Patient’s Guide to HIPAA Part II – Basic Patient Rights: (FAQ 13 – 53)



You are reading the Patient’s Guide to HIPAA Part II, which is FAQ 13-53

This section includes all of Part II of the Guide, Basic Patient Rights, FAQ 13-53. Part II covers the rights that HIPAA grants to patients. The rule defines seven patient rights, but not all of those rights are meaningful. We discuss the rights in what we consider their order of importance. Your mileage may vary.

A. Right to a Notice of Privacy Practices (FAQ 13 – 17)


FAQ 13: What is a HIPAA Notice of Privacy Practices?

The rule requires each covered entity, like a hospital, to publish a notice of privacy practices. The notice describes how each entity implements the rule. Notices from different health care institutions may look similar because the rule is the same for everyone. However, each notice will have some details (procedures, addresses, etc.) that are specific to the institution. If you want to learn more about health privacy, a notice of privacy practices is a good place to start. So is this FAQ!


FAQ 14: Why Are the Notices Long and Boring?

One answer is that the rule is long and complicated. Another answer is that lawyers write many of the notices. Often, lawyers write like lawyers, and the result is sometimes complete and precise but often incomprehensible. Some privacy notices – and not just notices for health – are deliberately written to be obscure. Even other lawyers can’t understand them. Not every organization really wants you to understand or exercise your privacy rights.

In the end, health privacy is a complex subject, and health records have quite a few uses and disclosures that you probably never thought about. All of these factors contribute to the length and complexity of the notices. But the notice is your friend and your guide if you want to pursue your rights.


FAQ 15: Should I Read the Notice?

Only if you want to. Every expert says that people should know their rights and understand privacy. We agree, but we recognize that people often don’t have the time or interest. Don’t feel guilty if you just don’t have the interest today to read the notice from your doctor, hospital, laboratory, pharmacy, etc. What is important is that the notice exists and that the record keeper who produced the notice has a privacy policy and – we hope – actually implements the policy appropriately.

The HIPAA requirement that each covered entity prepare a notice was a big advance in privacy protection. That remains true even if most patients never read the notice. The notice also tells a covered entity’s employees what the privacy rules are. That is just as important as telling patients what the rules are. In the past, employees often didn’t know whether there were privacy rules or what those rules stated.

To put it another way, you have privacy rights whether or not you know the details. Your rights do not depend on your level of understanding. You can do a better job of protecting your rights if you know more, of course.

Here’s what’s really important:

  • Read the notice when it matters to you. If you decide that you want a copy of your health records, that’s a time to read the notice and find out how to obtain the records.
  • If you think that there is an error in your record, read the notice and learn how to ask for a correction.
  • If you think that your records were improperly used or disclosed, read the notice to see if you are right.
  • If you have a privacy complaint, you can read about the complaint procedure that the rule provides.

When it makes a difference to you, get a copy of the notice and read it. That could be today or two years from now. You can always ask for a copy, even if you are no longer someone’s patient. If a provider or insurer maintains a website, it should post a copy of its privacy policy on the website. That may make it easier for you to find the notices that you need.


FAQ 16: What Are the Forms that My Doctor’s Office Asks Me to Sign?

The rule generally requires a health care provider to make a good faith effort to obtain an acknowledgement that each patient received the notice. Some people think that it is a dumb requirement and a paperwork burden, but that’s what the rule says. Signing a standard acknowledgement does not waive your rights.

You do not have to sign the acknowledgement. Your rights do not change if you sign or don’t sign. However, the requirement for a signature is poorly understood. Some receptionists think that a signature is mandatory, and they will hassle you if you don’t sign. Some will tell you that you must sign or you can’t see the doctor. That is wrong.

You can fight about signing the acknowledgement if you want. We suggest, however, that this isn’t a fight worth having. Save your energy for another battle. The acknowledgement – if that is all that the form contains – is meaningless. If you see something on the form that you don’t like, you can just cross it out. Odds are that no one will even look at what you did.

We hear that some doctors are asking patients to sign broader forms that limit the ability of patients to file malpractice suits, that prevent patients from talking about the doctor to other people or on the Internet, or that accomplish other things that benefit the doctor and not the patient. We suggest being very careful if offered these types of documents. We wouldn’t sign one.

What you really need to know:

When you visit your doctor’s office for the first time, someone should offer you a copy of the doctor’s notice. You may be offered the same notice on each visit because many offices find it easier to give every patient a notice on every visit rather than keeping track of first visits. Sometimes, the notice will be sitting on a counter or table. You have the right to take a copy home. Remember that you can always ask for a copy later or find it on the website of your doctor or insurer. If you don’t care about it today, it should be available to you later, even if you are no longer a patient of that doctor or covered by that insurer.

Your health plan also will provide you a notice, but the rules for getting you the notice are somewhat different for health plans. Patients really don’t need to know those rules. You probably received a health plan notice in the mail, but you may have ignored it. If you want a notice from your health plan, ask for it or look on the health plan’s website.

The 2013 changes to the HIPAA rule will result in changed privacy notices for just about every covered entity. You will be offered new notices or be told that they are available. Again, you can pay attention to the notices or wait until you have a particular reason to care about your health privacy rights.


FAQ 17: What Are the Most Important Parts of the Notice?

Almost any health privacy notice will tell you something that you probably didn’t know. For example, a notice is supposed to include examples of the uses and disclosures that a covered entity can make. These examples will likely be both enlightening and disturbing. The basic list of uses and disclosures is long to begin with, and that may be upsetting if you’ve never read about them before.

Most notices are quite similar because you have the same rights everywhere the rule applies. If you read one notice, you’ve generally read them all. However, there may be some variations here and there between notices from health care providers and notices from insurers. Differences in state law may result in different notices from covered entities in different states.

When you want to exercise your rights at a particular covered entity, the local procedures described in the notice are likely to be different in each notice. That’s when reading the notice may matter a lot. Each notice should describe the covered entity’s procedures for exercising patient rights. Make sure you follow any specified procedures. Otherwise, here are some notable features to look for:

• If the notice is for a hospital or other large institution, read the description of which institutions and providers are covered. We have a notice for a hospital that says that more than a dozen different institutions in three states are part of the same institution. That means that patient information can be readily shared among all the affiliated organizations without your consent. That ability to share records widely is not unusual and is not always troubling. Further, being able to obtain care at related institutions may be a good thing. Consider, however, if your cousin works in a health care facility in a nearby state. You may not realize that facility is connected to the health care provider that you see regularly. You might not be happy knowing that your cousin may have access to your record. It may or may not be lawful for your cousin to do so, but the possibility may be unnerving.

• A hospital can use your records in a limited way for fundraising. You have the right to tell the hospital not to use your records for fundraising. If you say nothing, then use of your records for fundraising is permissible. A 2013 change requires a covered entity to include in each fundraising communication a clear and conspicuous opportunity to opt-out of future fundraising communications. Exercising this opt-out right may not be of critical importance, but it helps everyone if some people exercise opt-out rights when they exist.

• Find the national security disclosure provision. A covered entity can disclose your records for just about any national security purpose. The rule does not require a warrant, court order, subpoena, or any procedure prior to the disclosure. We point this out because it is perhaps the most privacy-invasive of the HIPAA disclosure provisions. You are also invited to look for other broad and objectionable disclosure provisions in the notice. Don’t blame the hospital or doctor. The rule allows these disclosures to be made, and privacy notices usually reserve the right for a covered entity to make allowable disclosures. However, the disclosures are not necessarily mandatory. In other words, a doctor can disclose your record to the CIA, but the doctor can usually say no.

• Look for the provision that says a covered entity can change the notice at any time and with retroactive effect. This isn’t quite as bad as it looks because HIPAA limits the ability of a covered entity to change the policy. The covered entity must comply with HIPAA, and it cannot change the notice and take away your rights. However, if HHS changes HIPAA or if Congress passes new laws, then your rights can expand, diminish, or disappear. Most privacy policies elsewhere (such as on commercial websites like search engines or clothing retailers) are not based on formal legal requirements and are changeable at the discretion of the record keeper. Changes are not always bad, but it is okay to be a bit suspicious.

