HIPAA gives every patient in the United States legal control over their own health data. Under the HIPAA Privacy Rule, you have the right to access your medical records, request corrections, control who sees your health information, and file a complaint if your data is misused.
These rights apply to hospitals, clinics, insurers, and most healthcare providers.
Here are 5 things patients can do under HIPAA rights:
- Access and download their own medical records
- Request corrections to wrong information in their files
- See who accessed or received their health data
- Restrict how their information is shared with others
- File a formal complaint if a provider violates their privacy
Why Is This Important?
A 2023 report from the Office for Civil Rights found over 725 major healthcare data breaches in just one year, affecting more than 133 million patient records. That is not a small number.
Still, a large majority of patients have never read a privacy notice, never checked their medical records for errors, and never once exercised a single HIPAA right.
Part of the problem is how these rights are explained, or more accurately, how they are not. The standard privacy notice most clinics hand you is four pages of dense legal text. Nobody reads it. Nobody is meant to.
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. It was signed into law in 1996 and has been updated several times since.
The part that directly affects patients is called the HIPAA Privacy Rule. In simple terms, it does two things:
- It protects your health information from being shared without your permission
- It gives you specific rights over how that information is used, stored, and accessed
Your health data (diagnoses, prescriptions, test results, mental health records, billing details and the like) is called Protected Health Information (PHI). HIPAA regulates who can see it, who can share it, and when.
Covered entities under HIPAA include hospitals, doctors, dentists, insurance companies, pharmacies, and health apps that handle medical data.
The 10 HIPAA Rights Every Patient Should Know
| # | Right | What It Means |
|---|-------|---------------|
| 1 | Access to Medical Records | You can request and receive your own records |
| 2 | Right to Request Corrections | You can fix wrong information in your file |
| 3 | Right to a Privacy Notice | Providers must tell you how they use your data |
| 4 | Right to Control Data Sharing | You decide who gets access to your health info |
| 5 | Confidential Communication | Providers must communicate with you privately |
| 6 | Accounting of Disclosures | You can see who received your health data |
| 7 | Right to Restrict Disclosures | Limit what gets shared in some situations |
| 8 | Right to File a Complaint | Report violations without fear of retaliation |
| 9 | Breach Notification | You must be told if your data is compromised |
| 10 | Right to Authorize or Revoke | Control who has permission, and take it back |
Detailed Breakdown of All 10 Rights
1. Right to Access Your Medical Records
What it says: Under HIPAA patient rights, you have the right to inspect and receive a copy of your own medical records. This includes clinical notes, lab results, imaging reports, medication history, and billing records.
How long does it take? Providers generally have 30 days to respond to your request, with a possible 30-day extension if they notify you in writing.
Real example: A patient in Texas requested her MRI results before a second consultation. The hospital initially stalled. Exercising her HIPAA right of access to medical records, she submitted a written request, received the records within 28 days, and discovered that the original radiologist had missed a small fracture.
How to use it: Submit a written request to your provider’s Health Information Management or Privacy Office. You can ask for records electronically if they maintain them that way.
2. Right to Request Corrections to Your Records
What it says: If you believe information in your medical record is wrong or incomplete, you have the right to request an amendment.
Why it matters: Billing errors and diagnostic mistakes are more common than most people realize. A wrong diagnosis in your file can affect future care, insurance claims, and even employment in some fields.
Real example: A man in Ohio discovered that his medical records listed him as a smoker, although he had never smoked. That single error affected his life insurance premium for three years before he found and corrected it.
How to use it: Write to your provider explaining specifically what is incorrect and what the accurate information should be. The provider has 60 days to respond and must explain in writing if they deny your request.
3. Right to Receive a Privacy Notice
What it says: Every covered healthcare provider must give you a written notice explaining how they use and share your health information. This is called a Notice of Privacy Practices.
What most people miss: You are supposed to receive this notice at your first visit, and sign to acknowledge you got it. Many patients sign it without reading a single word.
What to look for in the notice:
- Who they share your data with
- How long they keep your records
- Your rights under HIPAA
- How to file a complaint
4. Right to Control How Your Health Data Is Shared
What it says: Under HIPAA data privacy rights, your provider generally cannot share your health information for marketing, research, or non-treatment purposes without your written authorization.
