Individuals have certain rights under the HIPAA Privacy Rule regarding the use and disclosure of their protected health information (PHI) in whatever form it exists—oral, written, or electronic. Covered entities and business associates alike must ensure that they are prepared to properly address individuals exercising those rights.

1. Right to Request Access

Regulations under HIPAA have always recognized the importance of providing individuals with the ability to access and obtain a copy of their health information. With limited exceptions, the HIPAA Privacy Rule provides individuals with a legal, enforceable right to see and, upon request, receive copies of the information in their medical and other health records maintained by their health care providers and business associates.

2. Right to Request an Accounting of Disclosures

Individuals have the right to request a listing of all disclosures that were not associated with treatment, payment, or healthcare operations. The accounting of disclosures must contain the following for each disclosure:

  • the date of the disclosure;
  • the name and address of the person or entity that received the protected health information;
  • what information was disclosed; and
  • the reason for the disclosure.

3. Right to Request an Amendment

The HIPAA Privacy Rule provides individuals with the right to request an amendment of their PHI within the designated record set. The rule specifies the processes covered entities must follow in responding to such a request. Covered entities may require individuals to make requests for amendment in writing and to provide a reason to support the amendment, provided that they inform individuals in advance of such requirements.

4. Right to File Privacy Complaints

The individual has a right to file a complaint related to a privacy policy with the organization without alleging a violation of their rights. Also, any person who believes that a covered entity is not complying with the HIPAA Privacy Rule may file a complaint with the Office for Civil Rights (OCR), an agency of the Department of Health and Human Services (HHS). Individuals do not have to be a patient or resident of the healthcare provider or a beneficiary of a health insurance plan to file a complaint.

5. Right to Request Confidential Communications

Individuals have the right to request restrictions on how and where their PHI is communicated. To comply with the HIPAA Privacy Rule regarding confidential communications, the organization must permit individuals to request to receive communications of PHI by alternative means or at alternative locations.

6. Right to Request Restrictions

Under HIPAA, individuals have the right to request that a covered entity restrict the use of their PHI. In those cases, disclosure of the restricted information is allowable only in specific situations, such as emergencies.

For patients, the HIPAA Privacy Rule means being able to make informed choices when seeking care and reimbursement based on how personal health information may be used. For organizations, it’s their responsibility to protect a patient’s right to ensure that their health information is accurate and used only for authorized and allowable purposes.
