Patient Rights under HIPAA


The Health Insurance Portability and Accountability Act of 1996 was established first and foremost to protect patients. The act covers two broad areas: four of the five titles relate to health insurance, specifically health insurance fraud and managing health insurance plans. However, when most people talk about HIPAA, they refer to the second title, which specifically deals with patient data privacy. For many patients, this is the most important part of the legislation, as it is what protects them from disclosure of their private health data.

What is Protected Health Information?

To ensure that all necessary information is protected, HIPAA offers a definition of “protected health information.” All of this information must be subject to rigorous safety controls to ensure that it is not accessed by unauthorized individuals. These definitions are important, as knowing what information needs to be protected is the first step in ensuring that it is not disclosed unnecessarily. PHI can take many forms, but it notably includes medical records, treatment plans, prognoses, and all “identifiers.” Identifiers are not always directly related to healthcare but can be used to trace an individual. They include things like names, phone numbers, email addresses, and social security numbers, but also data like IP addresses and retinal prints. All healthcare workers receive HIPAA training on how to identify things like PHI and, importantly, how to protect it.

Under HIPAA, the patient has a right to privacy, meaning all of this PHI can only be disclosed if it is needed to complete a task related to healthcare. This can be everything from consulting with another doctor about treatment plans to sending information out to billing so that the health insurance company can be properly invoiced. Under HIPAA, all of these tasks can be carried out so long as only the minimum necessary information is passed on. That means that, for example, if the information is sent to billing or a healthcare clearinghouse, only information related to the treatment in question can be sent along – not the patient’s entire healthcare record.

Can patients access data?

Another important aspect of HIPAA’s focus on patients is the fact that it awards patients the right to access their healthcare information at any time they would like. This is important, as over 80% of those who have chosen to access their healthcare data found that this was a beneficial activity. Importantly, it gives patients increased agency over their own healthcare decisions, as they are able to know what procedures have been carried out and who has carried them out. They can also choose who to send the records to – including other healthcare professionals. Patients retain the right to access their medical records even if they have outstanding bills. Patients also have the right to know who has accessed their healthcare data.

Additionally, if a patient believes there is a mistake on their health record, they can ask for it to be changed. This is subject to approval by their healthcare professional, though if there is some dispute about the proposed change, the individual can still have it recorded on their medical record.