In 2023, OCR settled with a health system for $40,000 after the organization failed to provide a patient timely access to her own medical records — a right she'd held under federal law for over two decades. Cases like this surface regularly because covered entities still misunderstand what the Privacy Rule grants to patients and how aggressively OCR enforces those rights. If your organization handles protected health information, every member of your workforce needs to know these rights cold.

What Does the Privacy Rule Grant to Patients? Six Core Rights

The HIPAA Privacy Rule, codified at 45 CFR Part 164 Subpart E, establishes a comprehensive set of individual rights over protected health information (PHI). These aren't suggestions — they're enforceable mandates that apply to every covered entity and, through business associate agreements, extend across your entire ecosystem of partners.

Here are the six foundational rights the Privacy Rule grants to patients:

  • Right to Access PHI (§164.524): Patients can inspect and obtain a copy of the PHI in their designated record set: the medical and billing records a provider maintains, and the enrollment, payment, claims adjudication, and case or medical management records a health plan maintains. Psychotherapy notes and information compiled for litigation are excluded. You must act on a request within 30 days of receiving it, with one 30-day extension available only if you tell the patient in writing, before the first deadline passes, why you need it and when you will respond.
  • Right to Request Amendment (§164.526): Patients can ask you to amend inaccurate or incomplete PHI. You must act within 60 days. If you deny the request, you must provide a written explanation in plain language and allow the patient to submit a statement of disagreement.
  • Right to an Accounting of Disclosures (§164.528): Patients can request a list of certain disclosures your organization has made of their PHI during the six years before the request. Disclosures for treatment, payment, and healthcare operations are the most important exclusion; disclosures to the patient and disclosures made under the patient's written authorization are also exempt. You must provide the accounting within 60 days, and the first accounting in any 12-month period must be free of charge.
  • Right to Request Restrictions (§164.522(a)): Patients can ask you to limit how their PHI is used or disclosed. You are generally free to decline, but you must agree when a patient has paid for an item or service out of pocket in full and asks that you not disclose it to their health plan for payment or healthcare operations, unless the disclosure is required by law.
  • Right to Request Confidential Communications (§164.522(b)): Patients can ask to receive communications about their PHI by alternative means or at alternative locations, for example by asking that appointment reminders go only to a personal email address. Providers must accommodate reasonable requests; health plans must do so when the patient states that disclosure could endanger them.
  • Right to Receive a Notice of Privacy Practices (§164.520): Covered entities with a direct treatment relationship must give every patient the Notice of Privacy Practices no later than the first service delivery (in an emergency, as soon as practicable afterward), and health plans must give it to enrollees. The notice describes how your organization uses and discloses PHI and how the patient can exercise their rights.

The Right OCR Enforces Most Aggressively: Patient Access

OCR launched its HIPAA Right of Access Initiative in 2019, and since then it has settled or imposed penalties in dozens of enforcement actions, with amounts ranging from a few thousand dollars to several hundred thousand dollars. The message is unmistakable: delays, excessive fees, or outright denials of patient access requests will trigger enforcement.

In my work with covered entities, I've seen organizations stumble on the same issues repeatedly. Front desk staff don't know the 30-day response window. Health information management departments charge fees that exceed the reasonable, cost-based amount permitted under the rule. And some providers still require patients to pick up records in person when the patient has requested an electronic copy.

Your workforce must understand that a patient can ask for their records in a particular form and format, including electronic formats, and that you must provide the records that way if they are readily producible. If the PHI is maintained electronically and the patient asks for an electronic copy that you cannot readily produce in the requested format, you must offer a readable electronic form and format the patient agrees to rather than defaulting to paper.

Amendment and Accounting Rights Your Staff Likely Overlooks

The right to request amendment and the right to an accounting of disclosures generate fewer headlines than access violations, but they create real compliance exposure. When a patient submits an amendment request, your organization has 60 days to act, extendable once by 30 days with written notice to the patient. If you deny the request, the denial must be in writing and in plain language, and you must allow the patient to file a statement of disagreement, which you append to or link with the contested record and include in any future disclosure of it.

Accounting of disclosures trips up organizations because it requires you to track non-routine disclosures, meaning those made for purposes other than treatment, payment, or healthcare operations and not covered by another exemption such as a disclosure to the patient or one made under the patient's authorization. If your organization discloses PHI to a public health authority, a law enforcement agency, or in response to a court order, that disclosure must be logged with its date, the recipient, a brief description of the PHI, and the purpose, and it must remain retrievable for six years.

Without a system to capture these disclosures, you're non-compliant the moment a patient exercises this right.
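The kind of disclosure-tracking system the preceding paragraphs call for, written here as an added example rather than code from the original article: an append-only, hash-chained log of disclosures that can answer an accounting request for the six-year window with the four elements §164.528(b)(2) requires (date, recipient, description of the PHI, purpose) while dropping exempt purposes. The record layout, the hash chaining, the purpose labels, and the sample entries are this example's own assumptions, not anything the article prescribes.

```python
"""Accounting-of-disclosures log: added example, not code from the original article.

Assumptions that are this example's own design, not drawn from the page: the
record fields, the hash chaining, the purpose labels and the sample data. The
six-year window and the exempt purposes come from 45 CFR 164.528.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import date

# Disclosures that need no accounting under 164.528(a)(1). Treatment, payment
# and operations are the exclusion the article names; the rest are the other
# statutory exclusions (to the patient, under an authorization, facility
# directory). Anything else must appear in the accounting.
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "operations",
    "to_individual", "authorization", "facility_directory",
})

GENESIS = "0" * 64  # chain anchor for the first entry


@dataclass(frozen=True)
class Disclosure:
    """One disclosure, carrying the four elements an accounting must report."""
    patient_id: str
    disclosed_on: date    # date of the disclosure
    recipient: str        # name and, if known, address of the recipient
    phi_description: str  # brief description of the PHI disclosed
    purpose: str          # brief statement of purpose, e.g. "public_health"


def _years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


class DisclosureLog:
    """Append-only log; each entry's hash covers the previous hash, so an
    edited or deleted entry breaks verification of everything after it."""

    def __init__(self) -> None:
        self._entries: list[tuple[Disclosure, str]] = []  # (record, chained hash)

    @staticmethod
    def _chain_hash(prev: str, d: Disclosure) -> str:
        body = json.dumps(asdict(d), default=str, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def record(self, d: Disclosure) -> str:
        prev = self._entries[-1][1] if self._entries else GENESIS
        h = self._chain_hash(prev, d)
        self._entries.append((d, h))
        return h

    def verify(self) -> bool:
        prev = GENESIS
        for d, h in self._entries:
            if self._chain_hash(prev, d) != h:
                return False
            prev = h
        return True

    def accounting(self, patient_id: str, as_of: date) -> list[dict[str, str]]:
        """Accountable disclosures for one patient in the six years before as_of,
        oldest first, with the fields 164.528(b)(2) requires."""
        cutoff = _years_before(as_of, 6)
        hits = sorted(
            (d for d, _ in self._entries
             if d.patient_id == patient_id
             and cutoff <= d.disclosed_on <= as_of
             and d.purpose not in EXEMPT_PURPOSES),
            key=lambda d: d.disclosed_on,
        )
        return [{"date": d.disclosed_on.isoformat(), "recipient": d.recipient,
                 "phi": d.phi_description, "purpose": d.purpose} for d in hits]


AS_OF = date(2024, 6, 1)  # request date used by the constructed sample below


def build_sample_log() -> DisclosureLog:
    """Constructed sample entries (illustrative data, not real patients)."""
    log = DisclosureLog()
    for d in (
        Disclosure("P-1001", date(2017, 1, 15), "County Court, 1 Main St", "Visit notes", "court_order"),
        Disclosure("P-1001", date(2019, 6, 15), "City Police Dept", "Admission date", "law_enforcement"),
        Disclosure("P-1001", date(2024, 2, 1), "Referring physician", "Full chart", "treatment"),
        Disclosure("P-1001", date(2024, 3, 1), "State Health Dept", "Lab result", "public_health"),
        Disclosure("P-2002", date(2024, 3, 2), "State Health Dept", "Lab result", "public_health"),
    ):
        log.record(d)
    return log


def sample_accounting() -> list[dict[str, str]]:
    """Accounting for P-1001 as of AS_OF: the 2017 court order is outside the
    six-year window and the treatment disclosure is exempt, so two rows remain."""
    return build_sample_log().accounting("P-1001", AS_OF)


if __name__ == "__main__":
    for row in sample_accounting():
        print(row)
    print("chain intact:", build_sample_log().verify())
```

The hash chain is what makes the log defensible in an investigation: a disclosure that was never recorded, or one edited after the fact, cannot be hidden without breaking every later hash, which is the first thing an auditor should check before trusting the accounting. In production the purpose field should come from a controlled vocabulary so that an exempt category cannot be spelled in a way the filter misses, and the log itself should live in storage that workforce members cannot rewrite.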

The Minimum Necessary Standard and Patient Rights

One critical nuance: the minimum necessary standard, which requires covered entities to limit PHI use and disclosure to the minimum amount needed, does not apply to disclosures to the individual (§164.502(b)(2)). The only limits on an access request come from §164.524 itself, which excludes psychotherapy notes and information compiled for litigation; otherwise, when a patient exercises the right of access, you provide the PHI in the designated record set that they ask for.

This distinction confuses workforce members who've been trained to restrict PHI sharing. Comprehensive HIPAA training and certification should address this explicitly so staff don't inadvertently deny or delay legitimate patient requests.

Notice of Privacy Practices: The Right That Starts the Relationship

Your Notice of Privacy Practices is the document that informs patients about everything the Privacy Rule grants them. Under §164.520, covered entities with direct treatment relationships must provide the notice no later than the first service delivery and make a good faith effort to obtain written acknowledgment.

Too many organizations treat the Notice of Privacy Practices as a paperwork formality. In reality, it's a binding description of how you handle PHI. If your notice doesn't accurately reflect your current practices — or if it omits required patient rights — you're exposed in any OCR investigation.

Review your notice at least annually and update it whenever your practices change. Post the current version prominently on your website if you maintain one, and retain every prior version for six years from the date it was last in effect, as §164.530(j) requires.

How to Build Compliance Around Patient Rights

Understanding what the Privacy Rule grants to patients is the foundation; operationalizing those rights is where compliance lives. Here's what I recommend to every organization I work with:

  • Assess, as part of your compliance review, how your organization handles access, amendment, accounting, restriction, and confidential communication requests, from intake to response, and where each process can miss a deadline or lose a request.
  • Train every workforce member — not just clinical staff. Receptionists, billing teams, IT personnel, and business associates all interact with PHI and must know patient rights. Structured programs like those at HIPAA Certify's workforce compliance platform ensure consistent, documented training across your entire organization.
  • Document everything. Every request, every response, every denial reason. OCR investigations move fast when you can produce a clear paper trail — and stall painfully when you can't.
  • Set calendar-based reminders for response deadlines: 30 days for access and 60 days for amendments and accountings. Each can be extended once, by up to 30 days, and only if you notify the patient in writing within the original window, stating the reason for the delay and the date by which you will respond.

Patient rights under the Privacy Rule aren't abstract principles — they're operational requirements backed by real enforcement consequences. Every HIPAA violation related to patient rights is preventable with proper training, clear policies, and leadership that treats compliance as a daily practice, not an annual checkbox.