• Find the right to request alternate methods of communications. This right may be important to you, and the notice tells you how to exercise this right. We explain this right in full later. (See FAQs 25-28.)

• At the end of the notice is where you will probably find contact information for the covered entity’s privacy officer. If you have any questions or want to exercise your rights, the privacy officer for the covered entity is probably the first person to contact.


B. Right to Inspect and Copy Your Record (FAQ 18 – 24)


FAQ 18: Why Both Inspect and Copy?

HIPAA provides each patient with the right to inspect his or her record and to have a copy of the record. These are two different things. You cannot be charged a fee if you want to inspect your records. This means that you can always see your record, even if you don’t want to pay.

If you want a copy of the record to take with you, then you can be charged a fee. You can also be charged an additional fee if you ask for a summary or explanation of your record. You do not have to ask for a summary or explanation.


FAQ 19: Do I Want to See or Copy My Record?

There are many reasons you might want to review your health record at your health care provider or insurer. Decide if any of these appeals to you:

• You plan to move to another city and want to bring your records to a new doctor so that the doctor has your current information on your first visit. You may not know who the new doctor is in advance so you cannot arrange a doctor-to-doctor transfer.

• You want a second opinion from another doctor and want to avoid having duplicate tests. If you have the records, you don’t have to let your first doctor know about the second opinion.

• You want to make sure that your new consulting doctor knows about earlier treatments and previous tests.

• You want to keep a permanent copy of all your health records in one place and in your possession.

• You are curious.

• You want to make sure that your children have your records because you think that something in your record (e.g., genetic information or family history that they may not know) may eventually be relevant to their treatment.

• You have given your medical power of attorney to your grandson, and you want him to have all of your records (not just those for your current treatment) so that he can make informed decisions or so he can obtain assistance in making choices. By the way, the records that you give to your grandson are not covered by HIPAA in his hands (except, perhaps, if he is a physician or other health care provider).

• You want to talk to a lawyer about medical malpractice and don’t want your health care provider to know about it.

• You think that there might be incorrect or irrelevant information in your record.

• You think that you are a victim of medical identity theft.

• You think that your insurance company improperly denied your claim, and you want to see the record about you that the company maintains.

• You think that your doctor or insurance company is lying to you.

• Any other reason or no reason. It is your right to see or have a copy of your record. You don’t need to have a reason. You do not have to tell anyone what your reason is.


FAQ 20: Which Records Can I Get and in What Formats?

You can generally ask for all of your records maintained by any covered entity, but the covered entity can withhold some records. We will cover that subject in FAQ 24.

The copying of paper records is familiar to everyone. For electronic records that a covered entity maintains (whether or not the information is formally maintained in an electronic health record), you have the right to obtain the information from a covered entity in an electronic format. Generally, you can choose the electronic format you want as long as the information is readily reproducible in that format. In other words, a covered entity has to give you the format you want if it can without a great deal of trouble. Be sure to state your preference and ask for alternative formats if you can. You can also ask the covered entity what formats it is capable of providing and then make an appropriate choice.

Remember that some electronic records (e.g., 3-D images created by an MRI) may be maintained in a format that requires special software to read. If your goal is to be able to share an electronic record with a physician, then the native format may be okay because your physician will likely be able to read it in that format even if you can’t.

Depending on your purpose, you may be interested in records of your hospitalization, records from your family physician, records from your insurance company, records from your pharmacy or pharmacy benefit manager, or your records from any other covered entity. You can ask every covered entity for all of your records, but the next few questions suggest reasons for narrowing your request.

New in 2013 is a requirement that you can tell a covered entity to transmit your record directly to someone you designate. Your request must be in writing, signed, and clearly identify the designated person and where to send the copy of protected health information. This is not the same as an authorization, which has many more elements to it. Authorizations are discussed in later FAQs.

We think this rule was needed because some hospitals made it hard for a patient’s lawyer to obtain the patient’s record. It’s fine to use this capability, but be careful that you don’t casually or accidentally sign a form that allows someone to get your health records. Whoever gets your records in this fashion may not be subject to HIPAA, and your records could conceivably be made public or used for marketing or profiling. If you allow a data broker or marketer to have a copy of your health records, you are not likely to be happy about the result. This particular change in the rule has potential for mischief, but you can protect yourself by being careful what you sign. That’s good advice all the time.


FAQ 21: How Much Will It Cost For a Copy of My Medical Record?

A covered entity can charge a reasonable, cost-based fee for providing a copy. The fee may include only the cost of labor for copying, the cost of supplies for creating the paper copy or electronic media, and the cost of postage. Any other copying charges – including but not limited to administrative fees, overhead, retrieval costs for locating data – are improper. Charges for inspecting a record are improper, even if the covered entity says that it had to make a copy for you to inspect. Charges for a summary or for an explanation are permissible if you ask for a summary or explanation.

Don’t let anyone charge you more than is allowed by the HIPAA rule. If you don’t think that the fees are proper, complain about it. You have a right to complain to the Secretary of HHS (via the Office of Civil Rights), and that right will be covered later. (See FAQs 46-50, 51.) Remember that state law may establish lower fees than HIPAA allows or may not allow any fees at all. If you need records and can’t afford to pay, ask for a waiver of fees. Some covered entities may provide some or all records without charge or at a discount, but they are not required by HIPAA to do so.

Standard copying costs can be as much as $1.00 a page or perhaps more. If you want a hard copy of an x-ray, the fee could be considerably more (but an electronic copy may be cost-free if transmitted to you electronically). Many health care institutions hire outside firms to handle copies. Copying hospital records is a business. Insurance companies and lawyers tend to be frequent requesters of records, and copying charges can be expensive because these requesters don’t much care and because there is no competition. The result is that the standard charge per page can be high. Your best strategy may be to narrow your request (see the discussion in FAQ 23 about what records to request) or to obtain an electronic copy of records that are already electronic. Copies of electronic records may be less expensive.


FAQ 22: How Do I Make a Request for Access?

Start by reviewing the covered entity’s copy of the notice of privacy practices. Remember that every covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

The notice of privacy practices describes your right to inspect and to obtain a copy of your record. It should also tell you the local procedure for making a request. You will likely be asked to write a letter or fill out a form in order to make your request for access. A covered entity can insist on a written request and may ask you for identification. Asking for an ID is reasonable because you don’t want someone else to get your records without your consent. However, avoid letting a covered entity make a copy of your driver’s license. Someone with access to your health records may use that copy to make you a victim of identity theft.

When you make a request, the covered entity must act on your request within 30 days. Don’t count on an instant response. The entity can take an additional 30 days to respond if it provides you with a written explanation of the delay. If you need the records more urgently, say so. It might help, but the rule allows the covered entity to wait 30 days or more no matter what. Your doctor might be responsive to your need for fast access, but bigger institutions have procedures and may not be inclined to do anything but the minimum required of them.


FAQ 23: What Records Should I Ask For? The Strategy of Asking for Records.

A covered entity must allow you to inspect or obtain a copy of your record. Some records can be withheld. (See the next FAQ.) Just figuring out who to ask and what to ask for can be complex. Don’t assume that you need a copy of all records from all health care providers and insurers. Obtaining your health records can be surprisingly complicated, may present some hard choices, may be expensive, will require some planning, and can take time. Managing many records from many different providers may be a challenge too. This FAQ tells you about the strategy for requesting health records.

First, copying costs for paper records may be considerable. You may want to think about the costs involved before you ask. A hospital record can have hundreds or even thousands of pages. Think about whether inspecting your records will meet your needs. If you can inspect first, you might be able to narrow your request and cut the cost. Copies of electronic records may be much less expensive than copies of paper records.

Second, if you have been using the same hospital or doctor for 20 years and the reason for your request relates only to your treatment from your last visit, you might limit your request to recent records, or records dating back one visit, one month, or one year. The same idea may work if you want records from your insurer.

You may not know which records you need at first. The point is that you want to obtain records that you think are relevant, but you may not want every record from every HIPAA covered entity. Most people have had dozens of health care providers and insurers in the course of their lives. Many records will not be important or worth the time and effort to find for most people. Old records from individual practitioners may be hard to locate and obtain. However, hospitals and other long-standing institutions are more likely to have older records, although they may be in storage offsite.

