Patient Rights and Responsibilities
Expert-defined terms from the Professional Certificate in HIPAA Compliance in Health Care course at London School of Business and Administration. Free to read, free to share, paired with a professional course.
Access to Protected Health Information (PHI) #
Access to Protected Health Information (PHI)
Patients have the right to inspect and obtain a copy of their PHI maintained by… #
This includes medical records, billing information, and any electronic health data held in a designated record set. Practical application: a patient submits a written request to the health‑care provider (a covered entity may require requests in writing) and receives the records within 30 days; one extension of up to 30 days is allowed if the patient is told the reason for the delay in writing. Challenges: ensuring the request is specific enough to locate records, providing the electronic form and format the patient asks for when the entity can readily produce it, and balancing access with security safeguards.
Advance Notice of Privacy Practices (ANPP) #
Advance Notice of Privacy Practices (ANPP)
A written document that outlines how a health‑care entity may use and disclose P… #
Example: a clinic provides the ANPP at the first visit and posts it online. The HIPAA Privacy Rule itself calls this document the Notice of Privacy Practices (NPP). Practical application: patients review the notice to understand how their PHI may be used and when an authorization is required. Challenge: keeping the notice up‑to‑date with regulatory changes and ensuring patients actually read it.
Authorization for Disclosure #
Authorization for Disclosure
Beneficiary Rights under Medicare #
Beneficiary Rights under Medicare
Rights granted to individuals receiving services covered by Medicare, including… #
Example: a Medicare beneficiary requests a summary of services for a recent hospital stay. Practical application: providers must respond within the statutory timeframes. Challenge: coordinating with multiple providers to assemble a complete record.
Confidentiality of Health Information #
Confidentiality of Health Information
The duty to protect PHI from unauthorized access, ensuring that only permitted i… #
Example: a nurse uses a password‑protected workstation to access patient charts. Practical application: implementing role‑based access controls. Challenge: balancing ease of access for care teams with stringent security measures.
Correction of Inaccurate Information #
Correction of Inaccurate Information
Patients may request that their PHI be amended if they believe it is incorrect o… #
Example: a patient notices a medication error in their chart and submits a correction request. Practical application: the entity must investigate and, if appropriate, amend the record within 60 days (one 30‑day extension is allowed); if the request is denied, the patient must be told why and may file a statement of disagreement that is kept with the record. Challenge: determining the validity of the amendment and documenting the decision process.
Data Breach Notification #
Data Breach Notification
Obligation of a covered entity to inform affected individuals, the Secretary of… #
Example: a laptop containing unencrypted PHI is stolen, prompting notification of affected individuals without unreasonable delay and no later than 60 days after the breach is discovered. If the PHI was encrypted in a way that meets HHS guidance, it counts as secured PHI and the notification duty does not apply, which is the strongest practical argument for full‑disk encryption on portable devices. Practical application: having an incident response plan that outlines notification steps, including notice to the HHS Secretary and, for breaches affecting more than 500 residents of a state, to prominent media outlets. Challenge: assessing the scope of the breach and documenting the four‑factor risk assessment used to decide whether PHI was compromised.
Electronic Health Records (EHR) Access #
Electronic Health Records (EHR) Access
Patients may view their health information through secure online portals, enhanc… #
Example: a patient logs into a portal to view lab results and medication lists. Practical application: providing user‑friendly interfaces and mobile access. Challenge: ensuring authentication mechanisms are robust without creating barriers to access.
Fee for Access to PHI #
Fee for Access to PHI
Under HIPAA, a covered entity may charge a reasonable, cost‑based fee for provid… #
Example: a patient is billed for copying and mailing a paper record. Practical application: calculating fees only from the labor of copying, the supplies used, postage, and, if the patient requested one, the preparation of a summary or explanation; the cost of searching for and retrieving the record may not be charged, and the fee must be disclosed in advance. Challenge: maintaining fee schedules that comply with the “reasonable, cost‑based” standard and are transparent to patients.
Health Information Exchange (HIE) Participation #
Health Information Exchange (HIE) Participation
HIPAA Privacy Rule #
HIPAA Privacy Rule
The federal standard that establishes national protections for PHI, defining pat… #
Example: the Privacy Rule requires entities to provide an ANPP to patients. Practical application: integrating the rule into policies and staff training. Challenge: interpreting the rule’s language in complex clinical scenarios.
Information Blocking #
Information Blocking
Prohibited practices that unreasonably limit the exchange of electronic health i… #
Example: a provider’s system refuses to transmit records to an app the patient has authorized, with no legitimate exception. Practical application: adopting open APIs that comply with ONC standards, and documenting which of the rule’s exceptions (for example the privacy or security exception) applies whenever a request is declined. Challenge: reconciling legacy systems with modern interoperability requirements.
Informed Consent #
Informed Consent
A process by which a patient voluntarily agrees to a proposed medical interventi… #
Example: a surgeon explains a procedure and obtains written consent. Practical application: documenting consent forms in the medical record. Challenge: ensuring comprehension, especially in language‑limited or cognitively impaired patients.
Minimum Necessary Standard #
Minimum Necessary Standard
Requirement that only the smallest amount of PHI needed to accomplish a task be… #
Example: a billing department extracts only the patient’s name, date of birth, and procedure code for claim submission. Practical application: implementing filters and role‑based access that automatically limit data exposure, while recognising that the standard does not apply to disclosures to, or requests by, a health‑care provider for treatment. Challenge: balancing thoroughness for clinical care with strict minimization.
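The role‑based filtering described above, as an added example (not code from the course or from any covered entity). The role names, the field allowlists, and the sample record are assumptions chosen for illustration; a real deployment would derive them from its own policies. Unknown roles receive nothing, and the treatment exemption is modelled explicitly so that it cannot be triggered by accident.

```python
"""Minimum-necessary projection of a PHI record by requester role and purpose.

Added example: role names, field sets and the sample record are assumptions,
not the course's or any covered entity's actual configuration.
"""
from __future__ import annotations

from typing import Any

# Fields each role may receive when the request is NOT a treatment request.
# Deny by default: a role absent from this table gets no fields at all.
ROLE_FIELDS: dict[str, frozenset[str]] = {
    "billing": frozenset({"patient_name", "date_of_birth", "procedure_code", "date_of_service"}),
    "scheduling": frozenset({"patient_name", "phone", "date_of_service"}),
    "clinician": frozenset({
        "patient_name", "date_of_birth", "diagnosis", "medications",
        "procedure_code", "date_of_service", "notes",
    }),
}

# The minimum-necessary standard does not apply to disclosures to, or requests
# by, a health-care provider for treatment (45 CFR 164.502(b)(2)). Only roles
# listed here, and only for purpose "treatment", receive the full record.
TREATMENT_EXEMPT_ROLES: frozenset[str] = frozenset({"clinician"})

# Constructed sample record: a fictional patient, not real data.
SAMPLE_RECORD: dict[str, Any] = {
    "patient_name": "Jane Example",
    "date_of_birth": "1980-01-01",
    "phone": "555-0100",
    "diagnosis": "J45.20",
    "medications": ["albuterol"],
    "procedure_code": "94010",
    "date_of_service": "2024-03-01",
    "notes": "Spirometry performed; see plan.",
    "ssn": "000-00-0000",
}


def minimum_necessary(record: dict[str, Any], role: str, purpose: str) -> dict[str, Any]:
    """Return the subset of `record` that `role` may receive for `purpose`."""
    if purpose == "treatment" and role in TREATMENT_EXEMPT_ROLES:
        # Treatment request from a provider: the standard does not apply.
        return dict(record)
    allowed = ROLE_FIELDS.get(role, frozenset())  # unknown role -> empty set
    return {key: value for key, value in record.items() if key in allowed}


def withheld_fields(record: dict[str, Any], role: str, purpose: str) -> set[str]:
    """Field names the projection removed; worth writing to the audit log."""
    return set(record) - set(minimum_necessary(record, role, purpose))


if __name__ == "__main__":
    for role, purpose in [("billing", "payment"), ("clinician", "treatment"), ("auditor", "operations")]:
        print(role, purpose, sorted(minimum_necessary(SAMPLE_RECORD, role, purpose)))
```

The projection is a pure function of (record, role, purpose), so it can sit in front of any export path (claims feed, portal API, report generator) and be unit‑tested against the policy table without touching the EHR.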
Patient Access Rights #
Patient Access Rights
The overarching entitlement for patients to obtain copies of their health inform… #
Example: a patient asks for an electronic copy of all records from the past year. Practical application: establishing a standardized request workflow. Challenge: managing high volumes of requests while maintaining privacy and security.
Patient Advocacy #
Patient Advocacy
Support services that assist patients in understanding and exercising their righ… #
Example: a hospital’s patient advocate helps a family appeal a denied service. Practical application: integrating advocates into discharge planning. Challenge: ensuring advocates are trained in HIPAA compliance and confidentiality.
Patient Confidentiality Agreements #
Patient Confidentiality Agreements
Contracts that bind health‑care workers to protect patient information and outli… #
Example: a new hire signs a confidentiality agreement during onboarding. Practical application: periodic refresher training on confidentiality obligations. Challenge: enforcing agreements across large, multi‑site organizations.
Patient Rights to Restrict Disclosure #
Patient Rights to Restrict Disclosure
Patients may ask a covered entity to limit certain disclosures of their PHI, tho… #
Example: a patient who pays in full out of pocket for a service asks that the record of it not be sent to their health plan; a covered entity must honor that specific restriction. For other restriction requests, such as limiting what is shared with a family member, the entity may decline, but if it agrees it is bound by the restriction. Practical application: documenting each restriction request and the decision on it, and flagging the affected records so that claims and release‑of‑information staff see the restriction. Challenge: determining when a restriction is permissible, especially for treatment or public health purposes.
Patient‑Generated Health Data (PGHD) #
Patient‑Generated Health Data (PGHD)
Health information created by patients outside of clinical settings, such as dat… #
Example: a patient uploads daily blood pressure readings to the portal. Practical application: incorporating PGHD into the EHR for clinician review. Challenge: verifying data accuracy and ensuring that PGHD is stored securely.
Privacy Notice Acknowledgment #
Privacy Notice Acknowledgment
Confirmation that a patient has received and understood the ANPP, often captured… #
Example: a patient clicks “I have read the privacy notice” before completing registration. Practical application: storing acknowledgment logs for audit purposes. Challenge: proving that acknowledgment reflects genuine comprehension.
Protected Health Information (PHI) #
Protected Health Information (PHI)
Any individually identifiable health information, whether oral, paper, or electr… #
Example: a lab result linked to a patient’s name and date of birth. Practical application: classifying data elements as PHI for security controls. Challenge: distinguishing PHI from de‑identified data, especially in mixed datasets; data counts as de‑identified only under the Safe Harbor method (removal of the 18 listed identifiers) or a documented expert determination.
Qualified Health Information Exchange (QHIE) #
Qualified Health Information Exchange (QHIE)
A health‑information exchange that meets specific technical and governance crite… #
Example: a QHIE facilitates seamless data sharing among hospitals in a state. Practical application: aligning local systems with QHIE protocols. Challenge: achieving compliance with both HIPAA and QHIE standards.
Right to Receive an Accounting of Disclosures #
Right to Receive an Accounting of Disclosures
Patients may request a list of all non‑treatment, payment, or health‑care operat… #
Example: a patient asks for an accounting of the disclosures of their mental health records made in the previous six years. Note that the right covers disclosures outside the entity, not internal workforce access; an access log is a Security Rule control, not an accounting. Practical application: maintaining a disclosure log with the date, recipient, description, and purpose of each disclosure. Challenge: generating accurate reports that exclude the disclosures the rule exempts (treatment, payment, health‑care operations, disclosures to the patient, disclosures under a signed authorization, and others) while responding within 60 days of the request.
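Generating the report from a disclosure log, as an added example that is not code from the course or from any covered entity. The log format, the purpose labels, the fictional entries, and the exclusion list are assumptions; the exclusion categories follow 45 CFR 164.528(a)(1) but a real implementation must map its own purpose codes onto them. The lookback is capped at six years and the response deadline is 60 days, both from the request date.

```python
"""Accounting of disclosures built from a constructed disclosure log.

Added example: log schema, purpose labels and entries are assumptions made
for illustration, not the course's or any entity's actual system.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Purpose labels excluded from the accounting by 45 CFR 164.528(a)(1).
# The mapping from a real system's purpose codes to these labels is assumed.
EXCLUDED_PURPOSES: frozenset[str] = frozenset({
    "treatment", "payment", "operations",   # TPO
    "to_individual",                        # disclosures to the patient
    "authorization",                        # disclosures under a signed authorization
    "incidental",                           # incidental to a permitted use
    "facility_directory",
    "limited_data_set",
})

MAX_LOOKBACK_YEARS = 6
RESPONSE_DEADLINE_DAYS = 60


@dataclass(frozen=True)
class Disclosure:
    """One external disclosure. Internal workforce access is not a disclosure."""
    patient_id: str
    disclosed_on: date
    recipient: str
    description: str
    purpose: str


# Constructed sample log: fictional patients and recipients.
LOG: list[Disclosure] = [
    Disclosure("P-1", date(2023, 5, 2), "State Dept. of Health", "Reportable lab result", "public_health"),
    Disclosure("P-1", date(2023, 6, 10), "Acme Health Plan", "Claim for office visit", "payment"),
    Disclosure("P-1", date(2023, 7, 1), "Jane Example (patient)", "Copy of records", "to_individual"),
    Disclosure("P-1", date(2017, 1, 15), "County Court", "Records under subpoena", "legal"),
    Disclosure("P-1", date(2024, 2, 20), "County Court", "Records under court order", "legal"),
    Disclosure("P-2", date(2024, 3, 3), "State Dept. of Health", "Reportable lab result", "public_health"),
]


def _years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting_of_disclosures(log: list[Disclosure], patient_id: str,
                              request_date: date, years: int = MAX_LOOKBACK_YEARS) -> list[dict]:
    """Disclosures the patient is entitled to see, oldest first.

    `years` may be shortened by the patient but never exceed six.
    """
    if not 1 <= years <= MAX_LOOKBACK_YEARS:
        raise ValueError(f"lookback must be 1..{MAX_LOOKBACK_YEARS} years, got {years}")
    earliest = _years_before(request_date, years)
    hits = [
        d for d in log
        if d.patient_id == patient_id
        and earliest <= d.disclosed_on <= request_date
        and d.purpose not in EXCLUDED_PURPOSES
    ]
    hits.sort(key=lambda d: d.disclosed_on)
    # Each entry carries the four elements the rule requires.
    return [
        {"date": d.disclosed_on.isoformat(), "recipient": d.recipient,
         "description": d.description, "purpose": d.purpose}
        for d in hits
    ]


def response_due(request_date: date) -> date:
    """Latest date the accounting may be provided (one 30-day extension aside)."""
    return request_date + timedelta(days=RESPONSE_DEADLINE_DAYS)


if __name__ == "__main__":
    asked = date(2024, 6, 1)
    for entry in accounting_of_disclosures(LOG, "P-1", asked):
        print(entry)
    print("respond by", response_due(asked))
```

Keeping the exclusion logic in one table makes the report auditable: a reviewer can check the table against the regulation once, and every accounting the system produces inherits that decision. Disclosures to the patient and under authorization are logged even though they are excluded, because the log also serves incident response.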
Right to Request Confidential Communications #
Right to Request Confidential Communications
Patients can ask that communications about PHI be made via alternative means or… #
Example: a patient requests that appointment reminders be sent to a private email rather than a shared work address. Practical application: updating contact preferences in the system. Challenge: ensuring that alternative communication channels are still secure and reliably delivered.
Security Rule Compliance #
Security Rule Compliance
The HIPAA Security Rule mandates safeguards to protect electronic PHI (ePHI), in… #
Example: implementing encryption for ePHI at rest and in transit. Under the Security Rule encryption is an “addressable” specification: the entity must implement it where reasonable and appropriate, and must document the reasoning and any equivalent alternative measure if it does not. Practical application: conducting the required risk analysis regularly and tracking the resulting remediation plan. Challenge: staying current with evolving cyber‑threats and updating controls accordingly.
Self‑Determination of Health Information #
Self‑Determination of Health Information
The principle that patients have authority over how their health information is… #
Example: a patient decides to share genomic data with a research study. Practical application: providing tools for patients to manage consent preferences. Challenge: integrating patient choices into existing clinical workflows without disrupting care.
Service Provider Agreements #
Service Provider Agreements
Contracts that bind third‑party vendors (business associates) to protect PHI and… #
Example: a cloud storage vendor signs a Business Associate Agreement (BAA) before storing ePHI. Practical application: reviewing vendor security policies and confirming that the vendor, in turn, has BAAs with any subcontractors that will handle the PHI. Challenge: monitoring compliance throughout the contract term and handling subcontractor relationships.
Standard for Electronic Transmission (SET) #
Standard for Electronic Transmission (SET)
Protocols that define how electronic health information is exchanged between ent… #
Example: using HL7 FHIR APIs to transmit patient summaries. Practical application: adopting industry‑standard formats. Challenge: integrating legacy systems that do not support modern standards.
State Laws and HIPAA Interaction #
State Laws and HIPAA Interaction
State statutes may provide greater protections than HIPAA, and entities must com… #
Example: a state law requires additional notice before disclosing genetic information. Practical application: conducting a comparative legal analysis, since HIPAA preempts contrary state law except where the state law is more stringent or serves specific listed purposes such as public health reporting. Challenge: navigating conflicts where state law imposes stricter requirements.
Telehealth Privacy Considerations #
Telehealth Privacy Considerations
Ensuring that virtual visits maintain the confidentiality and security of PHI #
Example: a provider uses an encrypted video platform for a remote consultation. Practical application: verifying platform compliance before adoption. Challenge: balancing patient convenience with robust security controls.
Treatment, Payment, and Health‑Care Operations (TPO) #
Treatment, Payment, and Health‑Care Operations (TPO)
The three core categories under which PHI may be used or disclosed without patie… #
Example: using PHI to process a claim (payment) or to conduct quality improvement (operations). Practical application: classifying each use appropriately. Challenge: distinguishing TPO activities from marketing, which requires the patient’s written authorization, and from research, which requires an authorization or a documented IRB or privacy board waiver.
Unauthorized Disclosure of PHI #
Unauthorized Disclosure of PHI
Any release of PHI that occurs without a valid authorization or permissible purp… #
Example: an employee inadvertently emails a patient’s chart to the wrong address. Practical application: incident response and corrective action plans. Challenge: minimizing human error through training and technical safeguards.
Verification of Identity for Access Requests #
Verification of Identity for Access Requests
Procedures to confirm that a request for PHI is made by the patient or an author… #
Example: requiring two forms of identification before releasing records in person, or a verified portal login for electronic requests. Practical application: using knowledge‑based authentication questions for remote requests, and checking the scope of a representative’s authority (for example a power of attorney) as well as their identity. Challenge: balancing verification rigor with patient convenience, since the Privacy Rule does not allow verification steps to be used as an unreasonable barrier to access.
Virtual Health Records (VHR) #
Virtual Health Records (VHR)
Electronic platforms that aggregate a patient’s health data across multiple prov… #
Example: a VHR app displays immunizations, lab results, and imaging from various hospitals. Practical application: enabling data import via standardized APIs. Challenge: ensuring data integrity and consent across disparate sources.
Wrongful Disclosure Remedies #
Wrongful Disclosure Remedies
Legal and administrative remedies available to patients when their PHI is improp… #
Example: a patient sues under state privacy or negligence law after a data leak; HIPAA itself creates no private right of action, so patients instead file complaints with HHS’s Office for Civil Rights, which can impose civil penalties and corrective action plans. Practical application: having a remediation plan that includes notification, mitigation, and settlement negotiation. Challenge: anticipating potential liabilities and maintaining adequate insurance coverage.