HIPAA Privacy Rule – Rights and Additional Requirements

Health Insurance Portability and Accountability Act

The HIPAA Act of 1996 required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.


Name: Health Insurance Portability and Accountability Act

Short Name: HIPAA

Effective Date: August 21, 1996

Region | State: CA, US

Applicable Industries: HIPAA applies primarily to industries and organizations that handle protected health information. The key types of industries and entities it applies to are: Healthcare Providers, Health Plans, Business Associates, Healthcare Contractors, Telemedicine and Health Tech Companies, Pharmaceutical Companies and Clinical Research Organizations, and Employers.

HIPAA Privacy Rule – Individuals’ Rights




Right to Notice of Privacy Practices

Each covered entity must provide a notice of its privacy practices that tells individuals how it may use and share their health information. It must also describe individuals’ health privacy rights. In most cases, individuals should receive the notice on their first visit to a provider or in the mail from their health plan.

Also referred to as: Right to Notice

Citation: 45 C.F.R. §§ 164.520(a) and (b)


Right to Receive Paper Copy of Privacy Notice

A covered health care provider with a direct treatment relationship with individuals must deliver a privacy practices notice to patients starting April 14, 2003.

Under the HIPAA Privacy Rule, individuals have the right to receive a paper copy of the Notice of Privacy Practices (NPP). The NPP is a document that explains how a covered entity (CE) may use and share an individual’s protected health information (PHI). CEs are required to provide a copy of their NPP to individuals at the time of their first appointment or service, or upon request.

Citation: 45 C.F.R. § 164.520(c).


Right to Access

Individuals have the right to review and obtain a copy of their protected health information in a covered entity’s designated record set. The “designated record set” is that group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider’s medical and billing records about individuals or a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems.

Also referred to as: Right to Know; Right to Information

Citation: 45 C.F.R. § 164.520(c).


Right to Amendment

The Rule gives individuals the right to have covered entities amend their protected health information in a designated record set when that information is inaccurate or incomplete.

Also referred to as: Right to Rectification

Citation: 45 C.F.R. § 164.526.


Right to Disclosure Accounting

Individuals have a right to an accounting of the disclosures of their protected health information by a covered entity or the covered entity’s business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request, except a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date.

Citation: 45 C.F.R. § 164.528


Right to Authorization for Use or Disclosure

A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.

Citation: 45 C.F.R. § 164.508


Right to Restrict Use or Disclosure

Individuals have the right to request that a covered entity restrict use or disclosure of protected health information for treatment, payment or health care operations, disclosure to persons involved in the individual’s health care or payment for health care, or disclosure to notify family members or others about the individual’s general condition, location, or death. A covered entity is under no obligation to agree to requests for restrictions.

Also referred to as: Restriction Request

Citation: 45 C.F.R. § 164.522(a)


Right to Review Denial Access

For information included within the right of access, covered entities may deny an individual access in certain specified situations, such as when a health care professional believes access could cause harm to the individual or another. In such situations, the individual must be given the right to have such denials reviewed by a licensed health care professional for a second opinion.

Covered entities may impose reasonable, cost-based fees for the cost of copying and postage.


Right to file a complaint

A person who believes a covered entity or business associate is not complying with the administrative simplification provisions may file a complaint with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR).

Citation: 45 C.F.R. § 164.530(d).


Right to Request Confidential Communication

Health plans and covered health care providers must permit individuals to request an alternative means or location for receiving communications of protected health information by means other than those that the covered entity typically employs. For example, an individual may request that the provider communicate with the individual through a designated address or phone number. Similarly, an individual may request that the provider send communications in a closed envelope rather than a post card.

Citation: 45 C.F.R. § 164.522(b).

HIPAA-Specific Requirements for Covered Entities

These are not individual rights but HIPAA Privacy Rule requirements that the company (i.e., the covered entity) must fulfil.

Privacy Policies and Procedures

A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.