If you want your records because you think you might have been a victim of an identity thief, you will find some more specific advice at the World Privacy Forum’s FAQ for medical identity theft victims.

It is possible that a thief used your name to obtain services from a health care provider, clinic, pharmacy, or laboratory that you never used yourself. Don’t be surprised if the trail leads you to unexpected places.

One part of the health care world that few people recognize is the Pharmacy Benefit Manager or PBM. A PBM is a company that contracts with managed care organizations, self-insured companies, government programs, and other insurers to manage pharmacy network management, drug utilization review, and other activities. A PBM is likely to be the organization that fills your drug prescriptions by mail. A PBM may have relevant records. Your health plan hires the PBM, and you may have to seek access to PBM records through the plan. The notice of privacy practices should tell you what you need to know on this front, or it should tell you how to find out. PBM records may duplicate records that exist elsewhere, but they can be important sources of information at times. If you are seeing more than one doctor, clinic, or hospital, PBM records tend to include information from different providers.

Third, asking for a copy of your complete paper health record may provide more information than you need. It may also be especially expensive. Your health records may include results of x-rays and other diagnostic tests that may be costly to duplicate.

On the other hand, if records are electronic, it may be easy and inexpensive to obtain an electronic copy of everything or almost everything. If the covered entity has electronic records, it must give them to you in electronic form if you want them in that form. You can ask for hard copy of electronic records, but the cost might be higher. Not all electronic records can be printed on paper. You can obtain electronic records in the format you want if the covered entity can reasonably provide them in that format.

Consider how you might limit your request for access so that you limit your costs. See if you can talk to someone in the record keeper’s office when you make a request so that you can negotiate what you really need. One idea is to not ask for a hard copy of an x-ray unless you know that x-rays are essential. Even then, an electronic copy may be sufficient. If other records are especially expensive to duplicate, you may want to defer asking for those records too. Ask for a price list before requesting all records. Another idea is to ask to inspect your records first so you can decide which parts you want to have copied.

Fourth, once you receive some records, you may be able to focus your later requests. You may find that the provider used a lab or other independent provider that will have some of your records that you may want to have or that you may want to inspect.

Finally, copying of electronic records can be very inexpensive. If you want a copy of all of your electronic records, you can ask for them. It’s a reasonable approach. Understand that the records may not arrive in a single, chronological file, however. You may receive many different files in different formats.

If you are planning to maintain your own health record archive for your lifetime, remember that computer record formats may change over time. Some formats go out of date. For example, it can be difficult or impossible today to read a file saved by a 1992 word processing program. Consider asking for records in formats likely to remain in use in the long run. Experts think that PDF may be one of those formats, but there may be others. This can be a complex issue to assess.


FAQ 24: Can a Covered Entity Withhold Any of My Medical Records?

Yes. In some situations, a covered entity can withhold records.

First, the right of access under HIPAA does not extend to psychotherapy notes, materials compiled for litigation, and some laboratory records (non-CLIA labs). A non-CLIA lab is typically a lab that does research work. By the way, CLIA stands for the Clinical Laboratory Improvement Amendments, and you can find more information at It is a complicated law, and most patients don’t have to worry about CLIA issues.

Second, a covered entity can deny you access to some records, including records maintained by a prison, some records of research participants, and records obtained from someone other than a health care provider under a promise of confidentiality. The HIPAA privacy rule does not require a health care institution to allow you to appeal the denial of these records, but some institutions might accept an appeal if you file one. Read the notice of privacy practices to learn if there is an appeal option. We recommend that you appeal to the head of the institution (or to the privacy officer) even if you don’t have the right to do so. An appeal may result in a review of the initial decision. If it doesn’t, then you only invested the energy of writing a letter.

Third, a covered entity can deny you access to some records if a licensed health professional determines that access is reasonably likely to endanger the life or physical safety of you or another individual. Records about other people can be withheld if a licensed health professional has determined that access is reasonably likely to cause substantial harm to that individual or another person. Requests made by an individual’s personal representative can also be denied if disclosure would cause substantial harm. If an institution withholds records for any of these reasons, it must provide a written denial explaining the reason for the denial. It must also explain any appeal rights that you have.

Remember that state law may grant you greater access rights than HIPAA. If state law has an access provision for health records – and many states do – then you may be able to obtain records exempt under HIPAA. If a federal agency has your records, rights of access under the Privacy Act of 1974 may be greater than the rights under HIPAA.



C. Right to Request Confidential Communications (FAQ 25 – 28)


FAQ 25: What is the Right to Receive a Confidential Communication?

You have the right to ask a health care provider to communicate with you by alternative means or at alternative locations. This means, for example, that you can ask your fertility clinic not to call you at work or to send you an email notification of an appointment. You could ask your psychiatrist not to leave a message about an appointment at your home telephone voice mail. You might also ask a specialized clinic not to send you a post card reminder of your appointment but to use a closed envelope. A provider must accommodate reasonable requests. We think that all of the examples in this paragraph are generally reasonable. We also think that asking for written communications – including bills – to be in plain envelopes with no identification of the provider in the return address is also reasonable.

The right to receive a confidential communication is a real right that may be important to you. Not everyone will care or will care all the time. You may not object to a postcard from your dentist reminding you to make an appointment to have your teeth cleaned. However, many people would likely object to receiving a postcard informing them about a follow-up visit to a sexually-transmitted disease clinic.

The right to receive a confidential communication is important because a provider doesn’t need express permission to contact a patient at home or to leave a message on an answering machine. For a patient who doesn’t want others in his or her family or household to know about a form of treatment, exercising the right to receive a confidential communication will be crucial. For some, this right may provide a vital privacy protection that makes the greatest difference to their life or wellbeing.


FAQ 26: How Do I Exercise the Right to Receive a Confidential Communication?

A provider may require you to make your request for confidential communications in writing. Read the notice of privacy practices to find out the local procedure. In a small office, an oral request may be sufficient. Still, if you orally tell the receptionist not to call you at your office, the doctor may not know about your request. A written request may be safer because it creates a formal record of the request. You should keep a copy of your written request.

The rule says that a provider must permit a patient to make a request, but it does not expressly say that the provider must respond at all, or in writing. However, a provider must agree to a reasonable request. You would be well advised to ask for a written acknowledgement and to save the acknowledgement. If you only receive an oral response, you might want to send a written confirmation to the provider, and keep a copy of your confirmation. The written confirmation should summarize the request and identify the person who agreed to comply. Ask the provider to respond if the summary is incorrect.

You do not have to tell the provider why you made the request. Indeed, the rule expressly prohibits a provider from requiring an explanation as a condition of fulfilling the request. However, the rule does not prohibit the provider from asking for your reason. You don’t have to disclose your reason if you don’t want to.


FAQ 27: Does the Right to Receive a Confidential Communication Apply to Health Plans?

Yes, but the rule is a bit different. To make a request to a health plan, the individual must clearly state that the disclosure of all or part of the information could endanger the patient. The plan may require that a request contain a statement that disclosure could endanger the patient. The plan can demand a written request.

It is not apparent, however, that the patient must identify what the harm is. The statement that disclosure could endanger the patient seems to be enough. Perhaps the most likely example of endangerment is a threat of domestic violence. A battered spouse may not want information about her location or activities to be accessible by her batterer.

We can’t be sure about everything that might constitute endangerment. We suggest taking the position that it is up to the patient to decide what it means. If you say that disclosure could be potentially endangering or merely embarrassing, that’s enough to convince us. If a disclosure to the wrong person might persuade you to stop seeking treatment, we would argue that also constitutes endangerment. We can’t predict how plans will respond, but we emphasize that plans must accommodate reasonable requests. Asking to send mail to an alternate address (physical or email) strikes us as reasonable. Asking for phone calls only to your cell phone and not to your home phone also strikes us as reasonable. Asking for messages to be sent by carrier pigeon will not be viewed as reasonable by anyone.


FAQ 28: Are There Any Other Requirements for the Right to Receive a Confidential Communication?

