Your Rights Under HIPAA

Overview: The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects your medical and health information privacy, ensuring you have rights regarding access to your records. Under HIPAA, you can request copies of your health information, understand how it is used, and control who can view or receive it. The main cost components associated with HIPAA-related requests typically include administrative fees for copying, mailing, or preparing records. To avoid unexpected charges, it is wise to ask your provider for a detailed, itemized estimate of any fees before requesting your medical records.

Key Cost Components

  • Administrative processing (labor/time to gather records)
  • Copying fees (per page or flat fee, depending on state law)
  • Mailing or electronic transmission costs
  • Preparation of summaries or explanations (if requested)

Insurance & Payment Advice

  • Insurance generally does not cover the cost of obtaining your own medical records.
  • Check with your healthcare provider for their specific fee schedule and allowable charges under state law.
  • Request records electronically when possible, as this may reduce or eliminate some fees.
  • Ask if fee waivers or reductions are available for financial hardship.

Associated Costs to Consider

  • Additional provider fees for expedited processing
  • Third-party vendor charges if records are managed externally
  • Potential notarization fees if required for certain documents

Actionable Tips

  • Always request an itemized estimate before authorizing record release.
  • Specify the minimum necessary information or date range to minimize fees.
  • Determine if there is a free patient portal where records can be downloaded at no cost.
  • Keep documentation of your requests and any correspondence for your records.

Frequently Asked Questions

  • What is HIPAA and how does it protect my health information? HIPAA is a federal law that sets standards for protecting your health information and gives you rights over how your information is used and shared.
  • Can I access my own medical records under HIPAA? Yes, HIPAA gives you the right to access and obtain copies of your health information from your healthcare provider.
  • Are there fees for requesting my medical records? Providers may charge reasonable, cost-based fees for copying and mailing records, but charges must comply with HIPAA and state law.
  • How can I minimize the costs when requesting my records? Request only the specific information you need and ask for electronic copies, which are often less expensive than paper copies.
  • Do I need to pay for accessing my records through an online portal? Many providers offer free access to records via secure patient portals, so check if this option is available before requesting paper copies.
  • Can I request my records be sent directly to a third party? Yes, you can direct your provider to send your records to another person or entity, but you may be required to sign a specific authorization.
  • How long does it take to receive my medical records after I request them? HIPAA requires providers to respond within 30 days, though some may deliver records sooner depending on their policies.
  • What should I do if I am charged excessive fees? Contact your provider first for clarification; if the issue is not resolved, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.
  • Are there circumstances where I may be denied access to my records? Access can be denied in limited situations, such as if the information could endanger your life or someone else’s, but you are entitled to a review of most denials.
  • Do I have to provide a reason for requesting my records? No, under HIPAA you do not need to provide a reason for accessing your health information.
  • Will insurance pay for the cost of obtaining my records? Health insurance does not typically cover administrative costs related to record requests; these are usually your responsibility.
  • Can I request an itemized statement of the fees before paying? Yes, you have the right to ask for an itemized estimate of all applicable fees before completing your request.

This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.

https://youtube.com/watch?v=FKTHncn-5Vs%3Flist%3DPLACD9536723837201%26hl%3Den_USrel%3D0%26showinfo%3D1%26enablejsapi%3D1%26origin%3Dhttps%253A%252F%252Fwww.hhs.gov%26html5%3D1

Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.

HIPAA Right of Access Videos

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create Your Health Information, Your Rights!, a series of three short, educational videos (in English and option for Spanish captions) to help you understand your right under HIPAA to access and receive a copy of your health information.

HIPAA Right of Access Infographic

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create this one-page fact sheet, with illustrations, that provides an overall summary of your rights under HIPAA:

HIPAA General Fact Sheets

Who Must Follow These Laws

We call the entities that must follow the HIPAA regulations “covered entities.”

Covered entities include:

  • Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
  • Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
  • Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

In addition, business associates of covered entities must follow parts of the HIPAA regulations.

Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. We call these entities “business associates.” Examples of business associates include:

  • Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims
  • Companies that help administer health plans
  • People like outside lawyers, accountants, and IT specialists
  • Companies that store or destroy medical records

Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.

Who Is Not Required to Follow These Laws

Many organizations that have health information about you do not have to follow these laws.

Examples of organizations that do not have to follow the Privacy and Security Rules include:

  • Life insurers
  • Employers
  • Workers compensation carriers
  • Most schools and school districts
  • Many state agencies like child protective service agencies
  • Most law enforcement agencies
  • Many municipal offices

What Information Is Protected 

  • Information your doctors, nurses, and other health care providers put in your medical record
  • Conversations your doctor has about your care or treatment with nurses and others
  • Information about you in your health insurer’s computer system
  • Billing information about you at your clinic
  • Most other health information about you held by those who must follow these laws

How This Information Is Protected

  • Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
  • Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
  • Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
  • Business associates also must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.

