The HIPAA Privacy Rule does more than restrict how organizations use health information; it gives individuals concrete rights over their own protected health information (PHI). For covered entities, honoring these rights promptly is both a legal duty and a frequent focus of enforcement.
## The right of access
The right to inspect and obtain a copy of one's own PHI in a designated record set is among the most important and most enforced rights. Key points:
- Individuals can request records in the form and format they prefer, if readily producible.
- Covered entities must generally act on a request within 30 days, with one possible 30-day extension if the individual is notified.
- Fees must be reasonable and cost-based; they may cover labor for copying, supplies, and postage, but not searching or retrieving records.
## The right to amend
Individuals may request that a covered entity amend PHI they believe is inaccurate or incomplete. The entity may deny certain requests, for example if it did not create the record or the information is accurate and complete, but it must follow a process and explain a denial, allowing the individual to submit a statement of disagreement.
## Accounting of disclosures
Individuals have the right to receive an accounting of certain disclosures of their PHI made by the covered entity. Many routine disclosures, such as those for treatment, payment, and operations, are excluded, but the right still covers a meaningful set of disclosures and requires organizations to keep adequate records.
## Requesting restrictions
Individuals may request restrictions on how their PHI is used or disclosed. Generally, a covered entity is not required to agree, with one notable exception: it must agree to restrict disclosure to a health plan for payment or operations when the individual pays out of pocket in full for the item or service and asks that the plan not be told.
## Confidential communications
Individuals may ask to receive communications by alternative means or at alternative locations, for example by phone at work rather than home, or to a specific address. Providers must accommodate reasonable requests.
## Notice of privacy practices
Individuals have the right to receive a notice describing how their information may be used and disclosed and what their rights are. Providers with a direct treatment relationship must make a good-faith effort to obtain written acknowledgment of receipt.

| Right | Typical timeframe / condition |
|---|---|
| Access | Act within 30 days (one 30-day extension possible) |
| Amendment | Act within 60 days (one 30-day extension possible) |
| Accounting | Covers certain disclosures over a defined lookback period |
| Restriction | Optional, except in the out-of-pocket payment scenario |

## Making rights real
To honor these rights consistently, organizations should designate who handles requests, train front-line staff to route them correctly, track deadlines, and document responses. Treating patient rights as a core workflow rather than an exception is the surest way to stay compliant and maintain trust.
## Access in the digital age
The right of access increasingly plays out through electronic records and patient portals. Where an individual requests an electronic copy of PHI maintained electronically, the covered entity must generally provide it in the electronic form and format requested if readily producible, or in a readable alternative the parties agree on. Individuals may also direct that a copy be sent to a third party of their choice, subject to specific requirements. Portals can satisfy much of the access right, but they do not eliminate it: if a patient wants information the portal does not provide, or wants it in a different format, the underlying obligation still applies. Designing access processes that work both inside and outside the portal avoids gaps.
## Common pitfalls to avoid
Several recurring mistakes generate complaints and enforcement attention. Charging more than reasonable, cost-based fees, or imposing per-page charges that exceed actual cost, is a frequent issue. So is requiring individuals to appear in person, mail a form, or explain why they want their records as a condition of access. Delays beyond the permitted timeframe, and refusing to send records to a third party the patient designated, also draw scrutiny. Reviewing your request forms, fee schedules, and staff scripts against the current HHS access guidance is a practical way to keep these workflows compliant.