University Integrity and Compliance

Providing independent oversight of the university's compliance programs

Patient Privacy Rights under HIPAA

Submitted by Privacy Office 3/12/13

Many people associate the phrase “HIPAA” with the piece of paper known as the Notice of Privacy Practices, which is given to patients in clinics and hospitals.  Often, providing the paper “Notice” may seem like an afterthought to the registration process itself, with the expectation that neither the giver nor the recipient wants to bother with the exchange of information.  Most patients now decline to receive the Notice, since it has been provided multiple times by numerous entities in the 10 years since HIPAA was enacted.

Despite this trend, a wide gap in knowledge appears to exist around the information contained in the Notice, from both clinical staff and patient perspectives. The Notice explains not only how clinics and hospitals can use a patient’s health information, but also outlines a patient’s privacy rights.

Consider how many of the following patient privacy rights under HIPAA are familiar to you:

  1. To access your health information – You can ask for access to (read or obtain a copy of) your health information.  Some exceptions exist; for example, you may not be able to access notes from mental health therapy sessions or information that might endanger you or someone else.  Generally, access or a copy can be provided to you within 30 days, although time extensions are sometimes allowable under HIPAA.  You can also ask for information in an electronic or paper format.  If the clinic or hospital is able to provide the information in the format requested, it must do so.
  2. To request confidential communications – You can ask the clinic or hospital to contact you in a particular manner.  For example, you may ask to be contacted at work instead of home, or to have correspondence mailed in an envelope rather than on a post card. If the request is reasonable, the clinic or hospital must honor the request. There may be specific instructions from the clinic or hospital for how to make your request.
  3. To request restrictions on how your information is used or shared – There are two areas of privacy restrictions that you can request.  First, you can ask the clinic or hospital not to share your information with certain people or groups.  For example, you can ask the clinic not to share your information with your sister, or you could ask the doctor not to share your information with other hospital employees, such as your neighbor who works in the hospital pharmacy.  Health care providers are not required to honor this request, but you do have the right to ask.  Second, you can ask the health care provider not to share your information with your health plan (insurance) for payment or health care operations purposes if the item or service provided is paid in full out-of-pocket.  The clinic or hospital must agree to this request as long as the service is paid in full and completely out-of-pocket. (Payments from FSA or HSA funds do not qualify.)  It is important to note that each provider/facility is only responsible for the information residing in its own records, so you must also make the same request of any other (“downstream”) providers involved in the service (e.g., labs, pharmacies, the hospital), or else they may share this information with your health plan.
  4. To receive an accounting of disclosures – You can ask for a listing of how (and with whom) your information has been shared for certain purposes. For example, clinics and hospitals must track when patient information is used for reporting flu outbreaks, gunshot wounds, or for ensuring doctors are qualified and providing good care. Clinics and hospitals must provide this listing within 60 days of your request, although time extensions are sometimes allowable under HIPAA.
  5. To have corrections made to your health record – You can ask the clinic or hospital to correct any information in your record that is wrong or add information that is incomplete.  If the clinic or hospital does not agree that the information is wrong, you can have the record amended to reflect your disagreement with the information.
  6. To file a complaint – If you believe your privacy rights were violated or your information was shared in a way not permitted by the law, you can file a complaint with the clinic or hospital, or with the Office of Civil Rights. Clinics or hospitals are not permitted to retaliate against you if you lodge a complaint.
For more information regarding patient privacy rights or other HIPAA topics, please contact the University of Louisville Privacy Office at (502) 852-3803 or