Glossary of Patient Rights and Healthcare Legal Terms

This page provides reference definitions for the legal and regulatory terms most frequently encountered in patient rights frameworks across the United States. The terms defined here span federal statutes, administrative regulations, and clinical governance standards issued by agencies including the Department of Health and Human Services (HHS), the Centers for Medicare & Medicaid Services (CMS), and the Office for Civil Rights (OCR). Understanding these terms is foundational to interpreting patient rights protections, navigating disputes, and evaluating institutional obligations under US law.


Definition and scope

A patient rights term is any word, phrase, or concept with a defined legal or regulatory meaning that governs the relationship between a patient, a healthcare provider, a payer, and a regulatory authority. These definitions are not colloquial — they carry statutory or regulatory weight and determine the scope of enforceable protections.

The glossary below covers terms arising from at least 6 distinct federal statutory frameworks, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Emergency Medical Treatment and Labor Act (EMTALA, 42 U.S.C. § 1395dd), the Americans with Disabilities Act (ADA), the Affordable Care Act (ACA), the No Surprises Act (Division BB of the Consolidated Appropriations Act, 2021), and the Nursing Home Reform Act (42 U.S.C. § 1396r). State law adds a parallel layer; 50 jurisdictions maintain independent patient protection statutes that may expand but generally may not contract federal floors.

Core glossary entries:

Advance Directive — A legally executed document in which a patient specifies medical treatment preferences or designates a surrogate decision-maker, effective when the patient lacks decision-making capacity. Governed under the Patient Self-Determination Act of 1990 (42 U.S.C. § 1395cc(f)) and state-specific execution requirements. See also Advance Directives and Living Wills.

Informed Consent — The process by which a clinician discloses material information about a proposed treatment — including risks, benefits, and alternatives — and obtains a voluntary, competent agreement from the patient before proceeding. The legal standard varies between states as either the "professional practice" standard or the "reasonable patient" standard. See Informed Consent Rights.

HIPAA — The Health Insurance Portability and Accountability Act, which establishes federal minimum standards for the privacy and security of protected health information (PHI). The HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164) restricts disclosure of PHI without patient authorization and grants patients rights to access and amend their records. See Patient Privacy Rights – HIPAA.

Protected Health Information (PHI) — Any individually identifiable health information held or transmitted by a covered entity or business associate in any form, as defined under 45 C.F.R. § 160.103 (HHS).

Covered Entity — Under HIPAA, a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically. Defined at 45 C.F.R. § 160.103.

Grievance — A formal complaint submitted by a patient or authorized representative to a healthcare organization or regulatory body regarding care quality, rights violations, or billing disputes. CMS Conditions of Participation at 42 C.F.R. § 482.13(a) require hospitals to establish a grievance process. See Filing a Patient Grievance.

EMTALA — Emergency Medical Treatment and Labor Act; requires any Medicare-participating hospital with an emergency department to provide a medical screening examination and stabilizing treatment to any individual regardless of insurance status or ability to pay (CMS EMTALA overview). See Emergency Medical Rights – EMTALA.

Surrogate Decision-Maker — An individual authorized to make medical decisions on behalf of a patient lacking capacity. Authority may arise from a healthcare proxy document, durable power of attorney for healthcare, or state statutory hierarchy. See Healthcare Proxy and Durable Power of Attorney.

Prior Authorization — A payer requirement that a provider obtain approval before delivering a specified service for coverage to apply. The ACA and subsequent CMS rulemaking (CMS-0057-F, finalized 2024) impose interoperability and timeline requirements on prior authorization processes for certain payers (CMS).

Surprise Billing — A bill issued by an out-of-network provider when the patient had no reasonable opportunity to select an in-network provider, most commonly in emergency settings or at in-network facilities with out-of-network staff. The No Surprises Act, effective January 1, 2022, caps patient cost-sharing at in-network levels in qualifying scenarios (CMS No Surprises Act). See No Surprises Act Patient Guide.

