The HIPAA Toolkit

July 31, 2019

Individual rights under HIPAA

What rights do individuals have with respect to their protected health information?

Individuals have the right to

  • Access their medical records and other information
  • Request changes or amendments to their PHI
  • Request an accounting of disclosures of their PHI
  • Request certain restrictions on the use and disclosure of their PHI
  • Request that they be contacted at different places or via different means than the provider might otherwise contact them. 

Does a healthcare provider have to accommodate a patient's request to amend his/her medical record?

No. Although the HIPAA Privacy Rule gives individuals the right to request an amendment of their PHI that is contained within the designated record set, it does not require the healthcare provider to honor all such requests. A healthcare provider may deny an amendment request if it determines that the PHI or record that is the subject of the request:

  • Was not created by the healthcare provider (though the provider may amend a record that it did not create if the originator is no longer available to act on the request)
  • Is not part of the Designated Record Set
  • Would not be available for inspection
  • Is accurate and complete.

Is there a deadline for responding to an amendment request?

Yes. Covered entities must act on the individual’s request within 60 days of receiving the request. The 60-day period may be extended by an additional 30 days, but only one such extension is allowed. If a covered entity needs to extend the time for acting on the request, it must notify the patient in writing, and the notice must provide a reason for the delay and the date by which the amendment request will be processed.

The titles of the persons or offices responsible for receiving and processing requests for amendments by individuals must be documented and the documentation must be retained for a period of at least six years from the later of the date of its creation or the date when it last was in effect. 

Can a covered entity require patients to make amendment requests in writing?

Yes. Covered entities may also require that patients provide a reason to support the amendment, so long as their Notice of Privacy Practices advises patients of these requirements.

Can a covered entity deny a request to amend if the covered entity believes the amendment would be inappropriate?

Yes, but certain requirements must be followed when denying an amendment request. If a covered entity denies the requested amendment, in whole or in part, it must provide the individual with a timely, written denial. The denial must use plain language and must contain:

  • The basis for the denial.
  • The individual’s right to submit a written statement disagreeing with the denial and how the individual may file such a statement.
    • The individual must be permitted to submit a written statement disagreeing with the denial and the basis of such disagreement. However, the covered entity may reasonably limit the length of such statement. If the individual does submit a written statement of disagreement, the covered entity may prepare a written rebuttal, a copy of which must be provided to the individual. If the individual submits a statement of disagreement, the individual's request for an amendment, the covered entity's denial of the request, the individual's statement of disagreement, and the covered entity's rebuttal, if any, all must be included with any subsequent disclosure of the PHI to which the disagreement relates. Alternatively, the covered entity may include an accurate summary of any such information.
    • If the individual does not submit a written statement of disagreement, the individual’s request for amendment and the covered entity's denial, or an accurate summary of such information, must be included with any subsequent disclosure of the protected health information, but only if the individual has requested that this information be included with subsequent disclosures. 
  • A statement that, if the individual does not submit a statement of disagreement, s/he may request that the covered entity provide the individual's request for amendment and the denial with any future disclosures of the protected health information that is the subject of the amendment.
  • A description of how the individual may complain to the covered entity or to HHS. This description must include the name, or title, and telephone number of the contact person or office.

Covered entities must identify the record or PHI in the designated record set that is the subject of the disputed amendment and append or otherwise link to the designated record set: (1) the individual’s request for an amendment; (2) the covered entity's denial of the request; (3) the individual’s statement of disagreement, if any; and (4) any rebuttal.

What must a covered entity do if it accepts an amendment request?

If a covered entity accepts the requested amendment, in whole or in part, it must do the following:

  • Make the appropriate amendment to the PHI or record that is the subject of the request by, at a minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.
  • Timely inform the individual that the amendment is accepted and obtain the individual’s identification of – and agreement to have the covered entity notify – the relevant persons with whom the amendment needs to be shared.
  • Make reasonable efforts to inform – and provide the amendment within a reasonable time to – those persons the individual has identified as having received PHI about the individual and needing the amendment; and other persons, including business associates, whom the covered entity knows are in possession of the PHI that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual.  

Does a covered entity have to amend a patient’s designated record set if another covered entity amends the patient’s PHI?

Yes. If a covered entity is notified by another covered entity of an amendment to an individual’s PHI, then it must amend the designated record set accordingly. 

Can a patient restrict or limit how a covered entity uses or discloses PHI?