A plan or provider can condition the accommodation on the patient providing an alternative address or means of contact for information about how payment will be handled. This means that you can’t ask someone to send all bills to the White House unless you are the President.

There’s an exception for emergencies. No matter what restriction a covered entity agreed to, it can ignore the restriction if the information is needed to provide emergency treatment. Fair enough.



D. Right to Request Amendment (FAQ 29 – 36)


On our list, the right to request an amendment of your health record is only the fourth right out of seven. Normally, access and amendment go hand in hand. We list amendment lower because the limits on the amendment right seriously undermine its utility. Nevertheless, if you can use it, the right to request an amendment may be important to you.

We want to underscore that the law does not give you a right to amend your record. You only have a right to request an amendment. We see this as a reasonable implementation of a patient’s interest in amending a record. The record keeper has rights and interests as well as the patient, and these rights and interests deserve respect too. You cannot, for example, reasonably expect your doctor to change the record so that it no longer shows that you were treated. A doctor has a legal and professional obligation to maintain treatment records.

This part of HIPAA comes as a surprise to many who believe they have a right of outright deletion. This is not the case.


FAQ 29: How Do I Make a Request for Amendment?

Start by obtaining a copy of the notice of privacy practices. You may already have a copy. If not, each HIPAA covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website). The notice of privacy practices describes your rights, including your right to ask for an amendment. The covered entity’s notice will tell you where to submit your request for amendment.

You might be asked to write a letter or fill out a form to make your request for amendment. You might be asked to tell the record keeper what information is wrong or is not about you. You may have to explain why you want the amendment.

When you make a request, the covered entity must act on your request within 60 days. The entity can take an additional 30 days to act if it provides you with a written explanation of the delay.


FAQ 30: Can I Ask that Incorrect Information be Removed From My File?

Yes, but it may not be that easy. A HIPAA-covered entity does not necessarily have to remove incorrect information. It can mark the information as incorrect and add additional notes that show the correct information.

There is a reason for this policy. Suppose that your doctor suspects that you have an infection. Before the test results come back, the doctor prescribes an antibiotic. When the test later shows that you didn’t have the infection, the doctor tells you to stop taking the antibiotic.

Now suppose that you ask the doctor to remove the initial diagnosis of an infection. If the information is totally removed, it will be impossible for the doctor to explain or justify the prescription for an antibiotic. It may not be appropriate to remove the entire incident from the record because the doctor will be unable to explain the treatment provided or the bill for the services. The doctor also needs to keep the record in the event that there are complications from the drug. The doctor rightly needs a history of the treatment for his/her protection for both legal and medical reasons. Your health record isn’t just about you. It’s about your provider too.

Health care providers are typically nervous about removing information from health records. For the most part, they have a reasonable concern for the reasons explained above. However, when the information in your health record is not about you, the provider’s concern is weaker. When the information in your record is not about you and the presence of the information did not affect your subsequent care, the argument for removal is stronger. For example, if your record includes a lab slip belonging to another patient, it may be appropriate for the record keeper to remove the slip entirely and put it in the right record.

However, if the incorrect information did affect your treatment – even if that treatment was inappropriate – then retaining some or all of the incorrect information (suitably marked as incorrect and including a full explanation) may be legally and medically justifiable. You may be able to negotiate with the provider about how the information should be marked or otherwise segregated from your medical record.

The problems faced by medical identity theft victims seeking amendment of their record can be particularly difficult. See the World Privacy Forum’s FAQ for identity theft victims at


FAQ 31: What Other Limits Are There on the Right to Seek Amendment?

A covered entity does not have to amend a record that it considers accurate and complete. It does not have to amend a record that is not available for inspection by you under the access provision.

More importantly, a covered entity is not required to amend a record not created by the covered entity. That means if the information in your record came from any third party – including another provider, an insurer, a relative, or anyone else – the covered entity has no obligation to amend your record or even to consider your request. We find this limitation on the right to seek an amendment to be unfair, inappropriate, and dangerous. Be aware that state law may not have the same limitation on amendment rights.

The covered entity must consider your request for amendment of third-party information if you provide a reasonable basis to believe that the originator of the information is no longer available to act on the requested amendment. Thus, if the record contains information from a previous physician who is no longer in practice, you may be able to force your current provider to consider amending information supplied by that physician. We note that it can be difficult to prove that the originator of information is unavailable, and an uncooperative covered entity can string a requester along if it doesn’t want to deal with a request for amendment honestly.

If the covered entity that is the originator of the incorrect information is available but does not act on a request for amendment, the information in the subsequent covered entity’s record may be just as wrong and could have a continuing detrimental effect on the patient. This can present a real Catch-22 for patients.

In most circumstances, a health care provider will act reasonably to verify information that may affect patient care. For example, if you tell your surgeon that you think that your blood type is A, the surgeon is not likely to cavalierly accept contrary information just because it came from a third party. Any health care provider is likely to be suitably concerned about the possibility of a medical error based on wrong information.

However, there may be real problems with third party information in some circumstances. Health insurers may not be as worried about an error, especially if the error provides an excuse to deny a claim.


FAQ 32: Do I Have Greater Amendment Rights under State Laws, other Federal Laws, or Hospital Policies?

Maybe. Some states have health privacy laws that provide greater rights of amendment. If your records are held by the federal government (e.g., Medicare, VA, or Indian Health Service), your rights to ask for amendment of records under the Privacy Act of 1974 may be greater than under HIPAA. These two sets of privacy rules overlap, and you are entitled to the best parts of both laws. Not only may other laws provide patients with better amendment rights than HIPAA, but they may offer better remedies and clear causes of action in case you have to sue to correct records.


FAQ 33: What Happens When a Covered Entity Agrees to Make an Amendment?

The covered entity that agrees to make an amendment must:

• Make the amendment;

• Tell the requester what it did; and

• Make reasonable efforts to inform others about the amendment within a reasonable time.

The third requirement is most noteworthy. If you convince a covered entity to amend your record, the covered entity must tell any persons that you identify who received the original incorrect information and who need the amendment. In addition, the covered entity must notify any persons who have the information that was the subject of the amendment and who may have relied or could foreseeably rely on the information.

To make sure that amendments have been appropriately distributed, you may want to ask for an accounting of disclosures. The right to receive an accounting is explained elsewhere in this guide. (See FAQs 37-44.) What is important is that amendments be provided to those who may rely on the original incorrect information. Each patient has the right to tell a covered entity to send the amendment to anyone who received the original information and needs the information.

Be sure to ask that any amended information that bears on your future medical treatment be shared with other providers. Similarly, be sure to ask that amended information that bears on insurance and payment matters is shared with insurers and, possibly, with employers. The goal is to find and eliminate any incorrect information that others have and that may affect you adversely.

It may take considerable effort to make sure that every appropriate person has the information and that those with the information correct their own records. Every covered entity must act when it receives a notice of amendment, but that doesn’t mean that it will be done quickly or properly. It may be appropriate to ask each covered entity that received an amendment to confirm that it actually made the amendment. You may have to request a copy of your record from that covered entity to be certain. Should you do all of this? It may depend how important the information is to your future treatment.

Be aware of any Health Information Exchanges that may impact where your records are located. For example, covered entities in some states exchange electronic health records through a third party called a Health Information Exchange. Ask about the presence of an exchange or network so you can locate all of the copies of your records. As health records and health networks expand, some aspects of seeing and amending records may become easier. But some things may be harder, especially if no entity has clear responsibility for a health record. This is an evolving area, and there may be a lot of learning for everyone to do.


FAQ 34: Can I Appeal if a Covered Entity Refuses to Make an Amendment?

Maybe. An institution must accept complaints about its health privacy policies and practices. Filing a complaint with an institution may not be the equivalent of filing an appeal of a denial of a request for amendment, but it may help if it forces someone new at the covered entity to review your request. However, some institutions may accept formal appeals. Consult the institution’s notice of privacy practices to see if there is an appeal method for a denial of a request for amendment. Talk to the privacy officer at the covered entity to see if you can obtain help.

