HIPAA Rights: Your Control Over Health Information

HIPAA gives you important rights over your health information, including access, corrections, and control over who sees your data. Here's how to exercise these rights.

April 16, 2026

HIPAA gives you important rights over your health information.

Right to Access Your Records:

  • Request copies from any provider; they must respond within 30 days
  • They can charge a reasonable fee but cannot refuse access
  • You can request records in electronic format

Right to Corrections:

  • Request corrections to errors; provider must respond within 60 days
  • If refused, you can submit a statement of disagreement

Right to Know Who Has Your Data:

  • Request an "accounting of disclosures" covering the previous 6 years

Right to Restrict Sharing:

  • If you pay entirely out of pocket, you can prevent the provider from sharing that info with your insurer

Breach Notification:

  • Organizations must notify you within 60 days if your health data is compromised

Detailed Rights Explanation

Access Rights:

Your healthcare providers and health plans must give you copies of your health information in most cases. This includes:

  • Medical records
  • Billing records
  • Any other records used to make decisions about your care

What You Can Request:

  • Specific portions of your record
  • Your entire medical record
  • Records in electronic format (if available)
  • Records sent directly to someone you designate

Provider Response Requirements:

  • Must provide access within 30 days (60 days if records are off-site)
  • Can charge reasonable cost-based fees for copying
  • Cannot deny access except in very limited circumstances
  • Must provide records in the format you request if readily available

Amendment Rights:

If you believe your medical record contains an error:

  1. Submit a written request to amend
  2. Provider has 60 days to respond (90 days with extension)
  3. If approved, they must make the correction and notify relevant parties
  4. If denied, you can submit a statement of disagreement

Accounting of Disclosures:

You can request a list of who your information was shared with, including:

  • When it was shared
  • Who received it
  • Why it was shared
  • What information was shared

Restrictions on Use: You can ask your provider or health plan to restrict how they use or share your information. They don't have to agree, except in one case: if you pay out of pocket in full for a service, you can require that they not share that information with your health insurer.

Communication Preferences:

  • You can ask to be contacted in a specific way (home phone vs. cell phone)
  • You can ask to be contacted at a specific location
  • Providers must accommodate reasonable requests

Special Protections

Mental Health Records:

  • Often have additional state law protections
  • May require special consent for sharing
  • Psychotherapy notes have extra protections under HIPAA

Substance Abuse Treatment:

  • Federal regulations provide additional privacy protections
  • Generally requires patient consent for any disclosure
  • Protected even from law enforcement in most cases

Genetic Information:

  • Cannot be used by health insurers for underwriting (under GINA)
  • Special protections in employment contexts

What HIPAA Doesn't Cover

Not Covered Entities:

  • Employers (except when providing healthcare)
  • Life insurers
  • Schools (except health clinics)
  • Many mobile health apps
  • Fitness trackers and wellness programs (unless connected to healthcare)

When to File a HIPAA Complaint

File with HHS Office for Civil Rights if:

  • A covered entity denies you access to your records
  • You suspect your health information was used or shared inappropriately
  • A covered entity doesn't respond to your requests within required timeframes
  • You believe there was a data breach that wasn't properly reported

How to File:

  • Online: hhs.gov/ocr/complaints
  • Phone: 1-800-368-1019
  • Must file within 180 days of when you knew about the violation

Enforcement: OCR can investigate complaints and impose fines ranging from hundreds to millions of dollars for HIPAA violations.

Pro Tips:

  • Keep copies of all requests you make
  • Follow up in writing if you don't get responses
  • Know that you have rights even if providers seem reluctant to comply
  • Your rights apply to all covered entities, not just your doctor

Filing a Complaint: HHS Office for Civil Rights at hhs.gov/ocr/complaints or 1-800-368-1019. File within 180 days of the violation.

Official Source

https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html#:~:text=Your%20Health%20Information%2C%20Your%20Rights

This information comes from official government sources and regulations.