Yes. Under the HIPAA privacy regulations, individuals have a right to request that a covered entity restrict its use or disclosure of PHI in the following circumstances:

  • To carry out treatment, payment, or healthcare operations;
  • To the patient’s family member, other relative, close personal friend, or any other persons who might otherwise receive disclosures of PHI;
  • To notify, or assist in the notification of (including identifying or locating), a patient’s family member, personal representative, or other person responsible for the patient’s health care, about the patient’s location, general condition or death;
  • To make reasonable determinations regarding limited uses and disclosures when the individual is not present;
  • To public or private entities authorized to assist in disaster relief efforts, in order to notify or assist in the notification of (including identifying or locating), a patient’s family member, personal representative or other person responsible for the patient’s health care, about the patient’s location, general condition or death.

Does a covered entity have to comply with a patient’s request for a restriction?

In general, a covered entity is not obligated to agree to a patient’s request for a restriction, nor is it required to cite a reason for refusing to agree to any request for a restriction.

The only exception to this rule is that a covered entity MUST comply with a requested restriction if:

  • Disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for the purposes of carrying out treatment);
  • The PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full; and
  • The disclosure is not otherwise required by law.

Covered entities must notify patients of this right in their notices of privacy practices.

Can a patient restrict what a covered entity discloses to Medicare?

Yes. Medicare beneficiaries have a right to restrict disclosures if they choose not to file a claim with Medicare and to pay for a covered service out of pocket. If a beneficiary refuses to authorize the submission of a bill to Medicare, the covered entity is not required to submit a claim to Medicare for the service.

May a covered entity disclose restricted PHI if the use or disclosure is otherwise permitted under the Privacy Rule?

No. Disclosing PHI for which a covered entity has agreed to a restriction is a violation of the HIPAA Privacy Rule and may subject the covered entity to criminal penalties, civil penalties, and/or corrective action. 

Must restricted health information be kept separate from the rest of the patient’s medical record?

No. Covered entities are not required to maintain separate health records or segregate restricted health information. However, they must “employ some method to flag or make a notation in the record” that disclosure of certain information has been restricted. 

What is an accounting of disclosures?

Subject to certain exceptions, covered entities are required to account for known disclosures of patients’ PHI and patients have a right to request and to receive a report detailing these disclosures of their PHI (an “accounting” of disclosures).

Not all disclosures of PHI must be tracked and included in the accounting, however. An accounting is not required for the following disclosures:

  • Disclosures made to carry out treatment, payment, or operations;
  • Disclosures to the patient or the patient’s personal representative;
  • Disclosures that are incidental to a use or disclosure otherwise permitted or required by HIPAA;
  • Disclosures made to persons involved in a patient’s care or as part of an inpatient directory;
  • Disclosures pursuant to an authorization for release of information signed by the patient or patient’s personal representative;
  • Disclosures for national security or intelligence purposes;
  • Disclosures to correctional institutions or law enforcement officials under certain circumstances;
  • Disclosures made as part of a limited data set, when the recipient has executed a data use agreement;
  • Disclosures for research, public health, or certain health care operations purposes; or
  • Disclosures that occurred prior to April 14, 2003.

The following disclosures, if made without an authorization, must be tracked and included in an accounting of disclosures:

  • Disclosures in response to a subpoena or other judicial or administrative proceeding (if not accompanied by a patient authorization);
  • Disclosures for public health activities, including reports of vital events, public health surveillance, and investigations; communicable disease; adult and child abuse, neglect, or domestic violence; information associated with an FDA-regulated product or activity; and disclosures to an employer to conduct an evaluation relating to medical surveillance of the workplace or to evaluate whether the individual has a work-related illness or injury (provided that the employer needs such information to comply with federal or state law, and notice has been given to the individual at the time care is provided or there is a notice at the work site);
  • Disclosures for health oversight activities or law enforcement purposes, unless the health oversight or law enforcement agency has provided an official statement to temporarily suspend the individual’s right to receive an accounting for a specified period of time during which such an accounting would impede the agency’s activities;
  • Disclosures to coroners, medical examiners, funeral directors, and for cadaveric organ donation purposes;
  • Disclosures to avert a serious threat to health or safety and for specialized government functions, except national security and intelligence activities and correctional institutions or other law enforcement custodial situations;
  • Disclosures for workers’ compensation purposes pertaining to treatment of potential work-related injuries;
  • Disclosures for research purposes on decedents;
  • Disclosures for research purposes if a waiver of authorization has been obtained from an IRB;
  • Disclosures in error as a result of a misdirected fax, e-mail, postal mail, etc.; and
  • Disclosures by a Business Associate who has notified the covered entity of the disclosure event.

How must disclosures be tracked and included in an accounting?