You can also complain to the Secretary of the federal Department of Health and Human Services about how your request was handled. The Department’s Office of Civil Rights processes complaints. You can find information about the process at

You have another alternative. When a covered entity denies your request for amendment, it must tell you that you can request the covered entity to provide a copy of your request for amendment with any subsequent disclosure of the disputed information. In some instances, it may be important to make the request. Remember that the covered entity is not required to tell others about the dispute unless you ask. Read FAQ 35 for more information about other remedies if your request is denied.


FAQ 35: Are There Other Remedies if My Request for Amendment Is Denied?

Yes. You have the right to file a written statement of disagreement, and that is an important right. When a covered entity denies your request for amendment, it must tell you about this right.

The statement of disagreement gives you the opportunity to explain your side of the story. The covered entity can reasonably limit the length of the statement of disagreement, so don’t plan on writing a novel-length document. We also suggest that your statement should be factual and should refrain from making personal attacks on anyone involved in the process.

The covered entity can prepare and circulate a rebuttal to your statement of disagreement. If it does so, it must provide you with a copy of its rebuttal.

HIPAA offers another protection even if you don’t file a statement of disagreement. The rule requires a covered entity that received and denied an amendment request to append or link the record in question to your request for amendment if you ask it to do so. The purpose here is to make sure that whoever sees the disputed record will also see the request for amendment. If you ask for a change and it is denied for a good reason, you may not want to ask that your request be shared. However, if you still disagree and you want others to know your views, then you should ask. One reason to ask to inspect or have a copy of your record is to see if the covered entity properly handled this requirement.


FAQ 36: Can a Covered Entity Still Disclose The Information that I Disputed?

Yes, but HIPAA offers additional rights. First, if you submitted a statement of disagreement, the covered entity must disclose it when it discloses the disputed information.

Second, if you choose not to submit a statement of disagreement, the covered entity must include your request for amendment (and its denial) along with any subsequent disclosure only if you requested that the covered entity do so. If you ask for a change and it is denied for a good reason, you may not want to ask that your request be shared. If you still disagree and you want others to know your views, then you should ask.



E. Right to Receive an Accounting of Disclosures (FAQ 37 – 45)


FAQ 37: What’s an Accounting of Disclosures?

For a disclosure of medical information about an individual, an accounting is a record of:

• The date of the disclosure

• The name of the person or entity who received the information

• A brief description of the information disclosed

• A brief statement of the purpose of the disclosure (or, as an alternative, a copy of the request for a disclosure).

The non-intuitive term accounting comes from an older privacy law. It’s clearer to think of an accounting as a disclosure history. We will stick with the rule’s accounting terminology here because it is used commonly in HIPAA circles.


FAQ 38: Why Should I Care about Accounting of Disclosures?

Many patients won’t care, and that is okay. However, the accounting of disclosures can be crucial in some instances. You may want to ask for an accounting if you think that your records were improperly disclosed, if you think that you may be a victim of medical identity theft, or even if you are just curious about the circulation of your medical records. Be warned, however, that if you ask for an accounting, the response is likely to undermine whatever faith you had that your medical information is confidential. Records may be disclosed to other institutions that have nothing to do with your treatment or the payment for your treatment.

The accounting of disclosures will be invaluable if you need to follow the trail of your information and learn who has information about you. If you corrected your record through the amendment process, the accounting should allow you to find out who received the original information and who received the corrected information. It provides a way for you to tell whether the covered entity properly distributed the amendment.

The accounting may reveal some disclosures that are normal (e.g., to your health plan). You may also learn that the covered entity disclosed your records to a researcher, public health agency, or government auditor. These disclosures may not have any immediate consequences for you, but you may be either interested to know about the disclosures or unhappy that they occurred.

However, if you learn that your records were disclosed to law enforcement or health oversight agencies, you might have reason to worry that the information disclosed will be used against you in some manner. By learning the purpose of each disclosure, you will be better able to make judgments.


FAQ 39: How Do I Make a Request for an Accounting of Disclosures?

Start by obtaining a copy of the notice of privacy practices that your provider or insurer publishes. You may already have a copy. If not, each HIPAA covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

Follow the directions for a request in the notice. You might be asked to write a letter or fill out a form in order to make your request for an accounting. The covered entity must act on a request for an accounting within 60 days, but it can extend the time limit for another 30 days if it provides a written explanation of the delay.


FAQ 40: Who Has to Provide Me with an Accounting of Disclosures?

Any HIPAA covered entity must provide a copy of an accounting of disclosures. For most individuals, your health care providers (doctors, hospitals, laboratories, pharmacies, etc.) and health insurers (HMOs, health plans, Medicare, etc.) will have accounting records that you may want. You may also want to ask your Pharmacy Benefit Manager or PBM. A PBM is a company that contracts with managed care organizations, self-insured companies, and government programs to handle pharmacy network management, drug utilization review, and other activities. A PBM is likely to be the organization that fills your drug prescriptions by mail.


FAQ 41: What does it Cost to Obtain an Accounting of Disclosures?

You are entitled to receive at no charge one copy of the accounting of your medical record in any 12-month period. If you make more than one request, the institution may impose a reasonable, cost-based fee. The institution must tell you the cost in advance so you have a chance to modify or withdraw your request.


FAQ 42: What are the Limitations of an Accounting of Disclosures?

Limitations in the HIPAA rule make the accounting of disclosures much less valuable than it should be. First, covered entities do not have to account for all disclosures. They don’t have to keep an accounting of disclosures for treatment, payment, or health care operations. Most disclosures are likely to be for one of these purposes so this loophole is large.

Second, covered entities also don’t have to keep an accounting of disclosures if you authorized the disclosure. That means that you may not be able to track if the covered entity actually disclosed records as you directed. If you casually signed an authorization that allowed the disclosure of any or all information about you (e.g., for a background check), a covered entity can disclose your entire medical record and not even keep a record that it did so. This is another large loophole.

Third, health care institutions do not have to account for uses. A use of information occurs when a record is made available to someone within the institution that maintains the record. A disclosure occurs when a covered entity shares a record with someone outside the covered entity. The accounting requirement only covers some disclosures and no uses.

If you are hospitalized, hundreds of different individuals in the hospital may see your record. The use exemption to accounting can seriously undermine your ability to hold an institution accountable for leaks or other inappropriate activities. Still, in hospitals with modern computers, there is a greater likelihood that a complete audit trail, including uses, will be maintained routinely. Unfortunately, HIPAA does not expressly require that a covered entity share that audit trail for uses, although there may be an argument that disclosure of an entire audit trail is required otherwise by HIPAA or by state law. Ask for a copy of the entire accounting because a reasonable institution will share it with you. Institutions with computerized systems that track all activity might find it easier to provide a requester with the entire history rather than part of it. However, they are not required to do so. It doesn’t hurt to ask.

Fourth, sometimes a covered entity must withhold a particular accounting record from an individual who requests a copy of the accounting. A covered entity may make some disclosures to law enforcement, for example, without telling the record subject for a limited time.

Fifth, the HIPAA requirement for an accounting started on April 14, 2003. A health care institution covered by HIPAA did not have to maintain accounting records before that date.

Finally, perhaps the biggest limitation is that the federal health privacy rule does not require an accounting of disclosures for treatment and payment. This means that a lot of information that you would want to find in an accounting will not be available. Covered entities also don’t have to tell you about disclosures for health care operations, an expansive category that covers many management and other functions.

For example, if a hospital gave care to someone in your name and billed your insurance company, you would want to know the details. You may not be able to obtain that information from the accounting of disclosures. Even worse, if a hospital told a credit bureau or collection agency that you did not pay your bill (i.e., a bill run up by an identity thief), the accounting may not reveal the disclosures. These disclosures may be exempt from the accounting requirement because they fall within the exception for disclosures for payment and health care operations.

Sidebar: In 2011, HHS proposed changes to the accounting for disclosures rule. As of 2013, the changes have not yet been made final. It may be a while before covered entities must implement the changes. As proposed, some of the accounting changes were better for patients and some were not. We will have to wait and see when and what will happen.


FAQ 43: Why Bother Asking for an Accounting if It Has so Many Loopholes?

Why seek an accounting of disclosures? First, obtaining a copy of the accounting is free. All you have to do is fill out a form or write a simple letter.

