What Rights Does the Privacy Rule Grant to Patients?

Federal regulations in the United States establish a framework for protecting sensitive health information. These rules give individuals control over their medical data and over how it is used and shared. This article explores the rights granted to patients concerning their health information under federal privacy standards.

Your Core Health Information Rights

Patients have several rights concerning their protected health information (PHI). A fundamental right is the ability to access and obtain a copy of their medical records. This includes inspecting and receiving copies of health information held by healthcare providers and health plans in a “designated record set,” such as medical and billing records. Patients can also direct providers to send copies of their PHI directly to another person or entity.

Patients can request amendments to their health information if they believe it is inaccurate or incomplete. They also have the right to receive an accounting of disclosures, which lists instances where their PHI has been shared by covered entities. This typically covers disclosures for purposes other than treatment, payment, or healthcare operations, for up to six years prior to the request.

Patients can request restrictions on how their PHI is used and disclosed, especially for treatment, payment, or healthcare operations. Providers and health plans are generally not required to agree, but they must comply if the patient pays for a service entirely out-of-pocket and requests the information not be shared with their health plan. Individuals also have the right to request confidential communications, asking to receive health information by alternative means or at alternative locations, such as a different mailing address or specific communication method.

Patients have the right to receive a Notice of Privacy Practices (NPP) from their healthcare providers and health plans. This notice explains how their health information may be used and shared, outlines their privacy rights, and details how to contact the organization for more information or to file a complaint. The NPP is typically provided at the first visit to a provider or upon enrollment with a health plan.

Managing Your Health Information Access

To request medical records, patients generally submit a written request to the healthcare provider or health plan. Covered entities can charge a reasonable, cost-based fee for copying and postage, but must inform the individual of the approximate fee in advance. Providers are typically required to respond to access requests within 30 days, with a possible 30-day extension.

Requesting an amendment to health information typically requires a written submission, often including a reason for the change. Covered entities must act on these requests within 60 days. If an amendment request is denied, the covered entity must provide a written denial stating the basis for the decision and inform the individual of their right to submit a written statement of disagreement.

Healthcare providers, health plans, and healthcare clearinghouses are “covered entities” under these regulations. They, along with their “business associates” (e.g., billing companies, IT providers), are responsible for upholding patient rights. These entities must establish procedures to ensure compliance with requests and protect patient information.

Addressing Privacy Rule Concerns

If patients believe their privacy rights have been violated, they have avenues for recourse. The initial step is to file a complaint directly with the healthcare provider or health plan involved. Many organizations have internal processes for addressing such concerns, and their Notice of Privacy Practices often provides contact information for their privacy officer.

For formal complaints, individuals can contact the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). The OCR enforces federal health information privacy regulations. When filing a complaint, provide specific details: who was involved, what happened, when and where it occurred, and why you believe your rights were violated.

The OCR investigates complaints and can take enforcement actions against entities that fail to comply. Patients generally cannot sue healthcare providers or health plans directly under federal privacy regulations for privacy violations. The primary mechanism for addressing such issues is through the complaint process with the OCR.