Protecting Your Privacy & Security

Your Health Information Rights

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule provides you with health information privacy rights. These rights are important for you to know. You can exercise these rights, ask questions about them, and file a complaint if you think your rights are being denied or your health information isn't being protected.

Your health information rights include:

  • Right to access your health information
  • Right to an accounting of disclosures of your health information
  • Right to correct or amend your health information
  • Right to notice of privacy practices
  • Right to file a complaint

 

Do I have the right to see and get a copy of my health records?

Yes. The HIPAA Privacy Rule gives you the right to inspect, review, and receive a copy of your health and billing records that are held by health plans and health care providers covered under HIPAA.

  • In a few special cases, you may not be able to get all of your information. For example, your doctor may decide that something in your file could physically endanger you or someone else and may not have to give this information to you.
  • In most cases, your copies must be given to you within 30 days. However, if your health information is not maintained or accessible on-site, your health care provider or health plan can take up to 60 days to respond to your request. If, for some reason, they cannot take action by these deadlines, your provider or plan may extend the deadline by another 30 days if they give you a reason for the delay in writing and tell you when to expect your copies.
  • The provider cannot charge a fee for searching for or retrieving your information, but you may have to pay for the cost of copying and mailing.

Your State may also have laws that give you rights to see and copy your medical records. If there is a difference between State and Federal law, your provider must follow the law that gives you the most rights.

 

Do I have a right to know when my provider has shared my health information with people outside of his or her practice?

Yes. You have a right to receive an "accounting of disclosures," which is a list of certain instances when your health care provider or health plan has shared your health information with another person or organization. There are some major exceptions to this right. Currently, an accounting of disclosures does not include information about when your health care provider or health plan shares your information with another person or organization for treatment, payment, or health care operations.

 

Can I ask to correct the information in my health records?

Yes. You can ask your health care provider or your health plan to correct your health record by adding information to it to make it more accurate or complete. This is called the "right to amend." For example, if you and your hospital agree that your record has the wrong result for a test, the hospital must change it. If you and your health provider or health plan do not agree that an amendment is necessary, you still have the right to have your disagreement noted in your record. In most cases, your record should be changed within 60 days, but the provider can take an extra 30 days if they provide you a reason.

 

Do I have the right to receive a notice that tells me how my health information is being used and shared?

Yes. You can learn how your health information is used and shared by your provider or health insurer. They must give you a notice that tells you how they legally may use and share your health information and how you can exercise your rights. In most cases, you should get this notice on your first visit to a provider or in the mail from your health plan, and you can ask for a copy at any time. This is the document that providers often ask you to sign to indicate that you have received it.

 

Who has to follow the parts of the HIPAA Privacy Rule that give me rights with respect to my health information?

  • Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and many other health care providers
  • Health insurance companies, Health Maintenance Organizations (HMOs), and most employer group health plans
  • Certain government programs that pay for health care, such as Medicare and Medicaid

 

Do I have the right to file a complaint?

Yes. If you believe your information was used or shared in a way that is not allowed under the HIPAA Privacy Rule, or if you were not able to exercise your health information rights, you can file a complaint with your provider or health insurer. The privacy notice you receive from them will tell you how to file a complaint. You can also file a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights or your State Attorney General's Office.

 

Are State governments involved in protecting privacy rights?

Yes. The HIPAA Privacy Rule sets a Federal "floor" of privacy protections — a minimum level of privacy that health care providers and health plans must meet. Many States have health information privacy laws that have additional protections that are above this floor. In addition, even though HIPAA is a Federal law, State Attorneys General have been given the authority to enforce HIPAA.

 

Where can I learn more about my health information rights?

For additional information, see the HHS Office for Civil Rights.