Federal law · 45 CFR Part 164

The 8 Patient Rights Under HIPAA (Complete List 2026)

Plain English. Cited to the regulation. What each right gives you, and the one sentence you need to use it.

8

Federal rights

1

Mandatory restriction

180d

To file a complaint

01 45 CFR § 164.524

Right to Access

Get copies of your medical records.

You have the right to inspect and obtain a copy of your protected health information held by any covered entity. Providers must respond within 30 days, with one 30-day extension permitted for cause. Electronic records must be delivered in electronic format if you request it. An unpaid bill is not grounds for refusal. Your records are not held hostage to fee disputes.

Submit a written request to the entity's records department.

02 45 CFR § 164.526

Right to Amendment

Correct information that is wrong or incomplete.

If something in your record is inaccurate or incomplete, you can require correction. The entity must respond within 60 days. The original record is preserved for the statutory retention period, but the corrected version is what propagates forward to anyone who received the file. If amendment is denied, you can file a statement of disagreement that becomes part of the record.

Submit a written amendment request stating what is wrong and what it should say.

03 45 CFR § 164.522(a)

Right to Restriction

Limit how your information is used and shared.

You may request restrictions on use and disclosure of your information. Providers are generally not obligated to agree, with one critical exception. HIPAA requires providers to honor restrictions on disclosure to your health plan when you paid for the service in full out of pocket. This is the only mandatory restriction under HIPAA, and it is the strongest individual lever the regulation gives you.

Submit a restriction request. For the cash-pay version, state the service and that you paid in full out of pocket.

04 45 CFR § 164.404

Right to Breach Notification

Be told when your information is breached.

Covered entities must notify you within 60 days of discovering a breach of your unsecured protected health information. The notice must describe what happened, what data was involved, what is being done to mitigate harm, what steps you can take to protect yourself, and contact information for follow-up questions.

No action required to receive notice. State breach laws often shorten the timeline further.

05 45 CFR § 164.522(b)

Right to Confidential Communications

Choose how and where the entity contacts you.

You may direct that the entity communicate with you by a particular means or at a particular location: an alternate phone number, a separate mailing address, electronic-only correspondence. Reasonable requests must be accommodated without inquiry into your reason.

Submit a written request specifying the channel you prefer.

06 45 CFR § 164.528

Right to Accounting of Disclosures

See who your information was shared with.

You can request a list of disclosures of your information made by a covered entity in the preceding six years. Routine disclosures for treatment, payment, and operations are excluded. The first accounting in any twelve-month period is free.

Submit a written request for an accounting of disclosures.

07 45 CFR § 164.520

Right to Notice of Privacy Practices

Receive a written notice of how your data is used.

Covered entities must provide you with a written notice describing how your information is used and disclosed, your rights with respect to your information, and the entity's legal duties. The notice is provided at your first encounter and on request thereafter.

Ask the front desk on your first visit. The notice is also typically posted on the entity's website.

08 45 CFR § 164.530(j)

Right to File a Complaint

Report a violation without fear of retaliation.

If you believe your rights have been violated, you can file a complaint with the entity's privacy officer, with the U.S. Department of Health and Human Services Office for Civil Rights, or with your state attorney general. Complaints to OCR must be filed within 180 days of the violation. Retaliation against a complainant is prohibited.

OCR online portal: ocrportal.hhs.gov/ocr/smartscreen/main.jsf.

Beyond the federal floor

HIPAA is the federal floor.
State law often goes further.

When state law gives you more, the state law applies. These are the categories where extra protections matter most.

Side-by-side

Where state law beats the federal floor

Right / protection
HIPAA (federal)
State law (examples)
Medical records access
30 days, extendable to 60
California CMIA: 15 days ↑ Stronger
Breach notification
Within 60 days
Pennsylvania: 72 hours to AG.
California: 15 days. ↑ Faster
Private right to sue
No private right of action
California CMIA: yes, sue directly. $1,000 statutory damages per violation. ↑ Much stronger
Marketing opt-out
Limited opt-out rights
Washington MHMDA: explicit consent required. ↑ Stronger
Data sharing controls
Can request restrictions; provider must consider
Colorado CPA: right to delete + opt out of sale.
Connecticut CTDPA: comprehensive data rights.
Mental health records
Standard HIPAA protections
Illinois: enhanced mental health confidentiality.
Pennsylvania: stricter consent rules.
See your state's privacy rights

Mental health

Psychotherapy notes need a separate, standalone authorization under 45 CFR § 164.508(a)(2). A plan cannot demand them as a condition of payment. California (CMIA § 56.104) and New York (Mental Hygiene Law § 33.13) layer on civil damages.

