Your medical information belongs to you. Know your HIPAA rights — access records, correct errors, control your data, and report violations.
📋 Access Your Medical Records
● You have the right to inspect and receive a copy of your health information held by covered entities (doctors, hospitals, insurers, labs).
● They must respond within 30 days. They may ask for one 30-day extension if they notify you in writing.
● They can charge a reasonable, cost-based fee for copying — but cannot deny access because you owe them money.
● You can request records in electronic format if they maintain them electronically.
● They cannot require you to explain why you want your records.
✏️ Correct Errors in Your Records
● You can request an amendment to any information in your record that you believe is incorrect or incomplete.
● The provider has 60 days to respond (one 30-day extension allowed).
● If they deny your request, they must explain why and you may submit a written statement of disagreement to be permanently added to your file.
● If they agree, they must notify others who received the incorrect information.
👁️ Know Who Accessed Your Records
● You can request an 'Accounting of Disclosures' — a record of everyone who received your health information in the past 6 years, for purposes other than treatment, payment, or operations.
● Includes disclosures for research, legal proceedings, public health reporting, and law enforcement.
● The first accounting per year is free. Subsequent requests may have a reasonable fee.
● Submit your request in writing to the provider's Privacy Officer.
🔒 Control How Your Information Is Used
● You can request restrictions on how your information is used or disclosed for treatment, payment, and operations — though they aren't required to agree.
● Exception: if you pay for a service entirely out of pocket, you CAN require them not to share that information with your health plan.
● You can request confidential communications (e.g., calling you only at work, not home).
● You can opt out of the hospital directory — meaning staff won't confirm you're a patient to callers or visitors.
🚨 Report Violations
● File a complaint with the HHS Office for Civil Rights (OCR) at hhs.gov/hipaa/filing-a-complaint
● You must file within 180 days of when you knew (or should have known) of the violation.
● You can also complain directly to the covered entity — they cannot retaliate against you for filing.
● OCR can impose civil fines from $100 to $50,000 per violation (up to $1.9M per year per violation type).
● Criminal violations (selling data, using data for personal gain) can result in jail time.