Second, an accounting may help even if it isn’t complete. You should be able to learn something about how the covered entity disclosed your records from the accounting. It may point you to some record keepers you didn’t realize had records about you.

Finally, even though there are many exceptions to accounting, some institutions will nevertheless have a record about disclosures (and even uses) even though the records are not required by HIPAA. If you ask for more, you might just get what you want. Nothing in HIPAA prevents a covered entity from providing a more complete accounting than the minimum required by the rule.


FAQ 44: Do I have Greater Rights under State Laws, Other Federal Laws, or Hospital Policies?

Maybe. A few states may have health privacy laws that require health care institutions to maintain better accounting records or to disclose more accounting records to you. If your records are held by the federal government (e.g., Medicare or VA), your rights to have a copy of an accounting under the Privacy Act of 1974 will be greater than under HIPAA. These two sets of privacy rules overlap to your benefit. See FAQ 2 to find other online resources that may help you understand state laws.


FAQ 45: What’s the Best Strategy for Making a Request?

You only are entitled to one free request in any 12-month period. Think about the best timing to make that request. If you learn that you were a medical identity theft victim two years ago, you probably should make the request right now. However, if the reason you are asking relates to a current activity (perhaps a hospitalization that just ended), it can take time for your records to be updated. Actions that follow a hospitalization, such as submitting a bill to an insurer or to the government, may not occur immediately. You might want to wait a week or two before asking for the accounting. If the institution’s privacy officer is helpful, the officer may be able to offer useful advice about timing.



F. Right to Complain to the Secretary of HHS (FAQ 46 – 50)


FAQ 46: Can I File a Federal Complaint about a HIPAA Problem?

Yes. Any person who believes that a covered entity is not complying with the HIPAA privacy rule may file a complaint with the Office of Civil Rights at the Department of Health and Human Services. You do not have to be a patient of a health care provider or a beneficiary of a health insurance plan to file a complaint. For example, if you visit a relative in the hospital and see a violation, you can file a complaint.

You can find information about the complaint process at There is a list of regional offices at including phone numbers. OCR wants you to file a complaint at the regional office for your state, and the website provides addresses and fax numbers. However, OCR doesn’t necessarily make it easy. There is no email address for each regional office. If you look hard enough through the OCR website, you will find that you can submit a complaint by email to An emailed complaint does not require a signature.

OCR has a complaint form that you can fill out at The complaint website has information in other languages about how to file a complaint. You can use email to ask questions or to get help. You can e-mail OCR at, but there’s no guarantee that you will get a response.

In recent years, OCR opened a large number of investigations in response to complaints from individuals and from other sources. The total number of investigations that found a violation of HIPAA privacy and security rules averaged 2000 a year for the last ten years. That is a lot of violations and a lot of activity by OCR. There’s a reasonable chance that a well-founded complaint will result in a review and change. Filing a complaint with OCR should be worthwhile.


FAQ 47: What Information Belongs in a Complaint?


The Office of Civil Rights at HHS wants a complaint to be signed and to include:

• Your name, full address, home and work telephone numbers, email address.

• If you are filing a complaint on someone’s behalf, provide the name of the person on whose behalf you are filing.

• Name, full address and phone of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy Rule.

• Briefly describe what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or the Privacy Rule otherwise was violated?

• Any other relevant information.

• Your name and the date of the complaint.

Optional information that OCR requests includes:

• Do you need special accommodations for us to communicate with you about this complaint?

• If HHS cannot reach you directly, is there someone else to contact?

• Have you filed your complaint somewhere else?


FAQ 48: Will Filing a Complaint Really Help?

There’s now a reasonable chance that filing a complaint will produce a response and may lead to action. For a long time, enforcement of the Rule by the Office of Civil Rights was rare. In the last few years, OCR has become much more aggressive in enforcing the HIPAA privacy and security rules. Some of the penalties imposed on covered entities run into the millions of dollars. If you file a complaint, it should receive appropriate attention. Remember, however, that the Privacy Rule complaint process is for HIPAA complaints. OCR receives and rejects many complaints because they are not about HIPAA matters.

We wouldn’t hesitate to file a complaint if we thought that a covered entity violated HIPAA. But we remind you that filing a complaint may have the effect of spreading your health information around more widely. Not all complaint investigations will involve disclosure of the intimate details of your medical history, but some may. It is for you to judge whether a complaint will invade your privacy more than you can tolerate. Nevertheless, if you are just trying to get a hospital to respond to your request for a copy of your record, the additional threat to privacy may be small and your complaint to OCR may help you get what you want.


FAQ 49: What Should I do if I See a Privacy Violation?

Now that the complaint process is working, filing a complaint with OCR has real potential to help. There is a real reason for the public to show interest in privacy laws and to use the process to protect individual rights guaranteed by law.

However, we think that the first step should be to complain directly to the covered entity that did something you think was wrong. Each covered entity has a privacy officer, and the name, address, and telephone number of the privacy officer should be included in the notice of privacy practices. Everyone makes mistakes, and everyone deserves the chance to make things right. It is also important for covered entities to know that people pay attention to privacy and that people care when privacy violations occur.

If the covered entity does not satisfy you, then you can look elsewhere. We don’t think that every minor violation should become a federal case. Our first choice is to complain locally about any violation. If you do not get satisfaction locally, then consider a complaint to OCR. Remember that filing a formal complaint may bring more attention to you and to your health record. You may want to be guarded about how much of your personal medical information you include in the complaint. In other words, the complaint process may further invade your privacy.

Here are some ideas if you want to pursue a federal complaint.

• Complain to OCR as described above.

• If you do complain to OCR, consider sending a copy of your complaint to your congressman or senators. Ask them to write to the Secretary of HHS and report back about what happens to the complaint. When an elected official writes to an agency on behalf of a constituent, the constituent’s file gets a pink slip, and that may get your complaint faster attention. The downside may be sharing your personal information more widely.

• You might be able to complain to a state official. Every state has a health department and an insurance department. If your complaint is about a health care provider, complain to the health department. If the complaint is about an insurer, complain to the insurance department.

• Health care providers hold licenses from state boards. If the violation is serious, see if the state licensing board accepts public complaints.

• If your problem is newsworthy and you are willing to make it public, you might look for a local reporter who covers health issues and who may be interested in your story. Remember that going public may just make the privacy violation worse, but it may get better results. A hospital may be very unhappy to see a news story that said it violated someone’s privacy or denied a patient rights guaranteed by law. A call from a reporter may produce a response that you couldn’t get on your own.

• Use the Web. You may find websites where you can post your story and the basics of your complaint. Posting a complaint about a health care provider may help others and may be satisfying all by itself. If you post information publicly, be sure that you are not revealing too much of your personal health information.

• Tell your friends and neighbors. A national insurance company may not care what you say. However, local providers and local hospitals care a lot. A bad reputation can result in the loss of clients and revenues.

• You may be able to file a lawsuit. HIPAA does not provide patients with the right to sue covered entities. However, other laws may allow you to sue. If the courts recognize that HIPAA establishes a standard of care, then it may be possible to sue for breach of contract, malpractice, violation of standards of professional conduct, or on other grounds to enforce HIPAA requirements. However, remember that lawsuits are not fun, take a long time, and can be expensive. Finding a lawyer willing to take a privacy case can be hard. Obtaining monetary damages can be highly uncertain. Lawsuits are remedies you should consider pursuing only after you tried other potential remedies and then only for major problems.


FAQ 50: Should I Worry that a Covered Entity will Retaliate if I File a Complaint?

Each covered entity’s notice of privacy practices must say that there will be no retaliation against a person who files a complaint. We would like to believe that.

But in the real world, there are no guarantees. We have seen, for example, a notice from a hospital that says – as required by the rule – that there will be no retaliation. The next sentence in the notice says more ominously that the hospital reserves the right “to take necessary and appropriate action to maintain an environment that serves the best interests of our patients and staff.” We have no idea what that means or why the hospital chose to add that statement directly after the required language about not retaliating. But it sure sounds like a threat to us.

