Rules & Requirements —
How the HIPAA Privacy Rule Protects PHI
The HIPAA Privacy Rule limits PHI use, grants patient rights, and ensures privacy across all data formats and systems.
Share this article
How the HIPAA Privacy Rule Protects PHI
"Access and amendment rights" is two of what's actually seven distinct rights the Privacy Rule grants patients, each with its own specific deadline and scope. Compressing them loses exactly the detail that determines whether a covered entity is actually compliant — OCR's enforcement data shows failure to respond to these requests within the required time is one of the most common sources of complaints, more often than dramatic breach scenarios.
What Governs Whether PHI Can Move At All
Before getting to patient rights, the Privacy Rule's core structure is about permitted uses and disclosures. Three categories — treatment, payment, and healthcare operations (TPO) — can happen without the patient's specific authorization, because requiring authorization for every routine clinical and billing function would make care delivery unworkable. A handful of narrow public-interest categories (public health reporting, certain law enforcement needs, averting a serious threat, judicial proceedings) are also permitted without authorization, subject to specific conditions. Everything else — most notably marketing, most sales of PHI, and most uses of psychotherapy notes — requires the patient's written authorization. The minimum necessary standard applies across most of this, with the specific exceptions covered in Understanding the HIPAA Minimum Necessary Rule.
The Seven Patient Rights
Right to access (45 CFR §164.524) — patients can inspect and obtain a copy of their PHI in a designated record set, including electronic copies, and can direct that a copy be sent directly to a third party. Response is due within 30 days, with one permitted 30-day extension. Notably, the minimum necessary standard does not apply when a patient is exercising their own access right — a covered entity can't invoke "minimum necessary" to withhold parts of a patient's own record from them.
Right to amendment — patients can request correction of inaccurate or incomplete information in their designated record set. Response is due within 60 days, with one permitted 30-day extension. If denied, the covered entity must explain why in writing and allow the patient to submit a statement of disagreement, which then has to be included with future disclosures of the disputed information.
Right to an accounting of disclosures (45 CFR §164.528) — a list of certain non-routine disclosures made over the prior six years, excluding TPO disclosures, disclosures to the patient themselves, and disclosures the patient already authorized. Due within 60 days, with one extension. The first request in any 12-month period is free.
Right to request restrictions — patients can ask a covered entity to limit how their PHI is used or disclosed for TPO, or to family and others involved in care. Covered entities aren't generally required to agree — except for one specific, mandatory exception: if a patient pays in full out of pocket for an item or service and requests it, the provider must restrict disclosure of that information to the patient's health plan.
Right to confidential communications — patients can request to be contacted through an alternative method or address (a different phone number, a different mailing address), and providers must accommodate reasonable requests.
Right to a Notice of Privacy Practices — every patient must receive a clear, plain-language notice explaining what PHI may be disclosed, to whom, for what purposes, and how to exercise their other rights — provided at first encounter and posted publicly, with material changes triggering a re-issued notice.
Right to file a complaint without retaliation — patients can complain to the covered entity directly or to OCR, and cannot be retaliated against for a good-faith complaint.
Why This Specific Area Draws Disproportionate Enforcement Attention
OCR's Right of Access Initiative, launched in 2019, has produced roughly 50 enforcement actions over five years specifically targeting failures to honor the access right within required timeframes — not breaches, not technical failures, just organizations that didn't respond to a patient's records request on time. This makes patient rights compliance one of the more procedurally straightforward areas to get wrong, since the failure mode isn't a sophisticated security gap, it's a missed deadline or an under-trained front-desk process.
Building a Compliant Process
A workable approach typically includes:
A single designated point of contact for all access, amendment, restriction, and accounting requests — not a process scattered across whoever happens to receive the request
Immediate logging with the clock started at receipt, since the 30- and 60-day windows run from when the request was received, not when work on it began
A documented identity verification step before fulfilling any request, balanced against not creating unreasonable barriers to a patient's own information
Written extension notices sent before the original deadline, not after, if more time is genuinely needed
A complete paper trail — the request, the response, the date fulfilled, and any related communications — since this is exactly the documentation OCR's Right of Access investigations ask for first
PHI in Every Form, Not Just Electronic
The Privacy Rule applies to PHI regardless of format — paper records, verbal conversations, electronic systems — which is a meaningful distinction from the Security Rule's safeguards, which apply specifically to electronic PHI. A compliance program built entirely around technical safeguards while neglecting paper records and verbal disclosure practices satisfies only half of what the Privacy Rule actually requires.
Aligning With Other Privacy Frameworks
The Privacy Rule's core logic — individuals have enforceable rights over their own data, organizations have to justify uses beyond the obvious necessary ones — parallels GDPR's data subject rights structure and ISO 27001's access-governance requirements, though the specific mechanics (deadlines, exceptions, permitted categories) are HIPAA-specific and don't transfer automatically. Organizations operating internationally need both sets of specifics handled, not just one general privacy framework assumed to cover both.
In the Spotlight

Start your HIPAA compliance journey with DSALTA's complete checklist.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive health information. Any organization handling protected health information (PHI)— from hospitals to SaaS vendors serving healthcare—must comply.
HIPAA compliance may feel overwhelming, but with DSALTA®’s automation, you can reduce manual work, continuously monitor safeguards, and stay prepared for audits. This checklist outlines the essential steps to meet HIPAA requirements.
Read more about HIPAA compliance with DSALTA.
Stop losing deals to compliance.
Get compliant. Keep building.
Join 100s of startups who got audit-ready in days, not months.