Covered entities must log disclosures in real time – that is, as they occur – in a log that is then filed in the patient’s paper or electronic medical record. For each disclosure, the accounting should include:

  • Date the request for disclosure was received
  • Name of entity requesting disclosure and, if known, the address of such person or entity
  • A brief description of the PHI that was disclosed
  • A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure

Covered entities must also include any known disclosures made by their business associates.

Is there a time limit for responding to requests for an accounting of disclosures?

Yes. Covered entities must provide a written accounting no later than 60 days after receipt. If the 60-day deadline cannot be met, the time may be extended once, and by no more than 30 days, provided the covered entity sends the individual a written statement of the reasons for the delay and the date by which it will provide the accounting.

How long do covered entities have to maintain an accounting for a patient?

Covered entities must retain the following for six years from the date of the accounting:

  • The information required to be included in the accounting, and
  • The written accounting provided to the requesting party, if any.

Can covered entities charge for the accounting of disclosures?

Yes; however, they must provide the first accounting requested by a patient within any 12-month period without charge. For each subsequent request within the same 12-month period, a reasonable, cost-based fee may be charged, so long as the covered entity has notified the patient of such charges in advance so that the patient has a chance to withdraw or modify the request before incurring the cost.

A patient has asked for a copy of her medical records - does the covered entity have to provide access?

Yes. Under HIPAA, individuals have a right to obtain copies of or to inspect their health information. Subject to certain limited exceptions, covered entities must provide individuals with access to their PHI if they request such access. 

If a patient requests access to his or her PHI, must the covered entity provide billing records and other financial information in addition to the medical records?

Yes. Covered entities must provide access to PHI contained in the “designated record set,” which includes insurance, billing, and payment information.  

What else is included in a patient's "designated record set"?

A “designated record set” is a group of records maintained by or for a covered entity that includes

  • Medical records
  • Billing and payment records
  • Insurance information
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals (e.g., clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes). These records include those that are used to make decisions about any individuals, even if they have not been used to make decisions about the particular individual requesting access.

Records created by or originating from another provider are part of the designated record set if they are used to make health care decisions about a patient.

Does information that is not part of the designated record set have to be provided if it can be easily created?

No. Covered entities are only obligated to provide access to materials already existing in the designated record set. They are not required to create new information, such as explanatory materials or analyses, when responding to a request for access.

Do records that have already been archived or that are stored off-site have to be included?

Yes. The right to access also exists regardless of how or where the information is maintained (paper or electronic systems; onsite, remotely, or archived); or where the PHI originated (the covered entity, another provider, the individual, etc.).

Do covered entities have to honor access requests made by former patients?

Yes. The right to access exists for as long as the covered entity (or a business associate on its behalf) maintains the PHI, regardless of the date the information was created. 

What records are excluded from an individual’s right to access?

Psychotherapy notes and information that is compiled in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding are expressly excluded from the right of access.  Also excluded from the right of access is any PHI that is not part of the designated record set. Information generated from and including an individual’s PHI is not part of the designated record set, and thus not subject to the right of access, if it is not used to make decisions about individuals. For example, the right of access does not apply to:

  • Certain quality assessment or improvement records
  • Individual safety activity records
  • Business planning, development, and management records
  • Practitioner or provider performance evaluations
  • Credentialing records
  • Peer review files
  • Internal grievance reports
  • Information contained in employee records
  • Financial reports used for health care operations (e.g., inventory control or purchasing activities)
  • Coding queries
  • Internal compliance reports and audits
  • Administrative records
  • Attorney-client privileged records, or any other record that is subject to privilege under state and/or federal laws and regulations
  • Public health records and statistical data
  • Any other record that is not used to make health care decisions about the patient

Does a parent have a right to access his or her minor child’s PHI?

Yes, if the parent is deemed to be the child’s “personal representative.” The Privacy Rule requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information, as well as with respect to the individual’s rights under the Rule (access, amendment, restriction). In short, under the Privacy Rule, an individual’s personal representative “stands in the shoes” of the individual.

Generally speaking, HIPAA deems a parent, guardian, or other person acting in loco parentis (hereinafter, “parent”) to be the personal representative of a minor child. As the minor child’s personal representative, the parent may exercise the minor’s rights with respect to the minor’s PHI. This is because the parent usually has the authority to make health care decisions about his or her minor child.

There are, however, certain circumstances in which the parent is not deemed to be the minor child’s “personal representative.”  