We would be happier to see a privacy notice that included a statement to the effect that the hospital reserves the right to take additional actions to protect the privacy of its patients. However, hospital lawyers don’t like statements like that, lest they be interpreted to oblige the hospital to do more than the bare minimum.



G. Right to Request Restrictions on Uses and Disclosures (FAQ 51 – 53)


FAQ 51: What is the Right to Request Restrictions on Uses and Disclosures?

The right to request restrictions is the least meaningful of the seven HIPAA patient rights. A covered entity must allow a patient to request a restriction on the uses or disclosures of the patient’s information to carry out treatment, payment, or health care operations. A patient can also ask for a restriction on disclosures to a family member, relative, or close personal friend. However, there’s a new element that came with the 2013 changes. You have the firm right to demand (not just request) that a provider not disclose PHI to a health plan if the disclosure is for treatment or payment, the disclosure isn’t required by law, and if the PHI pertains solely to health care for which the patient (or someone on behalf of the patient) paid in full. We’ll explain that new option in the next FAQ. It’s well-intentioned but very messy to use.

You can read later in this document about the scope of permissible uses and disclosures for treatment, payment, and health care operations. (See FAQs 56 & 57.)  No covered entity needs your consent to make disclosures for those purposes. Health care operations is a particularly broad term that includes many activities that are in the interest of the covered entity and not necessarily in the interest of the patient.

FAQ 52: Why is the Right to Request Restrictions Almost Meaningless?

The rule does not require a covered entity to agree to a restriction requested by a patient. The covered entity does not have to agree even if the patient’s request is reasonable. Contrast this provision with the right to request confidential communication.  (See FAQs 25-28). A covered entity must agree to a reasonable request for confidential communication. However, if you ask for a restriction on use or disclosure, the covered entity does not have to agree, does not have to state a reason for denying a request, and does not have to even respond to your request. Because it is a patient right without a corresponding obligation on the part of a covered entity, we conclude that the right is almost meaningless.

It gets worse. The rule expressly provides that some restrictions that an institution might agree to are not effective. These are uses or disclosures that are permitted for facility directories (separate rules govern facility directories), to the Department for oversight of the rule, or for any of the scores of other permissible disclosures allowed under the law. Thus, if an institution agrees to your request not to make a discretionary disclosure to the Central Intelligence Agency, that agreement is not effective under the rule.

In the event that a covered entity agreed to a patient request and then violated the agreement, OCR might respond to a complaint from the patient. However, if OCR took aggressive action, covered entities would see that as a reason not to agree to any restrictions. Enforcement would only add to the existing disincentive to agree to disclosure restrictions. To be blunt, there is not much in it for a covered entity that agrees not to disclose other than potential liability. A patient who had an agreement from a covered entity might be able to enforce the agreement through a complaint about professional misconduct or through a legal action for breach of contract. This is all rather hypothetical because it will be hard to convince any covered entity to agree to your request in the first place. It would be much easier to enforce an agreement if it were in writing.

It is unlikely that any large institution will agree to any restriction on use or disclosure. It is conceivable that you might get a small provider – e.g., a psychiatrist in a solo practice – to agree with your request. A bigger institution – especially one with a staff of lawyers – will probably never agree. Frankly, trying to get a voluntary agreement for a large covered entity is not likely to be worth the time and trouble. We would be happy if it turns out that we are wrong.

The 2013 change offers a new and mandatory restriction. You have the firm right to demand (not just request) that a provider not disclose PHI to a health plan if the disclosure is for payment or health care operations, the disclosure isn’t required by law, and if the PHI pertains solely to health care for which the patient (or someone on behalf of the patient) paid in full.

This looks like it is more helpful than the right to request a restriction. If you meet the terms and make the request properly and in a timely fashion, a covered entity must agree. However, it will be hard for most patients to meet the requirements. As you read the following discussion of the problems with the new mandatory restriction, you will see what we mean.

  • The PHI must relate to fully paid health care: If a treatment included a service partly paid by insurance and partly by you, the treatment does not qualify. So if you have surgery for a deviated septum paid for by your health insurance, with a little added cosmetic surgery at the same time that you pay for, you cannot make a request to keep the cosmetic surgery restricted. You didn’t pay for the surgery solely by yourself. If you pay for a treatment but let your insurer pay for a related blood test, it will probably not qualify as a treatment paid solely by you. It may be hard at times to tell when a treatment for one purpose ends and another one starts.
  • Paying in full may be difficult for many patients. Many patients are not able to afford to pay for their own care. For them, the right will be unavailable. Further, a patient who pays out of pocket may not receive the negotiated lower prices that health plans often pay. The price may be even higher than most patients anticipate. Further, Medicare may prohibit providers from taking any payment from some patients, so the option may not be available when a patient on Medicare uses some providers. At some HMOs, payments by patients for some services are not allowed, even if the service came from someone outside the HMO. When the health plan is also the provider, the right may not be meaningful unless the patient uses a separate provider.
  • The health care system is complicated and interconnected. You may pay for a service out of pocket and tell your doctor not to disclose information to the health plan. Yet if the doctor sends a prescription electronically to a drug store, the drug store may not be aware of the restriction and is likely to automatically query the health plan before the patient has a chance to contact the pharmacy. Even if a patient obtains a paper prescription and takes it to a pharmacy, pharmacies may report the prescription to a pharmacy benefit manager, a state database (e.g., for narcotics), or some other intermediary to which the pharmacy can lawfully disclose the information. The same problem can arise with a laboratory, x-ray facility, or other provider.

A patient seeking to keep treatment information from a health plan will have to think ahead and be adept at finding non-standard ways of managing referrals or ordering tests. Requests to restrict may need to be made in advance of treatment or billing. Covered entities are sure to insist (as the rule allows) that requests be made in writing, and there could be delays before a provider can add a request for a disclosure restriction to the patient’s record and make it effective.

From the perspective of a covered entity, managing a mandatory request not to tell a health plan can be challenging. A health care provider will have to think about how to tag or separate restricted information so that it remains available to those treating patients but does not casually slip off to insurers. Even a provider trying to act in good faith will face problems. All providers will have to think long and hard about how to handle mandatory requests.

For most patients, paying in full out of pocket is not realistic. Some patients have the ability to pay and will want to use the mandatory restriction provision. For example, some individuals receiving mental health treatment are zealously protective of their privacy and pay for their own treatment. Others will also want treatment to be as confidential as possible. For any patient who wants to make use of the mandatory restriction in the Rule, we tentatively offer this advice.

1. Recognize up front that getting a mandatory restriction to work will require a lot of advance planning. Find out the covered entity’s requirements for a mandatory restriction. A provider may require advance notice. Be prepared to make your written request before you make the actual appointment. Come to that appointment with multiple copies of a written request in hand. For a large provider, consider talking in advance to the provider’s privacy officer to make sure that you can meet the provider’s requirements. A larger provider is more likely to have a formal procedure, and you will want to make sure that you do the things necessary to follow that procedure.

2. If the treatment you need normally requires pre-certification from your health plan, you may need to take action well before your appointment. A provider may routinely seek pre-certification on your behalf after you make an appointment if you don’t make it clear that you do not want the information shared with the insurer. Telling your doctor may not be enough if the clerk who handles the pre-certifications does not know about your request. Work this out well in advance with the provider’s administrative staff. Try to talk to the office manager rather than to a receptionist.

3. If you get a referral to a second provider, your request for restriction will not automatically follow with the referral. You have to ask the second provider for a restriction, which may mean doing the same advance work that you did with the first provider. In emergencies, this could prove to be especially difficult or impossible.

4. If you are having an outpatient surgical procedure, it’s possible that the same procedure will involve a surgeon, anesthetist, and a hospital, each of which is a separate provider who bills separately to your health insurer. You are likely to have to make a separate request to each provider. There may well be other circumstances in which a single type of treatment involves more than one covered entity. You will have to ask many questions to be sure.

5. If your provider orders lab tests or x-rays, your request for restriction will not automatically go along with the sample or order. You will have to make the same request for restriction with each subsequent provider (a lab is a provider). You may want to decline to let your provider take a blood sample to send to the lab. Consider getting an order for a test from the doctor. Take the order to a lab, pay in cash, and don’t let the lab bill your insurance company. Remember, however, that the cash price may be much higher than the insurance price. Negotiating an appropriate price may be even more challenging than successfully negotiating a confidentiality request.