Exceptions exist: Providers can share your data for treatment, payment, and standard healthcare operations without asking you. But for almost everything else, they need your permission.
Real example: A pharmaceutical company tried to obtain patient prescription data from a regional pharmacy chain for targeted marketing. Without patient authorization, this would be a direct HIPAA violation, and several such cases have resulted in million-dollar settlements.
5. Right to Request Confidential Communication
What it says: You can ask your provider to contact you in a specific way or at a specific location for privacy reasons.
When this matters most:
- If you do not want billing statements sent to a shared home address
- If you are dealing with a sensitive health condition and need privacy from family members
- If you want records sent to a work address instead
How to use it: You do not have to give a reason. Simply make a written or verbal request stating how and where you want to be contacted.
6. Right to an Accounting of Disclosures
What it says: You can request a list of who received your health information over the past 6 years, for any purpose other than routine treatment, payment, or operations.
Why this is powerful: This right lets you track whether your data was shared with a government agency, research organization, or any third party outside normal healthcare.
Real example: Patients at a large hospital network used this right to discover their de-identified data had been shared with a university research program. While technically legal, many were unaware, and wanted to know.
7. Right to Request Restrictions on Certain Disclosures
What it says: You can ask your provider to limit how they use or share your health information in some circumstances.
The one absolute restriction: If you pay out of pocket in full for a service, you have the right to request that your insurer not be informed of that specific treatment. This is a firm rule under HIPAA; providers must honor it.
Use case: Someone paying out of pocket for mental health therapy has the right to keep that information from being disclosed to their health insurer.
8. Right to File a Complaint Without Retaliation
What it says: If you believe a covered entity has violated your HIPAA Privacy Rule rights, you can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.
Key protection: A healthcare provider cannot legally retaliate against you for filing a complaint: no denying care, no downgrading service, no intimidation.
How to file:
- Visit HHS.gov/OCR
- Submit electronically, by mail, or by fax
- You have 180 days from the date you discovered the violation
9. Right to Be Notified of a Data Breach
What it says: If your protected health information is compromised in a breach, the covered entity must notify you, and in large breaches, must also notify HHS and sometimes the media.
Timeline: For breaches affecting fewer than 500 people, notification must happen within 60 days of discovery. For larger breaches, HHS must be notified immediately.
What the notice must include:
- What happened
- What data was involved
- What steps you should take
- What the provider is doing to address it
Why it matters: Medical identity theft is one of the fastest-growing forms of identity theft in the U.S. Stolen health records sell for far more on the dark web than stolen credit card numbers, according to cybersecurity firm Trustwave.
10. Right to Authorize and Revoke Permissions
What it says: When you give written authorization for your data to be shared for a specific purpose, you also have the right to revoke that authorization at any time.
Important: Revoking authorization does not undo disclosures that already happened, but it stops future sharing.
Real example: A patient authorized a hospital to share her records with a clinical trial team. A year later, she decided to withdraw from the trial. She submitted a written revocation and her data was no longer forwarded.
Why These HIPAA Rights Matter
This is not about legal formalities. These rights have direct, real-world consequences.
- Medical errors caused by bad records: A 2020 study published in JAMA found that diagnostic errors affect approximately 12 million Americans annually, and inaccurate patient records are a contributing factor. Exercising your right to review and correct records reduces that risk.
- Medical identity theft: According to the Medical Identity Fraud Alliance, medical identity theft affects hundreds of thousands of patients each year. The consequences include fraudulent bills, wrong entries in medical records, and even incorrect treatments based on someone else’s history.
- Insurance fraud: If your insurer receives incorrect health information, you can be unfairly denied coverage or charged higher premiums. Checking your records under your HIPAA right of access gives you visibility into what your insurer is seeing.
- Data misuse: Health data is valuable. Some providers and data brokers operate in gray areas. Knowing how to check disclosure history and revoke authorizations gives patients real protection.
How to Exercise Your HIPAA Rights – Step by Step
- Step 1: Know who your privacy contact is: Every covered healthcare provider must designate a Privacy Officer. Ask your clinic or hospital who this is.
- Step 2: Make requests in writing: Verbal requests can get lost or dismissed. A written request creates a paper trail. Email with read receipt or certified mail works well.
- Step 3: Be specific: State exactly what you want: a copy of your records from a specific date range, a correction to a specific field, or a list of disclosures from a specific time period.
