Under the HIPAA Privacy Rule, PHI can only be given out after obtaining written authorization from the patient, except in specific circumstances such as treatment, payment, healthcare operations, or as required by law, thereby ensuring that sensitive health data is shared or disclosed in a manner that upholds the individual’s privacy and consent rights. The right to protect PHI via written authorization is one of several patient rights under the HIPAA Privacy Rule. The table below lists the the patient rights under the HIPAA Privacy Rule.
| Patient Right under HIPAA Privacy Rule | Description of Patient Rights |
|---|---|
| Access to PHI | Patients have the right to access their Personal Health Information (PHI) held by healthcare providers and health plans, including viewing and obtaining copies of medical records, lab results, and other health documents. This facilitates greater transparency and patient involvement in their healthcare management. |
| Amendments to PHI | Patients can request that their healthcare provider or health plan amend their PHI if they believe it is incorrect or incomplete. While providers can deny requests under certain conditions, they must provide a written explanation for the denial and allow the patient to submit a statement of disagreement. |
| Accounting of Disclosures | Under HIPAA, patients are entitled to an accounting of disclosures, which is a report that details instances where their PHI was shared without their explicit consent. This report covers disclosures made for certain purposes over the past six years, excluding those for treatment, payment, and healthcare operations. |
| Requesting Restrictions | Patients may request restrictions on the use or disclosure of their PHI for treatment, payment, or healthcare operations. While healthcare providers are not required to agree to these restrictions, they must comply with any agreed-upon restrictions unless the information is needed for emergency treatment. |
| Confidential Communications | Patients have the right to request that their healthcare provider communicate with them about their PHI in a certain way or at a certain location. For example, a patient might request that the provider only contact them at a private phone number or address to maintain confidentiality. |
| Right to a Privacy Notice | The Privacy Rule mandates that healthcare providers and health plans provide patients with a Notice of Privacy Practices. This notice outlines how the patient’s PHI may be used and disclosed, the patient’s privacy rights, and the entity’s privacy practices. |
| Right to File a Complaint | Patients have the right to file a complaint with their healthcare provider, health plan, or the U.S. Department of Health and Human Services if they believe their HIPAA rights have been violated. This ensures accountability and recourse in the event of potential privacy violations. |
| Right to Be Informed of Breaches | Patients are entitled to be notified in the event of a breach of their unsecured PHI. Covered entities must provide this notification without unreasonable delay and in no case later than 60 days following the discovery of a breach, which ensures timely awareness and response to privacy incidents. |