Right to Refuse Treatment — A competent adult patient's legally recognized right to decline any medical intervention, rooted in common law battery doctrine and constitutional privacy principles, codified in state statutes and upheld in Cruzan v. Director (497 U.S. 261, 1990). See Right to Refuse Treatment.

Restraint — Any physical, chemical, or mechanical method that restricts a patient's freedom of movement and is not a standard treatment for the patient's medical condition. CMS Conditions of Participation (42 C.F.R. § 482.13(e)) govern restraint use in acute care hospitals. See Restraint and Seclusion Rights.


How it works

Patient rights terms function as legal reference points that define enforceable obligations. A term such as "informed consent" is not merely descriptive — it triggers a specific procedural requirement: the clinician must disclose, the patient must comprehend, and the agreement must be voluntary. Failure at any step can constitute battery or negligence under state tort law.

The operation of these terms follows a layered structure:

  1. Federal statute establishes the floor (e.g., EMTALA's screening obligation applies to all Medicare-participating hospitals regardless of state law).
  2. Federal regulation operationalizes the statute (e.g., 42 C.F.R. § 489.24 specifies EMTALA's procedural requirements).
  3. State statute or common law may add protections or set procedural standards (e.g., specific informed consent disclosure checklists mandated by state medical practice acts).
  4. Institutional policy translates regulatory requirements into facility-level procedures, subject to CMS Conditions of Participation, Joint Commission accreditation standards, or state licensing requirements.
  5. Enforcement action is initiated by OCR (for HIPAA violations), CMS (for Conditions of Participation breaches), state attorney general offices, or private civil litigation under applicable tort law.

HIPAA civil penalties, for example, are structured across 4 tiers based on culpability, with annual maximums reaching $1,919,173 per violation category as adjusted by the Federal Civil Penalties Inflation Adjustment Act (HHS penalty structure).


Common scenarios

Understanding when specific terms become operationally relevant requires examining the clinical and administrative situations in which they arise.

Scenario 1: Consent capacity dispute. A patient arrives in an emergency department in an altered state. Clinicians must determine whether the patient retains decision-making capacity — the ability to understand information, appreciate its consequences, reason about options, and communicate a choice. If capacity is absent, EMTALA's stabilization obligation applies, and the surrogate decision-maker hierarchy under state law governs further treatment decisions.

Scenario 2: Medical records access. A patient requests their complete medical record. Under the HIPAA Privacy Rule (45 C.F.R. § 164.524), the covered entity must act within 30 days of the request (with a single 30-day extension if written notice is provided). Fees are limited to labor, supplies, and postage — not a flat administrative charge. See Access to Medical Records.

Scenario 3: Surprise billing in an in-network hospital. A patient undergoes surgery at an in-network facility but is treated by an out-of-network anesthesiologist. Under the No Surprises Act, the patient's cost-sharing is calculated at the in-network rate, and balance billing is prohibited. The Independent Dispute Resolution (IDR) process governs payment disputes between the provider and payer.

Scenario 4: Nursing home restraint. A resident at a Medicare/Medicaid-certified long-term care facility is placed in a vest restraint without documented clinical justification. This constitutes a potential violation of 42 C.F.R. § 483.12, which prohibits physical restraints imposed for purposes of discipline or convenience (CMS Long-Term Care Requirements).


Decision boundaries

Not every clinical or administrative term used in healthcare settings carries legal or regulatory weight. Three classification boundaries determine whether a term triggers an enforceable obligation:

Boundary 1 — Statutory vs. policy terms. "Informed consent" is both a statutory and common law concept; "shared decision-making" is a clinical practice model with no equivalent statutory enforcement mechanism at the federal level. Failure to engage in shared decision-making does not itself constitute a federal violation, while failure to obtain informed consent can.

21 regulatory citations referenced · Citations verified Feb 25, 2026