What Rights Does the Privacy Rule Give Me over My Health Information?

Health insurers and providers who are covered entities must comply with your right to: 

  • Ask to see and get a copy of your health records
  • Have corrections added to your health information
  • Receive a notice that tells you how your health information may be used and shared
  • Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
  • Request that a covered entity restrict how it uses or discloses your health information
  • Get a report on when and why your health information was shared for certain purposes
  • If you believe your rights are being denied or your health information isn’t being protected, you can

You should get to know these important rights, which help you protect your health information.

You can ask your provider or health insurer questions about your rights.

Learn more about your health information privacy rights – PDF.

Who Can Look at and Receive Your Health Information

The Privacy Rule sets rules and limits on who can look at and receive your health information

To make sure that your health information is protected in a way that does not interfere with your health care, your information can be used and shared:

  • For your treatment and care coordination
  • To pay doctors and hospitals for your health care and to help run their businesses
  • With your family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object
  • To make sure doctors give good care and nursing homes are clean and safe
  • To protect the public’s health, such as by reporting when the flu is in your area
  • To make required reports to the police, such as reporting gunshot wounds

Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot:

  • Give your information to your employer
  • Use or share your information for marketing or advertising purposes or sell your information

Sign Up for the OCR Privacy Listserv 
Keep up-to-date as OCR releases updated health information privacy FAQs, guidance, and technical assistance materials.

Brian Bateman is a seasoned Medical and Dental Researcher and Journalist with over a decade of experience in the healthcare industry. His work is characterized by a deep commitment to providing accurate, comprehensive, and accessible information to patients, families, and healthcare professionals. Brian's expertise spans web development, search optimization, and social media management, particularly for dentists and healthcare providers, making him a valuable resource in the field of medical and dental journalism.

In addition to his research and writing, Brian has a strong technical background, specializing in WordPress development and the Kadence Blocks theme. He creates e-commerce sites, integrates AI chatbots and assistants, and manages security, caching, content delivery, backups, updates, and WHM/cPanel server administration. His current projects include writing extensively on procedure and diagnostic prices for Aurora Healthcare, and covering local events for SheboyganLife.com. Brian's dedication to mastering success and essential strategies for startups is also evident in his work for splinternetmarketing.com.

Similar Posts

  • Patient registration documents

    Contact Information Website: aurorahealthcare.org Overview: During your clinic or hospital visit, you will be required to complete key patient registration documents as part of the intake process. These documents are essential for confirming your identity, outlining your financial responsibilities, and securing your consent for treatment. The registration fee primarily covers administrative processing, verification of insurance,…

  • Aurora Health Care Mask Mandate Begins Amid Rising Illness in Wisconsin

    Contact Information Website: auroraprices.com Aurora Health Care has implemented a temporary mask mandate beginning January 6, responding to a significant rise in infectious illnesses across Wisconsin. This policy requires all patients and visitors to wear masks in patient rooms and congregate areas, aiming to curb the spread of diseases such as whooping cough and norovirus….

  • Patient rights & responsibilities

    Contact Information Phone: 608-266-8481, 800-642-6552, 608-267-0352, 800-994-6610, 630-792-5636, 866-496-9647, 513-947-1250 Website: aurorahealthcare.org, dhs.wisconsin.gov, jointcommission.org Understanding your rights and responsibilities as a patient is essential for navigating healthcare decisions and costs. The American Hospital Association’s “Patient’s Bill of Rights” ensures you are entitled to make informed choices about your care, privacy, and treatment planning. Key cost…

  • Get payment summaries

    Contact Information Website: aurorahealthcare.org, aurorahealthcare.org, livewell.aah.org When managing medical expenses, understanding the various types of payment summaries available is essential, especially for Flexible Spending Account (FSA) reimbursements or tax documentation. Key components included in these summaries are detailed listings of all charges, payments made by you or your insurance, and any outstanding balances. These documents…

  • Notice of Privacy Practices

    Contact Information Website: hhs.gov The Notice of Privacy Practices is an essential document provided by your healthcare provider or health plan, required under HIPAA regulations. This notice outlines how your protected health information may be used and shared, and clearly explains your rights regarding your medical privacy. The fee for this administrative process typically covers…

  • Preparing for your hospital visit

    Overview: Preparing for a hospital visit—whether for an outpatient or routine procedure—is an important step to ensure your experience is as smooth and cost-effective as possible. Hospital fees typically include components such as the facility charge, professional fees, and sometimes anesthesia or supply costs. To avoid unexpected expenses, it’s wise to request an itemized estimate…