What Rights Does the Privacy Rule Grant to Patients?

The HIPAA Privacy Rule grants you six core rights over your protected health information (PHI): the right to access your records, request corrections, receive a notice of privacy practices, request restrictions on certain uses and disclosures of your data, request confidential communications, and get an accounting of who your information was shared with. These rights apply to “covered entities”: health plans (including insurers), healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions such as claims and eligibility checks. Business associates that handle PHI on a covered entity’s behalf are bound by contract and by the Rule’s provisions that apply directly to them.

Access to Your Health Records

You have the right to see and obtain a copy of your health records held in a provider’s or insurer’s designated record set. This includes medical charts, billing records, insurance enrollment data, and other information used to make decisions about your care. You can request records in paper or electronic format.

Providers who don’t want to calculate their actual copying costs can charge a flat fee of up to $6.50 for electronic copies of records maintained electronically. Some entities instead calculate actual or average costs, but the fee must be reasonable and limited to the cost of labor, supplies, and postage. A provider cannot deny you access simply because you have an unpaid balance for medical services.

There are narrow exceptions. Psychotherapy notes (a therapist’s private session notes kept separate from your medical record) are generally not accessible under this right. Information compiled in anticipation of a lawsuit may also be excluded.

Requesting Corrections to Your Records

If something in your medical record is inaccurate or incomplete, you can request an amendment. Your provider or insurer can require the request in writing and ask you to explain why the change is needed, but they must tell you about those requirements upfront.

A covered entity can deny your amendment request on four specific grounds: the record wasn’t created by that entity (unless the original creator is no longer available), the record isn’t part of the designated record set, the record wouldn’t be available for you to inspect, or the existing information is already accurate and complete. If your request is denied, you have the right to submit a written statement of disagreement that becomes part of your record going forward.

Notice of Privacy Practices

Covered entities must give you a written notice, in plain language, explaining how they may use and share your health information. A provider with a direct treatment relationship must provide it no later than your first service delivery (and post it at the office and on its website); a health plan must provide it at enrollment and on request. The notice must describe your rights, explain how to exercise them, identify who to contact with questions, and state that the entity is legally required to protect your privacy. It must also tell you how to file a complaint, both with the entity itself and with the federal government, and it must include an effective date.

This document matters more than most people realize. It is where a provider or plan spells out the ways your information may be used without asking you, from routine billing to quality improvement to fundraising. You are asked to acknowledge receiving the notice, not to agree to it, so reading it tells you what the entity may do on its own authority and what still requires your separate written authorization.

Authorization for Certain Uses

Providers and insurers can use your health information for treatment, payment, and routine healthcare operations without asking your permission each time. For most other purposes, they need your written authorization first. Marketing is the most common example. If a pharmacy is paid by a drug manufacturer to send you promotional materials about that manufacturer’s product, that is marketing and requires your written authorization; refill reminders and face-to-face communications are excepted. Authorization is also required for the sale of your health information and, in most cases, for sharing your psychotherapy notes.

You can revoke an authorization at any time, in writing, though the revocation doesn’t apply to information already shared while the authorization was in effect.

Restricting How Your Information Is Used

You can ask a covered entity to limit how it uses or discloses your health information for treatment, payment, or operations. You can also ask that information not be shared with family members or others involved in your care. The important caveat: in most cases, the provider is not required to agree to your restriction request. It’s a right to ask, not a guarantee.

One exception stands out. If you pay for an item or service entirely out of pocket and in full, you can instruct your provider not to disclose information about that item or service to your health plan for payment or healthcare operations. In that specific scenario, the provider must honor your request, unless the disclosure is otherwise required by law. This gives you meaningful control when you want to keep a visit or procedure off your insurance record; in practice, make the request before the claim is submitted, because the restriction cannot undo a disclosure already made.

Confidential Communications

You can request that a provider or health plan contact you through an alternative method or at a different location. For example, you might ask your doctor’s office to call your cell phone instead of your home number, or to send correspondence to a P.O. box rather than your home address. Providers must accommodate reasonable requests and cannot require you to explain why you are asking. Health plans must accommodate reasonable requests if you state that the usual form of communication could endanger you, and may require that statement in the request. Either type of entity may ask how you will handle payment, if any, and may require you to specify the alternative address or contact method.

Accounting of Disclosures

You have the right to receive a report listing certain disclosures of your health information made during the six years before your request. For each disclosure, this accounting must include the date, the name (and, if known, the address) of the recipient, a brief description of the information shared, and a brief statement of the purpose of the disclosure.

The accounting does not cover every time your information changes hands. Several common categories are exempt: disclosures for treatment, payment, or healthcare operations; information shared directly with you; disclosures you explicitly authorized; incidental disclosures; information shared for facility directories or with people involved in your care; disclosures for national security or intelligence purposes; and disclosures to correctional institutions or law enforcement under certain provisions. In practice, this means the accounting primarily captures less routine sharing, such as disclosures required by court orders, public health reporting, or research.

Reproductive Health Protections Added in 2024

A final rule issued in April 2024 added a significant new layer of protection. Covered entities and their business associates were prohibited from using or disclosing your health information to conduct a criminal, civil, or administrative investigation into, or to impose liability on, any person for seeking, obtaining, providing, or facilitating reproductive healthcare that was lawful under the circumstances in which it was provided, and from identifying a person for those purposes. This applies whether the care is lawful under the law of the state where it was provided or protected by federal law.

The rule includes a presumption that reproductive healthcare provided by someone other than the entity receiving the information request was lawful, unless the entity has actual knowledge otherwise or the requester supplies factual information demonstrating a substantial basis that the care was unlawful. When a request for information potentially related to reproductive healthcare is made for health oversight, judicial or administrative proceedings, law enforcement, or coroner and medical examiner purposes, the entity receiving that request must first obtain a signed attestation that the information will not be used for a prohibited purpose.

Note that this rule was challenged in court. In June 2025 a federal district court in Texas (Purl v. HHS) vacated most of the rule nationwide, so check HHS’s current guidance before relying on these specific protections; the rest of the Privacy Rule is unaffected by that decision.

New Rights for Substance Use Disorder Records

Federal regulations governing substance use disorder treatment records (42 CFR Part 2), long kept under a separate and stricter framework, were aligned with HIPAA by a final rule issued in February 2024. This alignment gives patients new rights that mirror HIPAA protections: the right to receive an accounting of disclosures, the right to request restrictions on certain disclosures, and the right to file a complaint directly with the Secretary of HHS. Patients also gained the right to opt out of fundraising communications. The patient notice that substance use treatment programs provide must now meet the same standards as the HIPAA Notice of Privacy Practices.

Filing a Complaint

If you believe a covered entity has violated your privacy rights, you can file a complaint with the entity itself (using the contact in its notice of privacy practices) or with the Office for Civil Rights (OCR) at HHS. The federal deadline is 180 days from when you knew or should have known about the violation. OCR can extend this window if you show good cause, but filing promptly avoids a timeliness dispute. Complaints can be submitted through the OCR complaint portal on the HHS website, by mail, by fax, or by email. Filing a complaint with the entity first is not required, and a covered entity may not retaliate against you for filing one.