Reproductive health

State shield laws are the real protection. California (AB 352), New York (Shield Law 2.0), Washington (HB 1469), Colorado, Massachusetts, Illinois block your provider from honoring out-of-state subpoenas, with statutory damages of $1,000–$10,000 per disclosure.

Addiction treatment

42 CFR Part 2 federally bars a treatment program from even confirming you are a patient absent your written consent (§ 2.13(c)), and blocks your records from civil, criminal, or administrative proceedings without a separate court order.

Gender-affirming care

Eleven states (CA, WA, OR, MA, MN, NM, IL, CO, VT, NJ, NY) have shield laws blocking out-of-state subpoenas and extradition tied to lawful care, with civil damages in several.

The question everyone asks

Can I have my medical records deleted?

Yes, but it depends on who holds your data and whether the retention clock has run out. HIPAA gives you three mechanisms to restrict how clinical records are used. Two more get data actually erased: a standing demand that fires the moment a provider's retention period expires, and immediate deletion of anything kept longer than the law allows or held by non-HIPAA companies (apps, brokers, wellness platforms).

Path 1 · Strongest

The cash-pay restriction

If you paid for a service in full out of pocket, HIPAA requires your provider to not disclose that service to your health plan when you request the restriction.

45 CFR § 164.522(a)(1)(vi)

Path 2 · Restriction

Request restrictions on sharing

You can request restrictions on any sharing of your records. Providers must consider every request and may agree as a matter of policy.

45 CFR § 164.522(a)(1)

Path 3 · Amendment

Correct what's wrong

If information is inaccurate or incomplete, you can require correction. The original is retained for the statutory period; the amendment is appended.

45 CFR § 164.526

When deletion is actually on the table

Path 4 · Standing demand

Delete at retention expiry

State law sets how long a provider must keep your records: commonly 5 to 10 years for adults, longer for minors. Once it expires, the legal reason to hold them is gone. Send a standing demand now that puts your provider on notice to delete the instant their retention obligation ends.

State medical-records retention laws

Path 5 · Kept too long

Delete what's overdue

California's CPRA bars any business from keeping your data longer than reasonably necessary. Held past its own retention schedule, you can demand deletion now. The same applies in full to data brokers, health apps, and other non-HIPAA holders.

Cal. Civ. Code § 1798.100 · 11 CCR § 7026

Beyond the federal floor

Four categories with legally enforceable protections beyond baseline HIPAA

HIPAA is the baseline. Four categories of health records carry additional, enumerable, legally enforceable protections that are written into statute, not left to policy.

Category 01

Substance use disorder records

Records held by a federally assisted substance use program cannot even be confirmed to exist without your written consent, and they are off-limits to civil, criminal, or administrative process absent a separate court order. The 2024 final rule (89 Fed. Reg. 12472) aligned Part 2 more closely with HIPAA while preserving these core protections.

42 CFR Part 2

Category 02

Psychotherapy notes

The therapist's private process notes, kept separate from your medical chart, require their own standalone written authorization. They cannot be released even with a routine medical-records authorization, and the request cannot be conditioned on payment.

45 CFR § 164.508(a)(2)

Category 03

Reproductive-health records (state-level)

Statutes in roughly two dozen states (including CA AB 352, NY Shield Law 2.0, WA HB 1469, CO SB 23-188, MA Ch. 127, IL HB 4664, MN HF 146, NM HB 7, OR HB 2002, VT Act 14) prohibit your provider from cooperating with out-of-state subpoenas seeking reproductive-care records. Several carry statutory damages of $1,000 to $10,000 per disclosure plus attorney's fees.

~24 state statutes

Category 04

Gender-affirming-care records (state-level)

Many of the same state statutes that shield reproductive-care records extend equal protection to gender-affirming care: similar prohibitions on out-of-state subpoena cooperation, similar private-right-of-action structures, similar statutory damages. These are concrete rights you can compel, refuse, and sue over, not policy.

~20 state statutes

Letters you actually send

Three ready-to-send letters. Just copy and send.

Each letter already cites the rule that requires your provider to respond. Fill in your details, send by email or certified mail, and save a copy. The 30 or 60-day clock starts the moment they receive it.

Template 01 · 45 CFR § 164.524

Records access request

Use when you want copies of your medical records in any format.

[Your name]
[Your address]
[Your phone or email]
[Date]

[Provider/practice name]
Attn: Privacy Officer or Medical Records
[Provider address]

Re: Request for access to my health records

To whom it may concern:

Pursuant to 45 CFR § 164.524, I am requesting a copy of my designated record set. Please provide records from [date range] in electronic format (PDF), delivered by [secure email / certified mail / portal].

