University Integrity and Compliance

Providing independent oversight of the university's compliance programs

Patient Privacy Rights under HIPAA

Submitted by Privacy Office 12/9/2020

Many people associate the phrase "HIPAA" with the piece of paper known as the Notice of Privacy Practices, which is given to patients in doctor's offices, clinics and hospitals. Often, handing over the paper "Notice" seems like an afterthought to the registration process, as if neither the giver nor the recipient wants to bother with the exchange. However, the Notice of Privacy Practices is actually an important way to find out what your rights are when you visit a doctor's office, clinic, or hospital. The Notice explains not only how doctor's offices, clinics and hospitals can use your health information, but also outlines your privacy rights.

HIPAA permits you to:

  1. Access your health information – You can ask for access to (read or obtain a copy of) your health information. Some exceptions exist; for example, you may not be able to access notes from mental health therapy sessions or information that might endanger you or someone else. Generally, access or a copy must be provided to you within 30 days, although time extensions are sometimes allowable under HIPAA. You can also ask for the information in an electronic or paper format. If the doctor's office, clinic or hospital is able to provide the information in the format requested, it must do so.
  2. Request confidential communications – You can ask the doctor's office, clinic or hospital to contact you in a particular manner. For example, you may ask to be contacted at work instead of at home, or to have correspondence mailed in an envelope rather than on a postcard. If the request is reasonable, the doctor's office, clinic or hospital must honor it. The clinic or hospital may have specific instructions for how to make your request.
  3. Request restrictions on how your information is used or shared – There are two kinds of privacy restrictions that you can request. First, you can ask the doctor's office, clinic or hospital not to share your information with certain people or groups. For example, you can ask the clinic not to share your information with your sister. Health care providers are not required to honor this request, but you do have the right to ask. Second, you can ask the health care provider not to share your information with your health plan (insurance) for payment or health care operations purposes if the item or service provided is paid for in full out-of-pocket. The doctor's office, clinic or hospital must agree to this request as long as the service is paid in full and completely out-of-pocket. (Payments from FSA or HSA funds do not qualify.) It is important to note that each provider/facility is only responsible for the information residing in its own records, so you must also make the same request of any other ("downstream") providers involved in the service (e.g., labs, pharmacies, hospital), or they may share this information with your health plan.
  4. Receive an accounting of disclosures – You can ask for a listing of how (and with whom) your information has been shared for certain purposes. For example, clinics and hospitals must track when patient information is used for reporting flu outbreaks or gunshot wounds, or for ensuring that doctors are qualified and providing good care. Doctor's offices, clinics and hospitals must provide this listing within 60 days of your request, although time extensions are sometimes allowable under HIPAA.
  5. Request corrections to your health record – You can ask the doctor's office, clinic or hospital to correct any information in your record that is wrong or to add information that is missing. If the doctor's office, clinic or hospital does not agree that the information is wrong, you can have the record amended to reflect your disagreement with the information.
  6. File a complaint – If you believe your privacy rights were violated or your information was shared in a way not permitted by law, you can file a complaint with the doctor's office, clinic or hospital, or with the Office for Civil Rights. Doctor's offices, clinics and hospitals are not permitted to retaliate against you for filing a complaint.


For more information regarding patient privacy rights or other HIPAA topics, please contact the University of Louisville Privacy Office at (502) 852-3803 or privacy@louisville.edu.