  • When state or other law allows a minor to obtain a particular health care service without parental consent and the minor consents to the health care service;
  • When someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent (for example, when a court grants authority to make healthcare decisions for the minor to itself, to another adult, or to the minor); or
  • When a parent agrees to a confidential relationship between the minor and a health care provider.

In these situations, the parent does not control the minor’s health care decisions, and thus does not control the protected health information related to that care.

A provider may also refuse to treat a parent as the minor child’s personal representative if the provider reasonably believes that the parent is abusing or neglecting the child. If the provider, in the exercise of his or her professional discretion, refuses to treat the parent as the personal representative, the provider does not have to give the parent access to the child’s medical record.

Must covered entities comply with state laws that prohibit healthcare providers from disclosing a minor's PHI to a parent?

Yes. The Privacy Rule defers to state laws that expressly address the ability of a parent to obtain health information about a minor child. The Privacy Rule thus allows covered entities to disclose a minor child’s PHI to a parent when and to the extent such disclosure is permitted or required by state law. If access/disclosure to the parent is permitted or required under state law, then the covered entity may disclose or provide access, even if the parent would not be considered the child’s personal representative (that is, one of the three exceptions above exists) under HIPAA.

On the other hand, the Privacy Rule prohibits covered entities from disclosing a minor child’s protected health information to a parent, or providing a parent with access to such information, when and to the extent access or disclosure to the parent is prohibited under state law.

Where state law is silent on parental access to PHI, covered entities have discretion to provide or deny a parent access to a minor child’s PHI if:

  • there is no state law expressly addressing parental access to a minor’s protected health information; and
  • the parent is not the personal representative of the minor child based on one of the circumstances described above.

In these cases, any parental access must be consistent with other applicable law, and the decision to grant or deny access must be made by a licensed healthcare professional in the exercise of his or her professional judgment.

Can a covered entity require patients to submit access requests in writing?

Yes. Covered entities may require individuals to request access in writing. They may also require individuals to use a supplied form. However, any method or manner a covered entity requires may not create a barrier to or unreasonably delay the individual from obtaining access to his PHI.

Can covered entities require patients to submit access requests via e-mail or secure web portal?

No. Covered entities may offer individuals the option of using electronic means (e.g., e-mail, secure web portal, etc.) to make requests for access, but they cannot require individuals to use such means. This would be considered an “unreasonable barrier” to access. 

Unreasonable barriers to an individual’s access include, for example, requiring an individual who wants a copy of her medical record mailed to her home address to physically come to the covered entity's office to request access and provide proof of identity in person; requiring an individual to use a web portal to request access; or requiring an individual to submit a request via mail. 

Must a covered entity verify that the person requesting the information has a right to it?

No particular form of verification is required, but covered entities must take reasonable steps to verify the identity of an individual making a request for access. Verification may be done orally or in writing. Often, the type of verification will depend on how the individual is requesting and/or receiving access – whether in person; by phone (if permitted by the covered entity); by faxing or e-mailing the request on the covered entity’s supplied form; by secure web portal, etc. Although it is up to the covered entity to determine the type and manner of verification, any verification processes and measures it does employ may not create barriers to or unreasonably delay the individual from obtaining access to her PHI.

If a patient requests access to his or her records, and the records are kept electronically, must the records be provided electronically, or can the covered entity print the records and provide hard copies?

Covered entities must provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format. Generally speaking, if the PHI is not readily available in the requested format, the covered entity must provide it in readable hard copy form or other form and format as agreed to by the covered entity and the  individual.  There are a number of caveats to this general rule.

  • Requests for Electronic Access to Electronically Stored PHI. If an individual specifically requests electronic access to PHI that the covered entity maintains electronically, then the covered entity must provide the individual with access to the information in the requested electronic form and format. If for some reason the PHI is not readily producible in that electronic form and format, then the covered entity must provide it in an agreed-upon alternative, readable electronic format. HHS has indicated that while a covered entity is not required to purchase new software or equipment in order to accommodate every possible individual request, it must be able to provide some form of electronic copy of PHI maintained electronically. If the individual refuses to accept any of the electronic formats that are readily producible by the covered entity, then the covered entity may provide the individual with a readable hard copy of the PHI.
  • Requests for Paper Copies of Electronically Stored PHI. If an individual requests a paper copy of PHI maintained electronically, then the covered entity must provide the individual with the paper copy requested.
  • Requests for Electronic Access to PHI Maintained Only in Hard Copy. If an individual requests an electronic copy of PHI maintained only on paper, then the covered entity must provide the individual with an electronic copy if the paper record can be readily scanned into electronic format. If the paper record is not readily producible in electronic format, then the covered entity must produce it in a readable alternative electronic format or in hard copy format as agreed to by the covered entity and the individual.