- Step 4: Know the deadlines: Providers have 30 days for record requests, 60 days for amendment requests, and 60 days for disclosure accounting.
- Step 5: Escalate if needed: If a provider refuses or ignores your request, file a complaint with HHS Office for Civil Rights at hhs.gov/ocr.
Common Mistakes Patients Make With HIPAA Rights
- Not reviewing medical records after visits: Most people assume records are accurate. They often are not. Billing codes, diagnoses, and medication lists should be checked periodically.
- Signing privacy notices without reading them: The notice tells you exactly how your data is being used. At minimum, look at the section on third-party sharing.
- Assuming HIPAA covers everything: HIPAA applies to covered entities (hospitals, insurers, pharmacies) and their business associates. Some fitness apps, wellness platforms, and genetic testing companies are not covered and operate under different rules.
- Not following up on breach notifications: When you get a breach notification, take the recommended steps: monitor your credit, check your Explanation of Benefits statements, and verify that your medical records have not been altered.
- Thinking complaints lead to retaliation: Providers cannot legally retaliate. And filing a complaint with HHS is often the fastest way to get a resolution.
FAQ: HIPAA Rights Every Patient Should Know
What rights do patients have under HIPAA?
Patients have 10 core rights under the HIPAA Privacy Rule: access to records, right to request corrections, privacy notice, control over data sharing, confidential communication, disclosure history, restriction requests, complaint filing, breach notification, and the ability to authorize or revoke data sharing. These apply to all covered healthcare providers in the U.S.
Can I see my medical records anytime?
Yes. Under HIPAA patient rights, you have the right to request your records at any time. Providers typically have 30 days to fulfill the request. They can charge a reasonable fee for copying but cannot deny access without a valid written reason.
Can hospitals deny access to my records?
In limited cases, yes. A provider can deny access if a licensed professional believes the information could harm you or someone else. But they must tell you in writing and explain how to request a review. Denial is relatively rare and must be justified.
How does HIPAA protect patient privacy?
HIPAA requires covered entities to safeguard your protected health information (PHI) both physically and digitally. It limits who can access your data, requires consent for non-essential sharing, mandates breach notifications, and gives you direct control over your records. Violations can result in fines of up to $1.9 million per violation category per year.
Can you correct medical records under HIPAA?
Yes. This is one of the most underused HIPAA Privacy Rule rights. Submit a written amendment request to your provider. They have 60 days to respond. If they deny it, they must explain why in writing, and you have the right to add a statement of disagreement to your file.
Is HIPAA applicable outside the U.S.?
HIPAA is a U.S. federal law and applies only to U.S.-based covered entities and their business associates. If you receive care abroad, different national privacy laws apply. However, if a U.S.-based hospital processes your data, HIPAA rules still govern how that data is handled.
Can I sue for a HIPAA violation?
HIPAA does not give individuals a private right to sue directly. However, you can file a complaint with HHS, which can investigate and issue fines. Some states have their own health privacy laws that do allow individual lawsuits. Consulting an attorney familiar with health privacy law is advisable if you believe you have suffered real harm.
What is the HIPAA Privacy Rule in simple terms?
The HIPAA Privacy Rule sets national standards for protecting patient health information. It tells healthcare providers what they can and cannot do with your data, gives you rights to access and control that data, and creates penalties for misuse. Think of it as a bill of rights for your health information.
What are the top HIPAA violations?
The most common HIPAA violations include unauthorized access to patient records, failure to conduct risk assessments, missing or outdated privacy notices, improper disposal of PHI, failure to notify patients of breaches, and sharing data without proper authorization. Many result from poor staff training rather than intentional misuse.
How long does it take to get medical records under HIPAA?
Providers have up to 30 days from the date of your written request. They may extend this by another 30 days if they provide written notice explaining the delay. If they miss both deadlines without communication, that itself can be reported as a violation.
Key Takeaways
- HIPAA gives you 10 legally enforceable rights over your health data, yet most patients use none of them.
- You can access, correct, and restrict your medical records at any time.
- Providers must notify you within 60 days of a data breach.
- Medical identity theft and billing errors are real risks that these rights help you catch early.
- File complaints with HHS Office for Civil Rights at hhs.gov/ocr; retaliation is illegal.
- Paying out of pocket gives you the right to keep that visit off your insurance records.