HIPAA patient rights are the individual rights under the HIPAA Privacy Rule that give a person control over how protected health information is used and disclosed, require transparency through privacy notices, allow access to and correction of protected health information, provide accounting and communication options, and allow complaints to the provider and the U.S. Department of Health and Human Services, with breach notifications provided under the HIPAA Breach Notification Rule when unsecured protected health information is compromised.
A person has the right to receive a Notice of Privacy Practices from many healthcare providers and health plans and to request a paper copy in settings where the notice requirement applies. A person has the right to inspect and obtain a copy of protected health information maintained in a designated record set, subject to limited grounds for denial and procedural protections when denial rights apply. Requests for access require action within the required timeframe, and copies may be provided in the form and format requested when readily producible, including electronic formats. A provider may charge a permitted, cost based fee for copies in accordance with HIPAA Privacy Rule requirements.
A person has the right to request an amendment of protected health information in a designated record set, and the provider must act on the request within the required timeframe, granting the amendment or issuing a written denial that meets HIPAA Privacy Rule content requirements. A person has the right to receive an accounting of disclosures of protected health information for disclosures that fall within the accounting requirement, with defined exclusions such as disclosures for treatment, payment, and healthcare operations. A person also has the right to request restrictions on certain uses and disclosures, and a provider must comply with specific restriction requests for disclosures to a health plan when the individual has paid out of pocket in full for the applicable item or service and the restriction conditions are met.
A person has the right to request confidential communications, including receiving communications at an alternative location or by an alternative means, when the request meets HIPAA Privacy Rule standards. A person has the right to complain to the provider and to the U.S. Department of Health and Human Services if the person believes HIPAA requirements were not met, and the provider must not retaliate for filing a complaint. A person has the right to authorize uses and disclosures not otherwise permitted or required by the HIPAA Privacy Rule, and the person may revoke an authorization in writing subject to defined limits. When a breach of unsecured protected health information occurs and notification is required, the HIPAA Breach Notification Rule provides the right to receive a breach notice containing specified information within required timelines.