A patient has asked to come in and review her records, which are stored electronically in an EMR. Does the covered entity have to accommodate this request?

Yes. In addition to providing PHI in the form and format requested, covered entities must provide access in the manner requested. Therefore, if the individual asks to inspect the PHI, then the covered entity must arrange with the individual for a convenient time and place for inspection. If the individual asks that the PHI be mailed or e-mailed, then the covered entity must mail or e-mail the PHI. HHS has taken the position that all covered entities are expected to have the capability to transmit PHI by mail or e-mail, and that transmitting PHI via mail or e-mail does not present unacceptable security risks to covered entities’ systems. Accordingly, a covered entity may not require an individual to travel to its physical location to retrieve a copy of her PHI if the individual requests that the copy be mailed or e-mailed.

May a covered entity provide a summary of the PHI requested instead of the records?

Yes. Covered entities may provide a summary of the PHI requested, in lieu of providing access to the PHI, or they may provide an explanation of the PHI to which access has been provided in addition to that PHI, so long as the individual in advance: (1) chooses to receive the summary or explanation (including in the electronic or paper form being offered by the covered entity); and (2) agrees to any fees that may be charged by the covered entity for the summary or explanation.

Is there a time limit for responding to requests for PHI?

Yes. Covered entities must provide access to the PHI as soon as possible, but in no case later than 30 days from the date the request was received. If the covered entity is unable to provide access within 30 calendar days – for example, if the PHI is archived offsite and must be retrieved – it may extend the time, but by no more than an additional 30 days. In order to do this, the covered entity must, within the initial 30-day period, inform the individual in writing of the reasons for the delay and the date by which it will provide access. The response time may only be extended once per access request.

If state law requires that access to PHI be provided to an individual in a shorter time frame than that required by the Privacy Rule, the covered entity must provide such access within the shorter time frame in accordance with state law. On the other hand, state laws that have lesser requirements (that is, they do not require or specify a timeframe for responding) are preempted by the HIPAA 30-day rule.

Can covered entities charge for copies of medical records?

Yes. A reasonable, cost-based fee may be charged if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information). The fee may include only the cost of:

  • The labor associated with copying the PHI, whether in paper or electronic form
  • Supplies for creating the paper copy or electronic media (e.g., CD or USB drive)
  • Postage, when the individual requests that the copy, or the summary or explanation, be mailed
  • Preparation of an explanation or summary of the PHI

The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above, even if such costs are authorized by state law.

State laws that prohibit covered entities from charging fees, or that allow lower fees than authorized by the Privacy Rule, must be followed.

Are there situations in which a covered entity may deny a request for access to PHI?

Yes. Covered entities may deny access in the following situations:

  • The request is for psychotherapy notes;
  • The request is for information compiled in reasonable anticipation of, or for use in, a legal proceeding;
  • The covered entity is a correctional institution, or a healthcare provider acting under the direction of a correctional institution, and an inmate requests a copy of his PHI held by the covered entity, but providing the copy would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other persons at the institution or responsible for transporting the inmate. The inmate does, however, retain the right to inspect his PHI;
  • The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., a clinical trial) and is still in progress, provided the individual agreed to the temporary suspension of access when consenting to participate in the research. The individual’s right of access is reinstated upon completion of the research;
  • The requested PHI is in Privacy Act protected records (i.e., certain records under the control of a federal agency, which may be maintained by a federal agency or a contractor to a federal agency), if the denial of access is consistent with the requirements of the Act;
  • The requested PHI was obtained by someone other than a healthcare provider (e.g., a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.

The decision to deny access in the above situations is not reviewable. There are, however, situations in which the denial of access is reviewable by a licensed healthcare provider who is part of the organization but who was not involved in the initial decision to deny access. These “reviewable grounds” for denial include situations where the healthcare professional who denied access determined in the exercise of professional judgment that:

  • Disclosure to the individual is reasonably likely to endanger the life or physical safety of the individual or another person;
  • Disclosure to the individual is reasonably likely to cause substantial harm to a person (other than a healthcare provider) referenced in the PHI; or
  • Disclosure to the individual’s personal representative is reasonably likely to cause substantial harm to the individual or another person.

If access is denied, in whole or in part, the individual must be notified within 30 calendar days of the request. The notification must be in writing, in plain language, and must describe the reason(s) for the denial and the individual’s right to have the denial decision reviewed (if applicable). The notification must also advise the individual of his or her right to submit a complaint to the covered entity or to OCR.

The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.