HIPAA Patient Rights: PHI can only be given out after obtaining written authorization

Under the HIPAA Privacy Rule, PHI can only be given out after obtaining written authorization from the patient, except in specific circumstances such as treatment, payment, healthcare operations, or as required by law. This ensures that sensitive health data is shared or disclosed in a manner that upholds the individual’s privacy and consent rights. The right to protect PHI via written authorization is one of several patient rights under the HIPAA Privacy Rule. The table below lists the patient rights under the HIPAA Privacy Rule.

| Patient Right under HIPAA Privacy Rule | Description of Patient Rights |
| --- | --- |
| Access to PHI | Patients have the right to access their Personal Health Information (PHI) held by healthcare providers and health plans, including viewing and obtaining copies of medical records, lab results, and other health documents. This facilitates greater transparency and patient involvement in their healthcare management. |
| Amendments to PHI | Patients can request that their healthcare provider or health plan amend their PHI if they believe it is incorrect or incomplete. While providers can deny requests under certain conditions, they must provide a written explanation for the denial and allow the patient to submit a statement of disagreement. |
| Accounting of Disclosures | Under HIPAA, patients are entitled to an accounting of disclosures, which is a report that details instances where their PHI was shared without their explicit consent. This report covers disclosures made for certain purposes over the past six years, excluding those for treatment, payment, and healthcare operations. |
| Requesting Restrictions | Patients may request restrictions on the use or disclosure of their PHI for treatment, payment, or healthcare operations. While healthcare providers are not required to agree to these restrictions, they must comply with any agreed-upon restrictions unless the information is needed for emergency treatment. |
| Confidential Communications | Patients have the right to request that their healthcare provider communicate with them about their PHI in a certain way or at a certain location. For example, a patient might request that the provider only contact them at a private phone number or address to maintain confidentiality. |
| Right to a Privacy Notice | The Privacy Rule mandates that healthcare providers and health plans provide patients with a Notice of Privacy Practices. This notice outlines how the patient’s PHI may be used and disclosed, the patient’s privacy rights, and the entity’s privacy practices. |
| Right to File a Complaint | Patients have the right to file a complaint with their healthcare provider, health plan, or the U.S. Department of Health and Human Services if they believe their HIPAA rights have been violated. This ensures accountability and recourse in the event of potential privacy violations. |
| Right to Be Informed of Breaches | Patients are entitled to be notified in the event of a breach of their unsecured PHI. Covered entities must provide this notification without unreasonable delay and in no case later than 60 days following the discovery of a breach, which ensures timely awareness and response to privacy incidents. |

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone