Patient Rights [45 CFR 164.520-534]
Rule: HIPAA grants individuals specific rights regarding their protected health information that covered entities must honor.
Right of Access [§164.524]
| Aspect | Requirement |
|---|
| Scope | Access to PHI in designated record set |
| Format | Paper or electronic, as requested if readily producible |
| Timing | Within 30 days (one 30-day extension permitted) |
| Fees | Reasonable, cost-based (labor, supplies, postage) |
| Denial | Limited grounds, must provide review process |
Grounds for Denial (No Review Required)
- Psychotherapy notes
- Information compiled for legal proceedings
- Information from confidential sources (correctional institutions)
Grounds for Denial (Review Required)
- Endangerment to individual or others
- Reference to another person who may be harmed
- Individual’s personal representative, harm to individual
Right to Amend [§164.526]
| Aspect | Requirement |
|---|
| Scope | PHI in designated record set |
| Timing | Act within 60 days (one 30-day extension) |
| Denial grounds | Accurate and complete, not part of record set, not available for access |
| Process | Must inform individual, allow statement of disagreement |
Right to Accounting of Disclosures [§164.528]
| Aspect | Requirement |
|---|
| Scope | Disclosures made in past 6 years |
| Timing | Within 60 days (one 30-day extension) |
| Content | Date, recipient, description, purpose |
| Exceptions | Treatment, payment, operations, patient request, certain others |
Right to Request Restrictions [§164.522]
| Aspect | Requirement |
|---|
| Scope | Restrictions on uses/disclosures |
| Entity obligation | Not required to agree (with one exception) |
| Mandatory restriction | Disclosure to health plan for service paid out-of-pocket in full |
Right to Confidential Communications [§164.522]
| Aspect | Requirement |
|---|
| Scope | Alternative means or location for communications |
| Health plans | Must accommodate reasonable requests |
| Providers | Must accommodate if reasonable, may require how payment handled |
Right to Notice of Privacy Practices [§164.520]
| Aspect | Requirement |
|---|
| Timing | At first service delivery (providers); at enrollment (plans) |
| Content | Uses/disclosures, rights, duties, contact information |
| Availability | Must provide on request, post on website |
Right to File Complaint
Individuals may file complaints with:
- The covered entity’s privacy officer
- HHS Office for Civil Rights
Covered entities may not retaliate against individuals for filing complaints.
Citation
45 CFR Part 164 Subpart E — Privacy of Individually Identifiable Health Information