This request includes all records held by your practice and any business associates: clinical notes, lab results, imaging reports, correspondence, and billing records.

Under federal law you must respond within 30 days. Please confirm receipt and provide an estimated delivery date.

Sincerely,
[Your name]
[Date of birth]
[Medical record number, if known]

Send by email to the practice's privacy officer or by certified mail. Keep proof of delivery; the 30-day clock starts the day they receive it.

Template 02 · 45 CFR § 164.526

Amendment / correction request

Use when your record contains a factual error: wrong diagnosis, wrong medication, wrong allergy.

[Your name]
[Your address]
[Your phone or email]
[Date]

[Provider name]
Attn: Privacy Officer

Re: Request for amendment to my health record (45 CFR § 164.526)

To whom it may concern:

I am requesting an amendment to my health record. The information at issue:

  Record: [describe the document or entry]
  Date of record: [date]
  What is inaccurate: [specific error]
  What the record should say: [correct information]
  Why this matters: [wrong diagnosis, wrong medication, etc.]

Under 45 CFR § 164.526 you must act on this request within 60 days. If you deny the amendment, I am entitled to submit a statement of disagreement that becomes part of my record.

Please confirm receipt and provide your written decision.

Sincerely,
[Your name]
[Date of birth]

Attach the page of the record with the error if you have it. If the provider denies the amendment, follow up with a statement of disagreement under the same regulation.

Template 03 · 45 CFR § 164.522(a)(1)(vi)

Cash-pay restriction request

Use when you paid for a service entirely out-of-pocket and don't want it shared with your insurer. This is the one HIPAA request your provider can't refuse.

[Your name]
[Your address]
[Date]

[Provider name]
Attn: Privacy Officer

Re: Mandatory restriction request (45 CFR § 164.522(a)(1)(vi))

To whom it may concern:

I am paying for the following service in full and out-of-pocket:

  Service / item: [description]
  Date of service: [date or date range]
  Provider: [provider name if multiple in practice]

Under 45 CFR § 164.522(a)(1)(vi), I am requesting that you not disclose any protected health information related to this service to my health plan, [plan name], for payment or healthcare operations purposes. This restriction is mandatory under federal law when the patient pays for the service in full.

Please confirm receipt and acknowledge that this restriction will be honored.

Sincerely,
[Your name]
[Date of birth]

Submit before the service if possible. Restrictions are easier to honor at billing time than to retroactively unwind. Some practices require an "intent to pay" form at check-in.

If your provider says no

The escalation path, in order.

Most providers fold at step one once you cite the regulation. Here's what to do when they don't.

  1. 01 No cost

    Put it in writing to the provider

    Send a written request citing the specific regulation (e.g., "Pursuant to 45 CFR § 164.524, I request a copy of..."). Email is fine. Keep a copy. By rule the provider has 30 days to comply, with one 30-day extension if they notify you in writing.

    Timeline 30 days, extendable once to 60
    When it fails Provider ignores you, charges more than reasonable copy costs, or refuses outright
  2. 02 No cost · no lawyer

    File a complaint with HHS OCR

    The federal regulator. File online via the OCR Complaint Portal within 180 days of the violation. No lawyer needed. OCR investigates, can compel corrective action, and has fined providers under the Right of Access Initiative for refusing records requests, but OCR does not award you damages.

    Deadline 180 days from the violation
  3. 03 No cost

    File with your state Attorney General

    Since 2009 (HITECH § 13410), state AGs can bring HIPAA enforcement actions. Some states accept consumer complaints directly. State AGs often move faster than OCR on egregious cases, and a state-level filing can run parallel to your OCR complaint.

  4. 04 Counsel recommended

    Sue under state law

    HIPAA itself has no private right of action. You cannot sue under HIPAA. But many states do allow direct suits. California CMIA awards $1,000 in statutory damages per violation without proving harm. Illinois, New York, and Texas each have specialized state-law claims for medical privacy. If actual harm occurred (identity theft, denied insurance, employment fallout), a state-law claim is the path to recovery.

    Reality check This is the slow, expensive path. Steps 1–3 resolve most violations.
If this feels like a lot

HealthConsent files the request, tracks the 30-day clock, and escalates to OCR automatically if the provider misses the deadline. Across the providers, insurers, and brokers that hold your data.

See how it works
Common questions

Frequently asked, plainly answered.

The questions readers send most often, with the rule citations to back up each answer.

