In 2023, OCR settled with a dental practice in New England for $50,000 after it failed to provide a patient with a copy of her medical records within the required timeframe. It wasn't a data breach or a hacking incident. It was a failure to honor one of the most basic Privacy Rule rights, and it triggered a federal investigation. If your workforce can't name the six patient rights under the Privacy Rule, your organization is already at risk.

What Are the Six Patient Rights Under the Privacy Rule — and Why They Matter Now

The HIPAA Privacy Rule, codified at 45 CFR Part 164 Subpart E, grants individuals a specific set of rights over their protected health information (PHI). These aren't suggestions. They are federally enforceable entitlements, and every covered entity — from large hospital systems to solo practitioners — must have policies, procedures, and trained workforce members capable of honoring them.

OCR has increased its focus on patient right-of-access cases since launching the Right of Access Initiative in 2019. As of early 2024, the agency had settled or imposed penalties in more than 45 right-of-access cases alone. That is one category of patient rights. Multiply that scrutiny across all six and the compliance exposure becomes significant.

The Six Individual Rights Your Organization Must Uphold

1. The Right to Access PHI

Under 45 CFR § 164.524, individuals have the right to inspect and obtain a copy of their protected health information maintained in a designated record set, in the form and format they request if it is readily producible. Your organization must act on the request within 30 days of receiving it; one 30-day extension is permitted, but only with written notice to the patient stating the reason for the delay. You may charge a reasonable, cost-based fee for copies (never for inspection), and you cannot withhold records because the patient has an outstanding balance.

This is the right most frequently enforced by OCR. If your front-desk staff doesn't know how to process an access request, your organization needs HIPAA training and certification for your workforce immediately.

2. The Right to Request Amendment of PHI

Under 45 CFR § 164.526, patients can request that a covered entity amend information they believe is inaccurate or incomplete. You have 60 days to act on the request, with one 30-day extension permitted if you give written notice. If you deny it, you must provide a written explanation of the basis for the denial and allow the patient to submit a statement of disagreement, which then becomes part of the record and travels with any future disclosure of the disputed information.

Many organizations lack a formal amendment request process. That procedural gap is a HIPAA violation waiting to happen.

3. The Right to an Accounting of Disclosures

Section 45 CFR § 164.528 gives individuals the right to receive a list of certain disclosures of their PHI made by the covered entity or its business associates. The accounting must cover up to six years prior to the date of the request (the patient may ask for a shorter period) and must include, for each disclosure, the date, the name of the recipient (and address, if known), a brief description of the PHI disclosed, and a brief statement of the purpose or a copy of the written request. You must act on the request within 60 days, with one 30-day extension, and the first accounting in any 12-month period must be free of charge.

Routine disclosures for treatment, payment, and healthcare operations are excluded, as are disclosures to the patient, disclosures made under a signed authorization, and incidental disclosures. Disclosures to public health authorities, to law enforcement, or pursuant to a court order are not excluded and must be logged at the time they are made. Maintaining accurate disclosure logs is essential, and it is often neglected because nobody asks for an accounting until years after the fact.
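As an added example (not code from the original page): a small Python generator that turns a disclosure log into the accounting described above, applying the six-year window, dropping the exempt categories, and summarizing repeated disclosures to the same recipient for the same purpose as § 164.528(b)(3) permits. The log schema, the category names in `EXEMPT_PURPOSES`, and every entry in `SAMPLE_LOG` are assumptions made for illustration; the patients and recipients are fictional. It also computes the 60-day response deadline, so it doubles as a sketch of the "disclosure tracking system capable of generating six-year accountings" that most organizations lack.

```python
"""Accounting of disclosures under 45 CFR 164.528, built from a disclosure log.

Added example, not code from the original page. The log schema, the purpose
category keys and the sample entries are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Categories that 164.528(a)(1) leaves OUT of the accounting. The keys are this
# example's own convention, not regulatory terms.
EXEMPT_PURPOSES = {
    "treatment", "payment", "operations",                   # TPO
    "to_individual", "incident_to", "authorization",
    "facility_directory", "national_security", "correctional", "limited_data_set",
}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str      # name (and address if known) of who received the PHI
    purpose: str        # category key; see EXEMPT_PURPOSES
    description: str    # brief description of the PHI disclosed
    statement: str      # brief purpose statement, or summary of written request


def accounting_window(request_date: date, requested_years: int = 6):
    """Period the accounting must cover: up to six years before the request.

    The patient may ask for a shorter period; a longer one is capped at six."""
    years = min(max(requested_years, 0), 6)
    try:
        start = request_date.replace(year=request_date.year - years)
    except ValueError:  # 29 Feb with no counterpart in the earlier year
        start = request_date.replace(year=request_date.year - years, day=28)
    return start, request_date


def build_accounting(log, patient_id, request_date, requested_years=6):
    """Accountable disclosures for one patient, oldest first.

    Repeated disclosures to the same recipient for the same purpose are
    summarized: full detail for the first, then a count and the latest date."""
    start, end = accounting_window(request_date, requested_years)
    in_scope = [d for d in log
                if d.patient_id == patient_id
                and start <= d.disclosed_on <= end
                and d.purpose not in EXEMPT_PURPOSES]
    groups = defaultdict(list)
    for d in sorted(in_scope, key=lambda d: d.disclosed_on):
        groups[(d.recipient, d.purpose)].append(d)
    entries = []
    for (recipient, _purpose), items in groups.items():
        first = items[0]
        entries.append({
            "date": first.disclosed_on.isoformat(),
            "recipient": recipient,
            "description": first.description,
            "purpose": first.statement,
            "count": len(items),
            "last_date": items[-1].disclosed_on.isoformat(),
        })
    return sorted(entries, key=lambda e: e["date"])


def response_deadline(received: date, extended: bool = False) -> date:
    """164.528(c)(1): act within 60 days; one 30-day extension with written notice."""
    return received + timedelta(days=90 if extended else 60)


# Constructed sample log (fictional patients and recipients).
SAMPLE_REQUEST_DATE = date(2024, 6, 1)
SAMPLE_LOG = [
    Disclosure("P-100", date(2016, 8, 1), "State Department of Public Health",
               "public_health", "immunization record", "mandatory reporting"),
    Disclosure("P-100", date(2021, 3, 2), "Dr. Example, Cardiology",
               "treatment", "full chart", "referral"),
    Disclosure("P-100", date(2022, 5, 10), "State Department of Public Health",
               "public_health", "lab result", "reportable disease report"),
    Disclosure("P-100", date(2023, 11, 14), "Example City PD",
               "law_enforcement", "name, address, DOB", "court order 2023-11-01"),
    Disclosure("P-100", date(2024, 1, 20), "Example City PD",
               "law_enforcement", "name, address, DOB", "court order 2023-11-01"),
    Disclosure("P-100", date(2024, 2, 3), "Example Health Plan",
               "payment", "claim detail", "claim submission"),
    Disclosure("P-200", date(2023, 6, 6), "State Department of Public Health",
               "public_health", "lab result", "reportable disease report"),
]

if __name__ == "__main__":
    for entry in build_accounting(SAMPLE_LOG, "P-100", SAMPLE_REQUEST_DATE):
        print(entry)
    print("respond by", response_deadline(SAMPLE_REQUEST_DATE))
```

For patient P-100 with a request dated 2024-06-01 the output contains two entries: the 2022 public-health report, and the law-enforcement disclosure listed once with a count of 2 and a last date of 2024-01-20. The 2016 report falls outside the six-year window, and the referral and claim submission are TPO and never appear. The design point is that the filtering happens at accounting time, not at logging time: log every disclosure with its category, then let the accounting code decide what is reportable, because the exemptions can change and a log that omitted "routine" disclosures cannot be reconstructed later.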

4. The Right to Request Restrictions on Uses and Disclosures

Under 45 CFR § 164.522(a), patients can ask your organization to restrict how their PHI is used or disclosed for treatment, payment, or healthcare operations. Covered entities are generally not required to agree to such requests, but if you do agree, you are bound by the restriction except in an emergency. There is one important exception where agreement is not optional.

If a patient (or someone on the patient's behalf) pays in full out of pocket for an item or service and asks that you not disclose it to their health plan for payment or healthcare operations, you must comply, unless the disclosure is otherwise required by law. The 2013 Omnibus Rule, implementing the HITECH Act, made this mandatory, and many organizations still haven't updated their billing and claims workflows to flag self-pay restricted services so they are not submitted to the plan.

5. The Right to Request Confidential Communications

Section 45 CFR § 164.522(b) allows individuals to request that your organization communicate with them through alternative means or at alternative locations. A domestic violence survivor may ask that appointment reminders be sent only to a personal email, not a shared home phone.

Health care providers must accommodate reasonable requests and may not require an explanation for the request as a condition of honoring it. You may require the request in writing, ask how payment will be handled, and require a specific alternative address or contact method. Health plans are treated differently: they may require a statement that disclosure could endanger the individual. In no case should you condition treatment on the patient withdrawing the request.

6. The Right to Receive a Notice of Privacy Practices

Under 45 CFR § 164.520, every covered health care provider with a direct treatment relationship must provide a Notice of Privacy Practices (NPP) no later than the first service delivery (or as soon as practicable after an emergency), make a good-faith effort to obtain the patient's written acknowledgment of receipt, post the notice prominently at the service site, and publish it on any website it maintains. Health plans must provide it at enrollment. The NPP must clearly describe how the organization uses and discloses PHI and must enumerate each of the patient rights listed above.

This right is foundational. Without a compliant NPP, your patients cannot meaningfully exercise any of their other rights. OCR routinely requests the NPP during compliance investigations, and outdated notices that predate the 2013 Omnibus Rule are a common finding.

The Minimum Necessary Standard and Patient Rights

It's worth noting that the minimum necessary standard under 45 CFR § 164.502(b) does not apply when a patient exercises their right to access their own PHI. Your organization cannot use the minimum necessary principle to withhold records a patient has requested. This is a frequent misunderstanding, especially among clinical staff who may be unfamiliar with the distinction.

Business Associates Have Obligations Too

When a business associate maintains PHI in a designated record set on behalf of a covered entity, the business associate must make that information available so the covered entity can fulfill access and amendment requests, and must supply the information needed for an accounting of disclosures. These are required terms of every business associate agreement under 45 CFR § 164.504(e)(2)(ii). Your agreements should also set turnaround times short enough that you can still meet the 30-day access deadline after the business associate responds. If they don't, you have a contract gap that could become a compliance liability.

How to Operationalize Patient Rights Across Your Workforce

Policies alone don't protect you. OCR evaluates whether your workforce members — from front-office staff to IT administrators — can actually execute these rights in practice. Here's where most organizations fall short:

  • No standardized intake process for access and amendment requests
  • No disclosure tracking system capable of generating six-year accountings
  • Outdated Notice of Privacy Practices that omit Omnibus Rule requirements
  • No training on the mandatory restriction for self-pay services
  • No documented workflow for confidential communication requests

Each of these gaps represents a potential HIPAA violation with real enforcement consequences. Building a culture of compliance starts with workforce training that covers these rights in detail — not as abstract concepts, but as daily operational responsibilities.

If your organization hasn't conducted recent training on patient rights, explore HIPAA Certify's workforce compliance program to bring your team up to standard before OCR comes asking questions.

Risk Analysis Should Include Patient Rights Readiness

Your Security Rule risk analysis under 45 CFR § 164.308(a)(1)(ii)(A) addresses risks to electronic PHI, but your organization's compliance risk register should not stop there. Administrative failures under the Privacy Rule, like not honoring access requests on time or lacking an amendment process, are risks with their own enforcement history and belong in that register with owners and remediation dates. OCR's Right of Access enforcement record makes this clear: patient rights failures draw penalties without any breach or security incident behind them.

Understanding the six patient rights under the Privacy Rule is the first step. The harder work, and the work that actually protects your organization, is building systems, training people, and monitoring compliance every day.