Health Privacy

HIPAA Rights: What Patients Need to Know

Your medical information is protected by federal law. Learn how to access your records, limit disclosures, and file complaints when your rights are violated.

Health Law 7 min read

The Health Insurance Portability and Accountability Act (HIPAA) gives you powerful rights over your medical information. Yet many patients don't know what protections exist or how to enforce them. This guide explains your key rights in plain language.

Who Is Covered by HIPAA?

HIPAA applies only to covered entities, the organizations the law itself defines, and to the business associates that handle protected health information (PHI) on their behalf:

  1. Health plans (insurers, HMOs, Medicare and Medicaid, employer-sponsored group health plans)
  2. Health care clearinghouses that process billing and other standard transactions
  3. Health care providers who transmit health information electronically in connection with standard HIPAA transactions such as billing or eligibility checks
  4. Business associates: vendors such as billing companies, cloud hosts, or records-storage firms that create, receive, maintain, or transmit PHI for a covered entity

Important: HIPAA does NOT apply to employers, life insurers, workers' comp carriers, most schools, or most law enforcement agencies. It also doesn't cover consumer health apps or fitness trackers unless they are offered by, or handle PHI on behalf of, a covered entity.

Your Six Core HIPAA Rights

Right to Access

Request a copy of your medical records. Must be provided within 30 days (one 30-day extension allowed).

Right to Amend

Request corrections to inaccurate or incomplete health information in your records.

Right to Accounting

Get a list of certain disclosures of your PHI made in the past six years. Routine disclosures for treatment, payment, and health care operations, and disclosures you authorized, are excluded, so the accounting mainly covers disclosures required by law, to public health or oversight agencies, or in response to subpoenas and similar requests.

Right to Restrict

Request restrictions on how your PHI is used or disclosed for treatment, payment, or operations. A provider is generally not required to agree, with one exception: if you pay for a service out of pocket in full and ask that it not be disclosed to your health plan, the provider must honor that request.

Right to Confidential Communications

Request that communications be sent to a different address or by a different means.

Right to Notice

Receive a clear written explanation of how your health information may be used and shared.

Accessing Your Medical Records

Covered entities may charge only a reasonable, cost-based fee for copies of your records (labor for copying, supplies, and postage); they cannot charge for searching for or retrieving the records, and many providers now offer electronic copies through a patient portal at no charge. You are entitled to the form and format you ask for (paper or electronic) whenever the records are readily producible that way.

  1. Submit a written request to the provider's Privacy Officer or medical records department
  2. Specify the records you need and your preferred format (paper or electronic)
  3. Provider has 30 days to respond (one 30-day extension allowed, but only if it tells you in writing why and gives a new date)
  4. If denied, you must receive a written explanation; for some denial reasons (such as a belief that access would endanger you), you can have the denial reviewed by a licensed health care professional who was not involved in the original decision

When Can Your Information Be Shared?

Providers can share your PHI without your authorization for:

  1. Treatment, payment, and health care operations, the routine purposes that need no authorization
  2. Purposes required by law, such as reporting certain diseases, abuse, or gunshot wounds
  3. Public health activities, health oversight audits, and some research
  4. Law enforcement, courts, and coroners, within the specific limits the rule sets
  5. Averting a serious and imminent threat to someone's health or safety

Watch Out: Providers can share your records with family members who are directly involved in your care — but only if you have not objected. Make your wishes known in writing.

Mental Health and Substance Abuse Records

These records receive extra protections beyond standard HIPAA rules:

  1. Psychotherapy notes (a therapist's private session notes kept separate from the rest of the record) can be disclosed for most purposes, including treatment by other providers, only with your written authorization. They are also excluded from the right of access described above.
  2. Records of federally assisted substance use disorder treatment programs are covered by a separate federal regulation, 42 CFR Part 2, which generally requires your written consent before the program shares them and bars their use to bring criminal charges against you without a court order.

Filing a HIPAA Complaint

If you believe your rights were violated, you can file a complaint with the HHS Office for Civil Rights (OCR):

  1. File within 180 days of when you knew (or should have known) about the violation; OCR may extend this for good cause
  2. Submit online at hhs.gov/ocr/complaints, by mail, or by fax
  3. Include: your name, the covered entity involved, a description of the act, and date
  4. OCR investigates and can impose civil money penalties, capped per violation category per year at a figure HHS adjusts for inflation (about $1.9 million at the time of writing)

You can also file a complaint with your state attorney general or state health department, as many states have additional enforcement mechanisms.

FAQ: HIPAA Patient Rights

Can my employer access my medical records?
Generally no. Your employer is not a covered entity under HIPAA and cannot obtain your medical records from a provider without your written authorization. Exception: if your employer sponsors its own group health plan (for example, a self-insured plan), the plan itself is a covered entity and may pass limited information to the employer for plan administration, but only under restrictions written into the plan documents, and never for employment decisions.
Can a hospital share my diagnosis with my family?
Providers may share information with family members "directly involved in your care" if you agree or do not object, or, when you are unable to decide, if they reasonably infer you would not object. Only the information relevant to that person's involvement may be shared. If you want to restrict this, tell your provider in writing. You can also designate specific people as authorized to receive your information.
What if my records contain errors?
Submit a written amendment request to the covered entity. They must act within 60 days (one 30-day extension allowed). They can deny your request, but must give a written reason. If denied, you can submit a statement of disagreement that must be included with, or linked to, any future disclosures of the disputed information.
Can I sue for HIPAA violations?
HIPAA does not create a private right of action: individuals cannot sue directly for HIPAA violations. You must file a complaint with OCR. However, some states have health privacy laws that DO allow private lawsuits, and courts in some states have used HIPAA as the standard of care in negligence claims. Consult an attorney about state-law remedies.
Are health apps covered by HIPAA?
Usually not. Most consumer health apps (fitness trackers, diet apps, mental health apps) are not HIPAA-covered entities or business associates. Only apps offered by a covered entity, or that handle PHI on a covered entity's behalf as a business associate, fall under HIPAA. An app you download on your own and feed your own data is outside HIPAA even if it connects to your provider's portal. The FTC Act, the FTC's Health Breach Notification Rule, and state privacy laws may provide some protection.
What are the penalties for HIPAA violations?
Civil penalties range from $100 to $50,000 per violation depending on the level of culpability, with annual caps per violation category (about $1.9 million at the time of writing); HHS adjusts all of these figures for inflation each year. Criminal penalties apply for knowing violations, up to $250,000 in fines and 10 years' imprisonment for the most serious cases, those involving intent to sell PHI or to use it for commercial advantage, personal gain, or malicious harm.