also encourages providers to engage with patients to make sure they understand that it is ultimately the patient's responsibility to request a restriction.

Is it possible to pay out-of-pocket for one condition only? This is an issue patients should discuss with their providers. HHS says a provider should accommodate a patient's request to "unbundle" services when possible. For a detailed discussion of the right to request a restriction, see 78 Federal Register 5566, January 25, 2013, pp 5626-5630.

Another helpful resource is the World Privacy Forum's in-depth report titled "Paying out of Pocket to Protect Health Privacy: A New but Complicated HIPAA Option; A Report on the HIPAA Right to Restrict Disclosure."

b. Can an individual make special requests regarding confidential communications about health information?

A health care provider must accommodate an individual's reasonable request to receive communications by alternative means or at alternative locations. For example, an individual might request that a provider contact her via her cell phone or a P.O. Box rather than a home address.

A health care provider may not require that the individual provide an explanation as to why she is making the request. 45 CFR § 164.522(b)(2)(iii).

A health plan must accommodate reasonable requests to receive communications from the health plan by alternative means or at alternative locations if the individual clearly states that the disclosure of the information could endanger him or her. 45 CFR § 164.522(b)(2)(iv).

6. The right to an accounting of disclosures

HIPAA enables patients to learn to whom the covered entity has disclosed their PHI. This is called an “accounting of disclosures.” The accounting will cover up to six years prior to the individual's request date and will include disclosures to or by business associates of the covered entity. See 45 CFR § 164.528.

a. How much information will an accounting of disclosures include?

For each disclosure, the accounting must state:

the date of the disclosure;
the name of the entity or person who received the PHI, and, if known, the address;
a brief description of the PHI disclosed; and
a brief statement of the purpose of the disclosure

The accounting does not include information about disclosures the covered entity made:

to carry out treatment, payment, or health care operations;
to the individual for information about him or her;
incident to a use or disclosure that HIPAA permits or requires;
that the individual authorized;
for a facility's directory or persons involved in the individual's care;
for national security or intelligence purposes;
to correctional institutions or law enforcement officials;
as part of a limited data set that excludes a number of identifiers and is disclosed for research, public health, or health care operations; or
that occurred prior to the date by which the covered entity had to comply.

b. How long will it take to receive an accounting of disclosures, and will it cost anything?

Within 60 days of receiving a request for an accounting, a covered entity must:

provide the accounting; or
extend the time by no more than 30 days as long as it provides the individual with a written statement of the reasons for the delay and date by which it will provide the accounting.

A covered entity must provide the first accounting (during any 12 month period) free of charge. If an individual requests more than one accounting during a year, the covered entity may impose a cost-based fee on subsequent requests. However, if it is going to charge, the covered entity must inform the individual of the fee in advance and give him an opportunity to withdraw or modify the request.

There have been changes proposed regarding the requirements for an accounting of disclosures that would, for example, include disclosures made for the purposes of treatment, payment, or healthcare operations. There has been no final agreement on the format and information a covered entity must account for in response to a patient's request. For more information and updates, see HHS' Office of the National Coordinator for Health Information Technology's (ONC) website.

7. The right to access a minor child's medical records

a. Do parents have the right to see their minor children's medical records?

Yes, in most situations. Under the HIPAA Privacy Rule, a covered entity can disclose a minor child's PHI to a parent acting as a child's "personal representative" as long as it is consistent with state and other law. See 45 CFR §164.502(g).

HHS provides the following examples of situations where a parent may not access a minor's medical record:

a minor consents to care, and law does not require parental consent;
a court or person appointed by the court directs a minor to obtain care; and
a parent agrees that the minor and health care provider may have a confidential relationship.

The HHS website provides additional information about access to a minor's health records.

The Guttmacher Institute has a guide to relevant state laws: Minors and the Right to Consent to Health Care.

b. Can a doctor provide medical information to a child's school without a parent's permission?

Generally a health provider must have written authorization to disclose any information that HIPAA doesn't specifically allow.

However, there is an exception for school immunization records. According to HHS, most states have "school entry laws" which prohibit a child from attending school without proof of immunization. Therefore health care providers may provide immunization records to a school upon oral agreement by a parent, guardian, or person acting in the place of a parent.

c. Are a child's medical records in school files covered under HIPAA?

No. Medical records maintained by schools are subject to another federal law, the Family Education Rights and Privacy Act (FERPA). The U.S. Department of Education enforces FERPA which has published a guide with HHS that explains how FERPA and HIPAA apply.

To learn more about medical records and schools, see PRC Fact Sheet 29: Privacy in Education: Guide for Parents and Adult Age Students and the Department of Education website.

8. Resources

Additional Privacy Rights Clearinghouse materials

Medical Privacy and California Medical Privacy Fact Sheets

Federal Laws and Regulations

Health Information for Technology for Economic and Clinical Health Act (HITECH), Title XIII, Pub. Law 111-5, 123 Stat. 226, February 17, 2009

Omnibus Rule, 78 Federal Register, January 25, 2013

Accounting of Disclosures, proposed rule, August 1, 2011

HIPAA Privacy Rule of 2003

Filing a HIPAA Complaint

U.S. Department of Health and Human Services (HHS)

Office of Civil Rights