Understanding Patient’s Rights Under HIPAA

When it comes to PHI, patients have certain rights under the HIPAA Privacy Rule. All covered entities must follow these rules and guidelines and communicate these rights to every patient via a Notice of Privacy Practices. The Notice of Privacy Practices can be presented to patients in either written or electronic format, and you must obtain their signature as acknowledgment that they have received and understood it.

Every patient must receive the Notice at their first service encounter with your office, or in an emergency situation, at the earliest time possible after the emergency situation abates. In addition, the Notice should also be posted in areas where it is visible and able to be read by any patient.

Below are the patient’s rights regarding access to their PHI:

  • Right to access PHI – every patient has the right to request access to, or a copy of, their PHI. You must provide this information within 30 days of receiving the request, and you may charge a small, reasonable fee for printing or copying. It is best practice to post fees or inform patients of the fees at the time of their request.
  • Right to request an amendment of their PHI – if a patient feels something in their PHI is inaccurate, they may ask for a correction to be made. You must review the request and, within 60 days of receiving it, inform the patient either that the change will be made or that it will not, along with the reason for the denial.
  • Right to request confidential communications – a patient can request you send communications to another email or phone number. In addition, they can request no postcards be sent to them, unless in a sealed envelope.
  • Right to restrict use and disclosure of PHI – a patient can ask you to limit what you share and who you share it with. As a provider, you can deny the request if it would affect your care of the patient. If a patient pays for a service out of pocket, they can ask you not to share information about that service with any insurers.
  • Right to Disclosure Accounting – a patient can ask at any time for a list of everyone their PHI has been shared with. The time limit is six years from the date they make the request, and you may charge a small, reasonable fee for printing or copying. It is best practice to post fees or inform patients of the fees at the time of their request.

Make sure that you understand your patients’ rights. If you deny a patient one of these rights, they can file a complaint against you with the OCR, which can trigger an audit of your HIPAA policies and procedures.