Patient Privacy Rights Under HIPAA
HIPAA, the Health Insurance Portability and Accountability Act, reshaped the relationship between patients and their medical information when Congress passed it in 1996. Its Privacy Rule, issued by the Department of Health and Human Services in 2000 and modified in 2002, remains the floor standard for health data protection across the United States; states may add protections on top of it but may not go below it. This page covers what those privacy rights actually are, how they function in practice, where they apply, and where they stop. Understanding the mechanics matters because violations carry civil money penalties with an inflation-adjusted annual cap of roughly $1.9 million per violated provision (HHS Civil Money Penalties), and patients who know their rights are better positioned to notice when those rights have been crossed.
Definition and scope
The HIPAA Privacy Rule establishes federal protections for protected health information (PHI), a term defined precisely by HHS to mean individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or its business associate, in any form or medium (45 CFR § 160.103). "Individually identifiable" is broad: the rule's own de-identification standard lists 18 categories of identifiers that make health information identifiable, from a patient's name and birth date to IP addresses and device serial numbers, and information linked to any of them is PHI. The rule is not symbolic. It establishes affirmative patient rights and binding obligations on covered entities.
Those covered entities fall into three categories:
- Health plans — insurers, HMOs, Medicare and Medicaid, and employer-sponsored group health plans (a group plan with fewer than 50 participants that the employer administers itself is the one notable exclusion)
- Healthcare clearinghouses — entities that process health data from nonstandard to standard formats
- Healthcare providers — any provider who transmits health information electronically in connection with covered transactions, including hospitals, clinics, pharmacies, and individual physicians
Business associates, third-party vendors who create, receive, maintain, or transmit PHI on behalf of covered entities, such as billing companies or cloud storage providers, must be bound by a written business associate agreement and, since the HITECH Act of 2009, carry direct liability for their own compliance. A hospital's billing contractor is not an invisible actor under this framework.
The rule does not cover employment records held by an employer in its capacity as employer (even when that employer also sponsors a health plan), life insurance companies, or most law enforcement databases. That gap matters: a doctor's note a patient hands to HR for sick leave sits in an employment record outside HIPAA, even though the same information could not be sent from the patient's health plan to the employer without authorization. The right to privacy and confidentiality in healthcare is broader than HIPAA alone.
How it works
The Privacy Rule grants patients six core rights. These are not aspirational guidelines — they are legally enforceable entitlements:
- Right to access PHI — patients can inspect and obtain copies of their medical records, in the form and format they request (paper or electronic) if it is readily producible, within 30 days of the request, extendable once by 30 additional days with written notice of the reason for the delay (45 CFR § 164.524)
- Right to request amendment — patients may ask covered entities to correct inaccurate or incomplete records; the entity may deny the request but must document the denial and allow a statement of disagreement
- Right to an accounting of disclosures — patients can obtain a list of disclosures of their PHI for the six years preceding the request, excluding routine ones such as disclosures for treatment, payment, and healthcare operations, to the patient, or under the patient's own authorization
- Right to request restrictions — patients may ask providers to limit how PHI is used or disclosed, though providers are generally not required to agree except when a patient self-pays in full and requests that the information not be shared with their health plan
- Right to request confidential communications — patients can ask to receive communications at an alternate address or phone number
- Right to a Notice of Privacy Practices — covered entities must provide written notice of their privacy practices; providers with a direct treatment relationship must do so no later than the first service delivery and make a good-faith effort to obtain a written acknowledgment of receipt
The right to access medical records operates within this framework but extends into state law territory where state protections exceed federal minimums. For telehealth encounters specifically, access and disclosure rules carry additional complexity — the telehealth patient rights page covers those distinctions in detail.
Common scenarios
The Privacy Rule permits certain disclosures without patient authorization. Treatment, payment, and healthcare operations — collectively called "TPO" — are the most common. A radiologist sharing imaging with a treating surgeon does not need a signed release. A hospital billing department sharing a claim with Medicare does not either.
Outside TPO, the rule carves out disclosures required by law (mandatory disease reporting to public health authorities), disclosures to prevent serious threats to health or safety, and disclosures to law enforcement under narrow conditions. These are not patient-elected disclosures — they are permitted over patient objection.
Where things get genuinely complicated: psychotherapy notes receive higher protection than standard PHI and generally cannot be released even for TPO purposes without explicit authorization. This distinction becomes critical in mental health patient rights contexts, where the legal separation between psychotherapy process notes and a general psychiatric record is frequently misunderstood by both patients and providers.
Marketing uses of PHI — sharing patient data with pharmaceutical companies for promotional campaigns, for example — require written authorization in nearly all circumstances. That line has generated significant enforcement activity.
Decision boundaries
HIPAA privacy rights are not absolute, and the rule establishes a tiered disclosure hierarchy that determines when patient control yields to other interests:
- Highest protection: psychotherapy notes, HIV-related information (in states with additional protections), substance use disorder treatment records (governed separately under 42 CFR Part 2)
- Standard PHI: HIPAA sets the floor, and a stricter state law preempts it — see state patient rights laws for jurisdictions where state rules go further
- De-identified data: once health information meets either the "Safe Harbor" standard (all 18 identifier categories removed or generalized, with only the year of dates, the first three ZIP digits, and ages under 90 retained, plus no actual knowledge that what remains could identify the individual) or the "Expert Determination" standard (a qualified statistician documents that re-identification risk is very small), it is no longer PHI and HIPAA protections no longer apply at all (45 CFR § 164.514)
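The Safe Harbor standard is the one branch of this hierarchy that is mechanical enough to implement, and the details are where releases go wrong: dates must be reduced to the year, ages of 90 and over must be collapsed into a single bucket (including the birth year, which would otherwise reveal the age), three-digit ZIP prefixes covering 20,000 or fewer people must become 000, and free-text fields routinely smuggle identifiers through. The following is an added example, not code from the page or from HHS; the field names, the sample record, and the RESTRICTED_ZIP3 placeholder set are constructed assumptions for illustration, and a deployment would load the current census-derived ZIP list rather than this stub. It fails closed: only allow-listed fields pass through, everything else is generalized or dropped, and the output is scanned for residual identifier patterns before it is released.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) of a flat patient record.

Added example, not HHS or page code. Field names, SAMPLE_RECORD and the
RESTRICTED_ZIP3 set are constructed assumptions for illustration.
"""
from __future__ import annotations

import re
from datetime import date

# Fields carrying no individual identifier; they pass through unchanged. Any
# field not listed here, in DATE_FIELDS, or handled as ZIP is dropped, so a new
# source column (say, emergency_contact_phone) cannot leak by default.
PASSTHROUGH_FIELDS = {"state", "sex", "diagnosis_code", "encounter_type"}

# Dates directly related to the individual: reduced to the year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# 3-digit ZIP prefixes with 20,000 or fewer people must become "000".
# Placeholder set (assumption); load the current census-derived list in practice.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}

# Format-based patterns for identifiers that commonly survive in "safe" fields.
# A last-line check only: they do not catch names or oddly formatted MRNs.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

AS_OF = date(2024, 3, 1)  # reference date used for the sample run


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix; "000" for restricted prefixes or malformed input."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        return "000"  # malformed ZIP: treat as unknown rather than pass it through
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_bucket(birth_date: str, as_of: date) -> str:
    """Age in whole years; 90 and over collapse into a single bucket."""
    born = date.fromisoformat(birth_date)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age >= 90 else str(age)


def residual_identifiers(record: dict) -> dict[str, list[str]]:
    """Map each field whose string value still matches an identifier pattern."""
    hits = {}
    for field, value in record.items():
        if isinstance(value, str):
            found = [name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(value)]
            if found:
                hits[field] = found
    return hits


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor view of record, raising if an identifier survives."""
    out = {}
    for field, value in record.items():
        if field in PASSTHROUGH_FIELDS:
            out[field] = value
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            out[field + "_year"] = str(date.fromisoformat(value).year)
        # every other field (name, MRN, SSN, free-text notes, ...) is dropped
    if "birth_date" in record:
        out["age"] = age_bucket(record["birth_date"], as_of)
        if out["age"] == "90+":
            out.pop("birth_date_year", None)  # over 89, even the year reveals age
    leaks = residual_identifiers(out)
    if leaks:
        raise ValueError(f"identifiers survived de-identification: {leaks}")
    return out


# Constructed sample record for this example; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "mrn": "MRN-0042-7781",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "ip_address": "203.0.113.7",
    "street_address": "1 Example Way",
    "city": "Springfield",
    "state": "NY",
    "zip": "10301",
    "sex": "F",
    "birth_date": "1931-05-20",
    "admission_date": "2024-02-14",
    "discharge_date": "2024-02-19",
    "diagnosis_code": "E11.9",
    "notes": "Improved glucose control. Call back at 555-867-5309.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, AS_OF))
    # {'state': 'NY', 'zip3': '103', 'sex': 'F', 'admission_date_year': '2024',
    #  'discharge_date_year': '2024', 'diagnosis_code': 'E11.9', 'age': '90+'}
```

Two design choices matter more than the regexes. The allow-list means an unknown column is dropped rather than released, which is the safe default when source schemas change without notice. And the residual scan is deliberately a backstop, not the de-identification: it catches formatted identifiers that slipped into a field someone allow-listed, but it cannot recognize a name or a free-text reference to a relative, which is why narrative notes are excluded outright rather than scrubbed.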
The minimum necessary standard runs through most permitted uses and disclosures: covered entities must make reasonable efforts to use, disclose, or request only the PHI actually needed for a given purpose. It does not apply to disclosures to or requests by a provider for treatment, to disclosures to the patient, or to disclosures made under the patient's authorization, but everywhere else it binds. A request for a patient's allergy list does not authorize transmission of their complete psychiatric history.
Patients who believe their rights have been violated can file complaints directly with the HHS Office for Civil Rights within 180 days of when they knew, or should have known, of the violation; OCR may extend that window for good cause (HHS OCR Complaint Portal). The how to file a patient rights complaint page covers that process in detail, including what documentation typically strengthens a complaint. The federal agencies enforcing patient rights page situates OCR within the broader enforcement landscape, because HIPAA is enforced by one agency, but the ecosystem of patient privacy protection spans several.