Does HIPAA give patients the right to delete their medical records?

Yes, within specific bounds. HIPAA gives you three concrete deletion-style rights. (1) Cash-pay restriction (45 CFR § 164.522): if you paid out-of-pocket for a service, HIPAA REQUIRES your provider to not disclose that information to your health plan. This is the only mandatory restriction under HIPAA. Providers must honor it. (2) Restriction requests: you can ask your provider to restrict any sharing of your records; they must consider every request. (3) Amendment (45 CFR § 164.526): if information is wrong or incomplete, you can require correction. State laws like California CMIA, Washington MHMDA, CCPA/CPRA, and VCDPA strengthen these rights significantly. And for non-provider entities holding your health data (health apps, data brokers, wellness platforms, insurer ancillary records), you have full deletion rights under state privacy laws and the FTC Health Breach Notification Rule. HealthConsent automates all of these requests across 7M+ healthcare entities.

Can I request that my doctor delete my health information under HIPAA?

Yes, and here is exactly how. The strongest path is the cash-pay restriction under 45 CFR § 164.522(a)(1)(vi): if you paid for a service entirely out-of-pocket, your provider MUST not disclose that information to your health plan when you request it. For other restrictions on sharing, you can request them and the provider must consider them. You can also request amendment of inaccurate records under 45 CFR § 164.526. Beyond your provider, if your records are held by a HIPAA-covered entity that isn't the originating provider (a health plan, clearinghouse, or business associate), state privacy laws often grant stronger deletion rights. California CMIA, Washington MHMDA, and comprehensive consumer-privacy laws in CO/CT/VA all provide deletion mechanisms. HealthConsent files these requests on your behalf, automatically.

What is the difference between amendment and deletion of medical records under HIPAA?

Amendment under HIPAA (45 CFR § 164.526) corrects inaccurate or incomplete information in your record. Deletion removes the record entirely. HIPAA grants amendment as a patient right and grants restriction rights (45 CFR § 164.522) that effectively block specific disclosures, including the mandatory cash-pay restriction that requires providers not share out-of-pocket service info with your health plan. Where HIPAA itself doesn't mandate full deletion, state laws often do, especially for non-provider entities like health apps (FTC HBNR), data brokers (state privacy laws), and consumer health platforms (CCPA/CPRA, MHMDA, CDPA, CPA). HealthConsent helps you exercise every right you have across all of these channels.

What are the 8 patient rights under HIPAA?

The 8 patient rights under HIPAA are: 1) Right to Access - Get copies of your medical records within 30 days, 2) Right to Amendment - Request corrections to inaccurate health information, 3) Right to Restriction - Limit how your health information is used or shared, 4) Right to Breach Notification - Be notified within 60 days if your data is breached, 5) Right to Confidential Communications - Choose how and where you receive health information, 6) Right to Accounting of Disclosures - See who your health information was shared with, 7) Right to Notice of Privacy Practices - Receive written notice of how your data is used, and 8) Right to File a Complaint - Report privacy violations without fear of retaliation.

How many patient privacy rights are there under HIPAA?

There are 8 core patient privacy rights under federal HIPAA law. These rights give you control over your health information and protect your medical privacy across all 50 states.

What is the difference between HIPAA rights and state privacy rights?

Under federal HIPAA regulations, state health privacy laws prevail when they provide stronger protections. For example, California's CMIA requires 15-day medical records access (vs HIPAA's 30 days) and allows patients to sue directly for violations. Pennsylvania requires 72-hour breach notification to the Attorney General (vs HIPAA's 60 days). If your state law gives you more rights or faster timelines than HIPAA, the state law applies.

Can I request copies of my medical records under HIPAA?

Yes. Under HIPAA's Right to Access, you can request copies of your medical records and healthcare providers must provide them within 30 days (extendable to 60 days in limited circumstances). Electronic records must be provided in electronic format if requested. Providers may charge reasonable, cost-based copying fees but cannot charge retrieval fees.

Can I file a complaint if my HIPAA rights are violated?

Yes. Under HIPAA's Right to File a Complaint, you can file complaints with both your healthcare provider's privacy officer and with the HHS Office for Civil Rights (OCR). Complaints must be filed within 180 days of the violation. Healthcare providers cannot retaliate against you for filing a complaint.

What is the HIPAA right to restriction?

The HIPAA Right to Restriction allows you to request limits on how your health information is used or shared. While providers are not required to agree to all restrictions, they MUST agree to restrictions on disclosures to health plans for services you paid for out-of-pocket in full. Once a provider agrees to a restriction, it applies to all covered entities.