Know Your Patients’ Rights

By Diane Evans

Publisher, MyHIPAA Guide

Patients may have more rights over their health records than you realize.

Under today’s privacy rules, consent entails far more than a “check-the-box” exercise as in the past.  Yet, according to government sources, an estimated 27% of Americans aren’t even aware of their basic right to electronic copies of their medical records.

In a public awareness effort, the feds recently released information, including videos, to educate the public so people can make choices based on personal preferences. 

Meanwhile, here are some of the key points to keep in mind, based on information in a model Patient Privacy Notice published by the federal government:

· Patients are permitted to see, or get an electronic or paper copy of, their medical record and other health information a doctor has about them. Generally, patients should expect to have copies of their records within 30 days of a request, and they may be charged a reasonable fee, based on allowable calculations.

· Patients may ask their doctor to correct health information they believe is incorrect or incomplete. The doctor may say no, but should offer a written explanation of why within 60 days.

· Patients may ask for a list of the times their health information has been shared, who received it and why, going back six years.

· If a patient pays out-of-pocket in full for a service or health care item, the patient can ask a doctor not to share that information with the patient’s health insurer. The doctor should say yes unless a law requires the sharing of certain information.

· If a patient has a legal guardian, or has given someone medical power of attorney, that person can exercise the patient’s rights and make choices about his or her health information.

In addition, a patient can ask to be contacted in a specific way, such as at an office phone or at a different mailing address.  In its Guide to Privacy and Security of Electronic Health Information, the feds tell health care providers they “must accommodate reasonable requests” from patients.  For example, a patient may request that appointment reminders be left on their work voicemail rather than home phone voicemail.

For those who prefer email communications, healthcare providers may send unencrypted emails. However, the patient should consent to unsecured emails based on an understanding of the risks.

There are certain things that HIPAA does not do, and these limitations should be understood as well, as detailed in a federally produced Fact Sheet titled Medical Privacy of Protected Health Information.

For example, the Fact Sheet points out that healthcare providers can share protected health information, without a patient’s permission, with:

· Other professionals who are treating that individual;

· Health plans and other entities for billing and payment purposes;

· Certain public health and safety officials, for situations such as disease prevention, product recalls, suspected abuse, neglect or domestic violence.

In addition, the Fact Sheet notes:

· HIPAA does not prevent calls or visits to hospitals by a patient’s family or friends, the clergy, or anyone else. As long as the patient does not object, health care professionals may provide information to a patient’s family, friends, or anyone else identified by a patient as involved in his or her care.

· Unless a patient objects, basic information such as the patient’s phone and room number may appear in a hospital directory.

· Members of the clergy may access a patient’s religious affiliation if provided by the patient, and they do not have to ask for patients by name.

· If a patient is incapacitated, healthcare providers may share information with a patient’s family or friends if they believe doing so is in the patient’s best interest.


One other thing to keep in mind: Information sometimes slips out in ways that do not violate federal privacy rules. HIPAA does not eliminate all so-called “incidental disclosures” of patient information. Incidental disclosures are considered acceptable if a healthcare provider has policies and procedures in place to reasonably safeguard protected health information. An incidental disclosure might happen if a hospital visitor overhears a provider’s confidential conversation taking place, or if someone glimpses a patient’s name on a sign-in sheet or nursing station whiteboard.

Throughout its published materials, the federal government clearly acknowledges that no one healthcare provider can totally eliminate the risk of unauthorized disclosures.  Privacy rules set out to reduce risk to the greatest extent reasonably possible.
