
Rule Update

Patient Rights Under HIPAA — A Practical Guide for Healthcare Providers

TL;DR

The HIPAA Privacy Rule grants patients eight specific rights over their Protected Health Information. The right of access — allowing patients to obtain copies of their records — is the most actively enforced by OCR. Covered entities must have documented processes for responding to each patient right request within required timeframes and must never deny rights requests without a legally recognized reason.

A complete guide to all eight patient rights under the HIPAA Privacy Rule — what each right requires, how to respond correctly, and the timelines your practice must meet.

medcomply.ai editorial team · Published May 11, 2026 · Updated May 11, 2026 · 8 min read

The HIPAA Privacy Rule grants patients specific rights over their Protected Health Information. These rights are not theoretical — they are actively enforced by OCR, and failure to honor them is one of the most frequent sources of HIPAA complaints and enforcement actions.

This guide covers all eight patient rights, what each requires in practice, the timelines you must meet, and how to handle common scenarios.

Right 1: Right to receive a Notice of Privacy Practices

45 CFR §164.520

Every covered entity must provide patients with a Notice of Privacy Practices that explains how their PHI may be used and disclosed, their privacy rights, and your legal duties.

What this requires:

  • Post the NPP in a clear and prominent location at your facility
  • Make the NPP available on your website if you have one
  • Provide the NPP to new patients at their first service delivery
  • Make a good-faith effort to obtain written acknowledgment that the patient received the NPP — though you can provide care even if the patient does not sign

2026 update: HHS published updated model NPPs in early 2026 incorporating Part 2 substance use disorder record requirements. If your NPP was last updated before 2026, review it against the updated model.

Common mistakes: Posting an outdated NPP, not providing the NPP to telehealth patients at first service, not having NPPs available in languages spoken by a significant portion of your patient population.

Right 2: Right of access to PHI

45 CFR §164.524

The right of access is the most actively enforced patient right under HIPAA. Patients have the right to inspect and obtain a copy of their PHI in a designated record set for as long as that PHI is maintained.

What this requires:

  • Respond to access requests within 30 days of receipt
  • One 30-day extension is permitted with written notice to the patient before the initial deadline
  • Provide records in the format requested if you can readily produce them in that format
  • Charge only a reasonable cost-based fee
  • Direct records to patient-designated third parties including apps and other providers upon request

Timeline: 30 days from the date of the written request. This clock does not restart if you need more information from the patient — it runs from the date the request was received.

Fees: You may charge a reasonable cost-based fee covering labor for copying, supplies for paper copies, and postage. For electronic records the fee should be minimal. You cannot charge per-page fees for electronic records or charge fees designed to discourage requests.

Grounds for denial: Limited to specific circumstances including psychotherapy notes, information compiled in anticipation of civil or criminal litigation, and situations where a licensed professional determines access would endanger the patient or another person. All denials must be in writing and must inform the patient of their right to request review of the denial.

Warning

OCR's Right of Access Initiative has produced dozens of enforcement actions, with penalties ranging from $3,500 to $240,000 for a single complaint. This is the most heavily enforced patient right. Every practice must have a documented access request process with clear deadline tracking.

Right 3: Right to request amendment

45 CFR §164.526

Patients may request amendments to their PHI if they believe it is inaccurate or incomplete.

What this requires:

  • Respond to amendment requests within 60 days of receipt
  • One 30-day extension permitted with written notice before the deadline
  • If you accept the amendment: make the amendment in the record, inform the patient, and notify others who have the PHI and who may have relied on it
  • If you deny the amendment: provide written denial stating the basis, inform the patient of their right to submit a statement of disagreement, and append any statement of disagreement to the record

Grounds for denial: You may deny an amendment if the PHI was not created by you, is not part of the designated record set, would not be available for access under the right of access rules, or is accurate and complete.

Common scenario: A patient disputes a diagnosis in their records. You may deny the amendment if the diagnosis is accurate in your professional judgment — but you must document your denial and append any patient disagreement statement to their record.

Right 4: Right to an accounting of disclosures

45 CFR §164.528

Patients may request an accounting of certain disclosures of their PHI made in the prior six years.

What this requires:

  • Respond within 60 days of a written request
  • One 30-day extension permitted
  • Provide an accounting for disclosures not made for treatment, payment, or healthcare operations — including disclosures to health oversight agencies, public health authorities, law enforcement, and others
  • You are not required to account for disclosures made for treatment, payment, or healthcare operations, or disclosures to the patient themselves

Recordkeeping: You must maintain records of disclosures subject to accounting for six years. Each record must include: the date of disclosure, the name and address of the recipient, a brief description of the PHI disclosed, and a brief statement of the purpose.

Right 5: Right to request restrictions

45 CFR §164.522(a)

Patients may request that you restrict certain uses or disclosures of their PHI.

What this requires:

  • You are generally not required to agree to a restriction — with one mandatory exception
  • Mandatory restriction: You must agree to a patient's request to restrict disclosure to a health plan for a specific service if the patient paid for that service entirely out of pocket and the restriction is for payment or healthcare operations purposes
  • If you agree to a restriction you must honor it except in emergencies

The mandatory exception in practice: If a patient pays out of pocket for a service and asks that you not bill their insurance or share the record with their health plan, you must honor that request. This is most commonly invoked for mental health, substance use disorder, and reproductive health services.

Right 6: Right to request confidential communications

45 CFR §164.522(b)

Patients may request that you communicate with them about their PHI through alternative means or at alternative locations.

What this requires:

  • Accommodate reasonable requests — you cannot require the patient to explain why they are making the request
  • Examples: a patient who requests that appointment reminders be sent to a specific phone number rather than their home address; a patient who requests that test results be mailed to a P.O. box rather than their home

What is reasonable: You must accommodate requests that are operationally feasible. You may require the patient to specify an alternative address or method and may condition the accommodation on payment information if relevant to billing.

Right 7: Right to receive notification of breach

45 CFR §164.404

Patients have the right to be notified when their unsecured PHI is breached. This right is implemented through the Breach Notification Rule rather than the Privacy Rule directly, but it is a fundamental patient right that covered entities must honor.

What this requires:

  • Notify affected individuals within 60 days of discovering a reportable breach
  • Notification must be in plain language and include all required content
  • See the full Breach Notification Rule guide for complete requirements

Right 8: Right to file a complaint

Patients have the right to file a complaint with you or directly with OCR if they believe you have violated their HIPAA rights.

What this requires:

  • Maintain a process for receiving and responding to patient privacy complaints
  • Document all complaints received and the resolution
  • Never retaliate against a patient for filing a complaint
  • Inform patients of their right to complain to OCR in your Notice of Privacy Practices

Practical implication: When a patient complains to your practice about a privacy issue, take it seriously, document it, and respond promptly. A patient complaint that is not addressed at the practice level frequently becomes an OCR complaint.

Personal representatives — who can exercise these rights

45 CFR §164.502(g)

Personal representatives have the same rights as the patient themselves. Personal representatives include:

  • Parents of minor children — generally, parents are personal representatives of their unemancipated minor children, with exceptions for services the minor can consent to independently under state law
  • Legal guardians — court-appointed guardians for adults who lack decision-making capacity
  • Healthcare power of attorney holders — individuals with durable healthcare POA during periods when the patient cannot make decisions
  • Executors and administrators — for deceased individuals

State law interacts significantly with personal representative rights, particularly for minor patients. Review your state's minor consent laws to understand when parental access may be limited.

Building your patient rights response process

Every practice needs documented processes for each patient right. At minimum your process for each right should include:

  • Who at your practice receives requests of this type
  • How requests are logged with the date received
  • The applicable response deadline and how it is tracked
  • Who is responsible for producing the response
  • How denials are handled and documented
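The process above asks for a log with receipt dates, tracked deadlines, and documented denials. The following request log is an added example written for this guide, not code from medcomply.ai or from any HHS tool. It encodes the response windows stated earlier (30 days for access, 60 for amendment and accounting, one 30-day extension that only counts if notice went out before the initial deadline, and a clock that never restarts) and flags denials that lack a written basis. It assumes all windows are counted in calendar days from receipt; the request identifiers and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Response windows from the guide, in calendar days from receipt of a written request
# (assumption: calendar days). Each right allows at most one 30-day extension, and only
# if written notice reaches the patient before the initial deadline passes.
RESPONSE_DAYS = {
    "access": 30,       # 45 CFR 164.524
    "amendment": 60,    # 45 CFR 164.526
    "accounting": 60,   # 45 CFR 164.528
}
EXTENSION_DAYS = 30


@dataclass
class RightsRequest:
    """One logged patient-rights request (request_id values are constructed)."""
    request_id: str
    right: str                                   # "access", "amendment" or "accounting"
    received: date                               # date the written request was received
    extension_notice_sent: Optional[date] = None  # date written extension notice went out
    completed: Optional[date] = None             # date the response was sent
    denied: bool = False
    written_denial_reason: Optional[str] = None  # basis stated in the written denial

    def initial_deadline(self) -> date:
        # The clock runs from receipt and does not restart if more information is needed.
        return self.received + timedelta(days=RESPONSE_DAYS[self.right])

    def extension_valid(self) -> bool:
        # An extension only counts if notice went out on or before the initial deadline.
        return (self.extension_notice_sent is not None
                and self.extension_notice_sent <= self.initial_deadline())

    def deadline(self) -> date:
        if self.extension_valid():
            return self.initial_deadline() + timedelta(days=EXTENSION_DAYS)
        return self.initial_deadline()


def status(req: RightsRequest, today: date) -> str:
    """Classify one request for a deadline-tracking report."""
    if req.denied and not req.written_denial_reason:
        return "denial-undocumented"   # every denial must be in writing and state its basis
    if req.completed is not None:
        return "late" if req.completed > req.deadline() else "closed"
    if today > req.deadline():
        return "overdue"
    if (req.deadline() - today).days <= 7:
        return "due-soon"
    return "open"


def report(requests, today: date) -> dict:
    """Map each request id to its tracking status as of `today`."""
    return {r.request_id: status(r, today) for r in requests}


# Constructed sample log: five requests received in spring 2026.
SAMPLE_LOG = [
    RightsRequest("R-001", "access", date(2026, 5, 1)),
    RightsRequest("R-002", "access", date(2026, 5, 1), extension_notice_sent=date(2026, 5, 20)),
    RightsRequest("R-003", "access", date(2026, 5, 1), extension_notice_sent=date(2026, 6, 5)),
    RightsRequest("R-004", "amendment", date(2026, 5, 1), completed=date(2026, 7, 2)),
    RightsRequest("R-005", "accounting", date(2026, 4, 15), completed=date(2026, 5, 20), denied=True),
]
SAMPLE_REPORT_DATE = date(2026, 6, 3)

if __name__ == "__main__":
    for rid, st in report(SAMPLE_LOG, SAMPLE_REPORT_DATE).items():
        print(rid, st)
```

Run as a script it prints one status per request. Note that R-003's extension notice went out after the initial 30-day deadline, so it earns no extra time and the request is simply overdue, while R-002's timely notice moves its deadline out by 30 days.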

Patient rights are not aspirational — they are enforceable legal obligations with clear deadlines. The practices that avoid OCR right-of-access complaints are those that treat every records request with urgency, track deadlines explicitly, and charge only what HIPAA allows. Build a process before you need it.

Sources & citations

  • 45 CFR §164.520 — Notice of Privacy Practices
  • 45 CFR §164.524 — Access to PHI
  • 45 CFR §164.526 — Amendment of PHI
  • 45 CFR §164.528 — Accounting of Disclosures

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

Can a patient request their records in electronic format?
Yes. If a patient requests records in a specific electronic format and you can produce them in that format, you must do so. If you cannot produce records in the requested format, you must provide them in a readable electronic format that the patient agrees to. OCR has also confirmed that patients may request their records be sent to patient-designated apps and third parties.

What can we charge for medical records requests?
HIPAA allows only a reasonable cost-based fee for providing access to records. For electronic records this is typically a small labor fee. OCR has penalized practices for charging per-page fees that it considers excessive for electronic records. You cannot charge fees designed to discourage patients from requesting records.

Can we deny a patient access to their records?
Only in narrow circumstances enumerated in 45 CFR §164.524(a)(2) and (a)(3). These include psychotherapy notes, information compiled in anticipation of litigation, and situations where access would endanger the patient or another person. Outside these specific exceptions, denial is a HIPAA violation. Denial without a legally recognized reason has resulted in OCR penalties ranging from $3,500 to $240,000.

Who has the right to access a patient's records?
The patient themselves has the right of access. Personal representatives — including parents of minor children, legal guardians, and individuals with healthcare power of attorney — generally have the same access rights as the patient. The rules governing personal representative access interact with state law, particularly for minor patients and situations involving domestic abuse.

What is the right to restrict and when must we honor it?
Patients may request restrictions on certain uses and disclosures of their PHI. You are not generally required to agree to restrictions — except in one mandatory situation: you must agree to a patient's request to restrict disclosure to a health plan if the service was paid for out of pocket in full and disclosure is for payment or healthcare operations purposes.

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.