6. Make sure that you can pay for your care. If you don’t pay or if your check bounces, a provider may bill your insurance company anyway. If possible, pay for your care at the time of receipt so there is no question about the need to bill your insurer.

7. See if you can arrange for care from a small provider rather than a large provider. A psychiatrist in solo private practice may be much more adept at billing you than a university hospital with many formal procedures, separate billing offices, automated claims submissions, and the like. There’s no guarantee that a small provider will do better, but we guess that you have a better chance. You certainly have a better chance of conveying your request to everyone in a small office than in a big hospital.

8. Consider having the treatment you want to keep confidential from your health plan at a health care provider that you do not see for other types of treatment. If you establish a relationship with a new provider, make it clear that you will pay for the care yourself. You may be able to avoid telling the provider about your insurance at all. A provider who does not know your insurer will find it hard to disclose information to your insurer. Remember to discuss the price of your care, because insurance companies often pay less than the list price for health care. Some providers may fear that you may not pay the bill, and they may demand health insurance information as a backup.

Here’s an example. Suppose that you usually fill your prescriptions at the “ABC Pharmacy” that has your health plan information on file. It could be easy for a pharmacy to accidentally bill your health plan despite your request. It’s also possible that when you fill your next unrestricted prescription, the record of your restricted prescription will go along to the insurer anyway. Avoid the risk, if possible, by filling a restricted prescription at a different pharmacy where you do not do business otherwise. Don’t give the second pharmacy your health plan information.

There’s a real downside here, however. If the new drug conflicts with another drug you are already taking, you could have a serious or fatal reaction. It is important to discuss the issue with the prescribing physician. You could encounter the same type of conflict if you receive care from one provider that your regular provider does not know about. You could endanger your health or even your life. It’s definitely something to consider. You will accomplish nothing if you succeed in protecting your confidentiality while ruining your health or losing your life.

Second example: if you need treatment for a sexually transmitted disease and you don’t want the information to circulate in the health care payment system, go to a walk-in clinic that takes cash. We can’t advise you to use a pseudonym. We don’t know that it is legal to do so. However, some people do. We do not offer legal advice here, but we observe that using a pseudonym when obtaining narcotics may land you in jail.

9. If the provider is part of a local Health Information Exchange, ask about keeping your information out of a shared record system. You don’t have a right to keep one provider from sharing your PHI with other providers, but once information is shared, it is more vulnerable to inadvertent disclosure to your insurer. However, as we just pointed out, it is possible that treatments or drugs from different providers could conflict in some way and endanger your life or your health. There’s an advantage when your provider has a more complete medical history.

10. Remember that the mandatory restriction is new to everyone in the health care system. As should be clear from the above discussion, it raises many complications for patients and for providers. If you happen to be the first person who wants a mandatory restriction, you may have to work carefully with the provider to work out the proper arrangements. Put another way, you may have to be highly motivated and persistent to have your restriction properly honored.

11. Document everything. Keep copies of your restriction request letters. Try to get receipts for the restriction letters. Keep a log of everyone you talked to in every provider’s office and what they said. Write down who you gave your restriction request letter to, what their job is, and when you gave them the letter.

12. Don’t assume that your doctor will remember that you have a restriction demand on file when you show up for a second, third, or tenth visit. Repeat your demand before every appointment, during each visit, and when you check out of the provider’s office. You can’t be too careful. In many offices, providers automatically bill insurers after a visit, and they may do so if you don’t remind everyone about your restriction demand. The right to restrict the flow of information to an insurer is a firm right, not just a request that a provider can decline to honor. You may have to fight to have your rights honored.

13. Unfortunately, we have not yet exhausted the problems presented by the new disclosure restriction mandate. Here’s another possibility. You go to a provider and successfully impose a restriction on disclosure to your health plan. The treatment results in a complication that requires additional treatment, possibly including hospitalization, additional tests, and new prescriptions. If you cannot afford to pay out of pocket for the additional treatment, your health plan will begin to receive claims and may ask why you needed the additional treatment. It is also likely that the additional treatment itself will reveal to the plan something about the treatment that you kept secret.

Here’s another example. You pay out of pocket for a genetic test to see if you have a gene that predisposes you to colon cancer. The test is positive, and you schedule a colonoscopy that you cannot afford to pay for yourself. Your health plan may ask why it should pay for a colonoscopy for someone of your age when the test is only recommended for someone much older. You may be forced to reveal the test and the result that you wanted to keep secret. All the effort and expense that went into keeping the test from your health plan may be wasted in that case.

14. Will a restriction demand really make your health record completely private? Sadly, the answer is no. Don’t get your expectations raised too much. The restriction only applies to disclosures to health plans. Other disclosures allowed by the Privacy Rule – to public health agencies, researchers, law enforcement, private litigants, the CIA, and others – are not affected in any way by a patient’s restriction. Also unaffected are disclosures to other health care providers for treatment. Think about that if you want to undertake the efforts to ask for a restriction and make it work. The right to restrict provides a narrow degree of confidentiality. That may be what you need, but don’t expect any more. Only you can decide if the expense and the effort are worth the limited result.

So why did OCR adopt this messy, complicated, nearly-impossible-to-implement change in the Privacy Rule? Because Congress directed the change in the HITECH Act. It’s a well-intentioned provision, but we have many doubts that it will work well in the real world. We will all find out together over the next few years. If a provider does not provide you with the confidentiality required by law, you can complain to OCR. However, any complaint is only likely to exacerbate the sharing of the information that you wanted kept secret in the first place.

In this FAQ, we emphasized the burden that falls on a patient who wants confidentiality. We observe that HIPAA places most of the responsibility on the provider. We think that providers must do a lot of work to be able to honor patient requests. That is what the law demands. However, a patient who wants privacy must anticipate the problems that a provider faces in honoring a request. The patient will suffer if the request is not handled properly. Indeed, the patient whose request is not successfully handled by a provider will pay twice. First, the patient will lose the privacy protection available under law. Second, the patient will pay for care that a health insurer might otherwise have paid for. A patient will do well to approach a confidentiality request as a joint effort by the patient and the provider.




FAQ 53: Is the Right to Limit Disclosures to Relatives and Friends Meaningless Too?

Not entirely. There is a bit of hope if you want a provider to agree to limit disclosures to relatives and friends. If you tell your doctor or nurse not to talk to a relative, that provider is likely to comply regardless of the rule. The rule doesn’t make those disclosures mandatory. It does, however, make it harder for a patient to obtain or enforce an agreement.

If, for example, you ask your provider not to disclose your diagnosis to your children, the rule requires the provider to document the request. Since formal documentation is less likely to be done for casual requests, any agreement may be unenforceable under the rule. Further, the required formality of the rule allows providers to insist that patients make requests in writing, and most will demand a letter. If you are a patient in a hospital about to receive a visit from a relative, how can you possibly make a written request and get a timely agreement from the hospital?

Even if you do make a written request, the rule doesn’t require any response to your request or any response in a reasonable period. If you are prepared enough to present a formal request at the start of your hospitalization, the hospital could take 30 days or more before it agreed. Your hospitalization will likely have ended well before any response, if you even get a response.

Luckily, while the rule makes these requests to limit disclosure mostly meaningless, the human element that still exists in the health care system may supply what the rule does not. If you make a personal request to your provider, that provider will likely abide by your wishes regardless of the rule and its required formality. Your request may not be legally enforceable under the HIPAA rule, but enforcement may not be important.

Generally, we don’t see much of a reason to bother with formal requests for use and disclosure restrictions, although it remains to be seen if the new right to prevent disclosure to insurers will be meaningful. If you read many notices of privacy practices, you will find that covered entities say that they won’t agree to most requests. That is a polite way of saying that they won’t agree to any requests.

If you want to control disclosures to family members or friends, the formal process under the rule isn’t likely to help you at all. Make your requests orally and informally to your providers, just the same way that patients have always done. Be clear. Be repetitive. Hope for the best. The HIPAA rule does almost nothing for you.


