
17-Step HIPAA Compliance Series

Strengthen Patient Rights (Step 7 of 17)

Step 7: Provide PHI access, honor patient requests, track disclosures, and deliver Notice of Privacy Practices — the Privacy Rule in practice.

Alexander Perrin·September 30, 2025·Updated April 11, 2026

Patient rights are not optional — they are enforceable requirements

The HIPAA Privacy Rule grants patients a specific set of rights regarding their protected health information. These are not suggestions. They are legal requirements that Covered Entities must honor, and OCR enforces them aggressively — particularly the right of access.

Between 2019 and 2024, OCR settled more enforcement actions under its Right of Access Initiative than under any other enforcement priority. The message is clear: if patients cannot access their own health records in the manner and timeframe HIPAA requires, your practice is a target.

This is Step 7 of our 17-step HIPAA compliance roadmap. The previous steps built your administrative, physical, and technical foundation. This step addresses the Privacy Rule obligations that directly affect how patients interact with your practice and their data.

The right to access PHI

Under 45 CFR 164.524, patients have the right to access and obtain a copy of their PHI maintained in a designated record set. This includes medical records, billing records, insurance information, and any other records used to make decisions about the individual.

What the law requires

  • 30-day response window. Upon receiving a valid request, you have 30 calendar days to provide access. A single 30-day extension is permitted if you notify the patient in writing with the reason for the delay.
  • Patient's choice of format. If the patient requests electronic records and you maintain them electronically, you must provide them in the requested electronic format if readily producible — or in a mutually agreed alternative.
  • Reasonable, cost-based fees. You may charge a reasonable, cost-based fee for labor to create the copy, the supplies, and postage. You may not charge for retrieval or search time. Many states impose stricter fee limits.
  • Third-party direction. Patients can direct that copies be sent to a third party. The request must be in writing, signed, and clearly identify the designated person or entity.

Common failures

  • Exceeding the 30-day window. The most frequent violation. Practices that route requests through a physician for "review" before release often blow the deadline. The physician does not need to approve the release — the patient has a legal right to access.
  • Requiring patients to appear in person. You cannot require patients to pick up records at your office. If they request electronic delivery, accommodate it.
  • Excessive fees. Charging per-page fees that exceed state limits, or charging for retrieval time the regulation does not permit.
  • Refusing based on the requesting party. If a patient directs records to an attorney, an insurance company, or another provider, you must comply. You do not get to decide whether the request serves the patient's interests.

OCR has settled Right of Access cases with penalties ranging from $3,500 to $240,000. The common thread: practices that treated access requests as inconveniences rather than legal obligations.

The right to request amendments

Under 45 CFR 164.526, patients have the right to request that you amend their PHI. You must act on the request within 60 days.

You may deny an amendment request if:

  • The PHI was not created by your practice (direct the patient to the originating entity)
  • The PHI is not part of the designated record set
  • The information is accurate and complete as written
  • The PHI is not available for access (rare circumstances)

If you deny the request, you must provide a written denial with the reason and inform the patient of their right to submit a statement of disagreement. If you accept the amendment, you must make the change, inform the patient, and notify others who have received the original information and need the amendment.

Documentation standard

Maintain a log of all amendment requests — the request, your response, the basis for any denial, and any statement of disagreement from the patient. This log is part of your compliance documentation and must be maintained for six years.

[Figure: Patient Protect real-time ePHI audit showing who viewed, edited, or exported patient records]

Accounting of disclosures

Under 45 CFR 164.528, patients have the right to an accounting of disclosures — a list of instances where the practice disclosed their PHI outside of treatment, payment, and healthcare operations, and outside of disclosures the patient authorized.

What must be tracked

The accounting must cover disclosures made during the six years prior to the request (or since your compliance date, if that period is shorter), including:

  • Disclosures to public health authorities
  • Disclosures for law enforcement purposes
  • Disclosures required by law (court orders, subpoenas)
  • Disclosures for research purposes
  • Disclosures for workers' compensation
  • Breach notifications

What is excluded

The following do not need to appear in the accounting:

  • Disclosures for treatment, payment, and healthcare operations
  • Disclosures the patient authorized
  • Disclosures to the patient themselves
  • Incidental disclosures
  • Disclosures for national security or intelligence purposes

The operational challenge

Most independent practices do not systematically track disclosures. When a patient requests an accounting, the office scrambles to reconstruct what was disclosed to whom over the past six years. This is the wrong approach.

Build the tracking system now:

  • Maintain a disclosure log with: patient name, date of disclosure, recipient, description of the PHI disclosed, and purpose
  • Update the log at the time of each disclosure — not retroactively
  • Use your EHR's disclosure tracking module if available, or maintain a separate secured log

The accounting must be provided within 60 days of the request. The first accounting in any 12-month period must be free of charge.
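As an added illustration (not Patient Protect's code and not any EHR's disclosure-tracking module), the following Python sketches the disclosure log this section describes and the accounting it has to produce: each entry carries the fields listed above and is stamped with when it was written, the accounting for a patient applies the six-year lookback (or the compliance date, if later) and drops the purposes the Privacy Rule excludes, and the response carries the 60-day due date plus whether this is the free first accounting in a 12-month period. The purpose codes, the sample entries, the Feb 29 handling and the reading of the 12-month window as "no accounting given in the 12 months ending on the request date" are constructed assumptions for the example.

```python
"""Disclosure log and accounting of disclosures (45 CFR 164.528).

Constructed example: purpose codes, field names and sample rows are assumptions
for illustration, not any product's schema.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Purposes that do not appear in an accounting (assumed code names for the
# categories the article lists as excluded).
EXCLUDED_PURPOSES = {
    "treatment", "payment", "healthcare_operations",   # TPO
    "patient_authorized", "to_patient", "incidental", "national_security",
}
ACCOUNTING_RESPONSE_DAYS = 60   # accounting due within 60 days of the request
LOOKBACK_YEARS = 6              # accounting covers the six years before the request


@dataclass(frozen=True)
class Disclosure:
    """One log row: the fields the article says a disclosure log must carry."""
    patient_id: str
    disclosed_on: date
    recipient: str
    description: str
    purpose: str
    recorded_on: date   # when the row was written; should equal disclosed_on


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28 (assumed)."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


class DisclosureLog:
    def __init__(self) -> None:
        self._entries: list[Disclosure] = []
        self._accountings_given: dict[str, list[date]] = {}

    def record(self, entry: Disclosure) -> None:
        """Append at the time of disclosure; a disclosure dated after the day it
        was recorded cannot have happened yet, so reject it."""
        if entry.disclosed_on > entry.recorded_on:
            raise ValueError("disclosure date is after the recording date")
        self._entries.append(entry)

    def retroactive_entries(self) -> list[Disclosure]:
        """Rows written after the fact: a sign the log is being reconstructed
        rather than maintained, which is what the Privacy Officer should review."""
        return [e for e in self._entries if e.recorded_on > e.disclosed_on]

    def accounting(self, patient_id: str, requested_on: date,
                   compliance_date: date | None = None) -> list[Disclosure]:
        """Rows that belong in the accounting: this patient, inside the lookback
        window (or since the compliance date, if later), not an excluded purpose."""
        start = years_before(requested_on, LOOKBACK_YEARS)
        if compliance_date is not None and compliance_date > start:
            start = compliance_date
        rows = [e for e in self._entries
                if e.patient_id == patient_id
                and start <= e.disclosed_on <= requested_on
                and e.purpose not in EXCLUDED_PURPOSES]
        return sorted(rows, key=lambda e: e.disclosed_on)

    def accounting_is_free(self, patient_id: str, requested_on: date) -> bool:
        """Free if no accounting was provided in the 12 months ending on the
        request date (assumed reading of 'first in any 12-month period')."""
        window_start = years_before(requested_on, 1)
        return not any(window_start < given <= requested_on
                       for given in self._accountings_given.get(patient_id, []))

    def respond(self, patient_id: str, requested_on: date,
                compliance_date: date | None = None) -> dict:
        """Assemble the response and remember that an accounting was given
        (the request date is used as the 'given' date; simplification)."""
        free = self.accounting_is_free(patient_id, requested_on)
        self._accountings_given.setdefault(patient_id, []).append(requested_on)
        return {"entries": self.accounting(patient_id, requested_on, compliance_date),
                "due_by": requested_on + timedelta(days=ACCOUNTING_RESPONSE_DAYS),
                "free_of_charge": free}


def build_sample_log() -> DisclosureLog:
    """Constructed sample rows covering the cases the accounting must sort out."""
    log, d = DisclosureLog(), date
    rows = [  # (patient, disclosed_on, recipient, description, purpose, recorded_on)
        ("P-001", d(2017, 1, 15), "Superior Court", "Visit notes", "required_by_law", d(2017, 1, 15)),   # outside 6-year window
        ("P-001", d(2023, 11, 20), "State Workers' Comp Board", "Injury evaluation", "workers_compensation", d(2023, 12, 4)),  # logged 2 weeks late
        ("P-001", d(2024, 3, 5), "County Public Health Dept", "Reportable lab result", "public_health", d(2024, 3, 5)),
        ("P-001", d(2024, 6, 10), "Acme Health Plan", "Claim for visit", "payment", d(2024, 6, 10)),     # TPO: excluded
        ("P-001", d(2024, 8, 1), "County Sheriff's Office", "Treatment dates", "law_enforcement", d(2024, 8, 1)),
        ("P-001", d(2025, 2, 1), "Patient", "Full record copy", "to_patient", d(2025, 2, 1)),           # excluded
        ("P-002", d(2024, 4, 2), "County Public Health Dept", "Immunization record", "public_health", d(2024, 4, 2)),  # other patient
    ]
    for row in rows:
        log.record(Disclosure(*row))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    resp = log.respond("P-001", date(2025, 9, 30))
    for e in resp["entries"]:
        print(e.disclosed_on, e.recipient, e.purpose, "-", e.description)
    print("due by", resp["due_by"], "| free:", resp["free_of_charge"])
    print("retroactive rows:", len(log.retroactive_entries()))
```

Running the block produces a three-row accounting for the request of 2025-09-30 (the 2017 court disclosure is older than six years, the health-plan and patient copies are excluded), due by 2025-11-29 and free of charge, and flags the one row that was written two weeks after the disclosure. The `retroactive_entries` report is the practical check: if it grows, the log is being reconstructed at request time rather than kept as disclosures happen.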

Notice of Privacy Practices (NPP)

Under 45 CFR 164.520, every Covered Entity that provides direct treatment must maintain and distribute a Notice of Privacy Practices. The NPP must describe:

  • How the practice uses and discloses PHI
  • The patient's rights under HIPAA
  • The practice's legal duties regarding PHI
  • How to file a complaint with the practice and with OCR
  • A contact person for privacy matters (your Privacy Officer)
  • The effective date of the notice

Distribution requirements

  • At first service delivery: Provide the NPP and make a good-faith effort to obtain written acknowledgment of receipt
  • Available on request: Keep copies available for anyone who asks
  • Posted in the office: Display the NPP prominently in your facility
  • Posted on your website: If you maintain a website, the NPP must be prominently posted

Keeping the NPP current

When your privacy practices change materially — new uses or disclosures of PHI, changes in patient rights, changes in legal duties — you must revise the NPP and distribute the updated version. You do not need to re-collect acknowledgments for revisions, but you must make the revised notice available.

The right to request restrictions

Under 45 CFR 164.522(a), patients can request restrictions on how you use or disclose their PHI. You are generally not required to agree to a restriction — with one important exception:

If a patient pays out of pocket in full and requests that you not disclose the service to their health plan, you must honor that request. This provision, added by the HITECH Act, gives patients direct control over disclosures to insurers when they are willing to bear the full cost.

Whether or not you agree to other restriction requests, document the request and your response.

The right to request confidential communications

Patients can request that you communicate with them through alternative means or at alternative locations — 45 CFR 164.522(b). A patient experiencing domestic violence might request that appointment reminders not be sent to their home address. A patient might request that calls only be made to their cell phone, not their work number.

You must accommodate reasonable requests. You may not require an explanation for the request.

Why small practices often fall short

Patient rights compliance suffers in independent practices for predictable reasons:

  • No dedicated compliance staff. The office manager handles privacy requests alongside scheduling, billing, and vendor management.
  • Lack of systems. No disclosure log, no amendment tracking, no organized process for access requests.
  • Clinical culture. Providers sometimes view access requests as challenges to their professional judgment rather than legal rights.
  • Volume pressure. In a busy clinic, a records request gets pushed to the bottom of the priority stack — and the 30-day clock runs out.

The solution is not more staff. It is better systems. Build the disclosure log now. Create a template for access request responses. Train front desk staff on what to do when a patient asks for their records. Assign the Privacy Officer ownership of the process. Use your HIPAA compliance roadmap to track these obligations alongside your other compliance requirements.

276 million Americans had their health data exposed in 2024. Patients are increasingly aware of their rights — and increasingly willing to exercise them. The practice that handles access requests promptly and professionally builds trust. The practice that delays, overcharges, or refuses creates a complaint that ends up on OCR's desk.

Patient rights are a compliance differentiator

In a world where healthcare breaches cost an average of $9.8 million (IBM, 2024) and where OCR is actively enforcing the Right of Access, getting patient rights wrong is an expensive mistake. Getting them right is an opportunity — to build trust, demonstrate professionalism, and differentiate your practice from competitors who still treat records requests as a nuisance.


This is Step 7 of our 17-step HIPAA compliance roadmap. Previous: Step 6 — Enforce Access Controls.