The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule

HIPAA is a federal statute that mandated the development of national standards to keep patient health information from being disclosed without the patient's knowledge or consent. The Privacy Rule also spells out individuals' rights to know about and control the use of their health information. Patients are granted access to the information in their medical and billing records, while certain categories of records are excluded from that right; a patient who believes access has been wrongly refused, or that the rule has otherwise been violated, may file a complaint.

Under the HIPAA Privacy Rule, individuals have the right to inspect and obtain copies of their health records from healthcare providers and health plans, with a few exceptions. Patients have access to the medical and billing records kept by or on behalf of a covered healthcare provider (Health Information Privacy, 2019). For a health plan, the right covers the enrollment, payment, claims adjudication, and case or medical management records maintained by or for the plan, not every system the plan operates. Patients may also access any other records used by or on behalf of the covered entity to make decisions about individuals; together these records form the designated record set.

An individual has no right to inspect information that is not part of the designated record set, because such information is not used to make decisions about individuals. This includes quality assessment and improvement records, patient safety activity records, and business planning and development records (Centers for Disease Control and Prevention, 2019). Access is likewise restricted to management records that support broad business decisions rather than decisions about a particular individual; an individual's data may have been used, for example, to build quality control records for improving customer service or records for developing a health plan. Psychotherapy notes that a mental health professional keeps separate from the rest of the patient's medical record are also excluded, so the patient has no right of access to them. Nor may the patient obtain information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Federal law was created to safeguard the privacy and security of patient health data, and patients should be informed of these safeguards by the responsible authorities. Patients can speak out, ask questions, and file complaints if they believe their rights have been violated or their health data is not being kept confidential (Centers for Disease Control and Prevention, 2019). Patients also have the right to be notified when their unsecured protected health information (PHI) is involved in a breach.

A person can file a complaint about a HIPAA violation with the Office for Civil Rights (OCR) by letter or through its online portal. In either case, an individual who claims a breach of privacy involving their health information, or another violation of the Privacy or Security Rule, must give their own contact information and identify the person, institution, or organization they believe committed the violation (HIPAA Journal, 2021). The complaint must describe the acts or omissions believed to violate the rules, concisely but in enough detail for OCR to understand what happened, and it must be filed within 180 days of when the complainant knew or should have known of the act. The complainant may attach supporting information and must sign the complaint. If a patient is filing on behalf of another person, that person's name must also be provided. The Health Information Privacy Complaint Package and the OCR Complaint Portal make it straightforward to file a complaint under either rule.

Following a breach of unsecured PHI, covered entities must notify the individuals affected without unreasonable delay, and in no case later than 60 days after discovering the breach. The notice is sent by first-class mail, or by email if the individual has agreed to receive electronic notices. If the covered entity lacks contact information, or has out-of-date contact information, for ten or more individuals, it must give substitute notice by posting the notice conspicuously on the home page of its website for at least 90 days or by placing it in major print or broadcast media in the areas where the affected individuals are likely to reside (Health Information Privacy, 2019). The substitute notice must include a toll-free phone number, active for at least 90 days, that individuals can call to learn whether their information was involved in the breach (Health Information Privacy, 2019). If contact information is missing or out of date for fewer than ten individuals, the covered entity may give substitute notice by telephone, email, an alternative written notice, or other means.

The Office for Civil Rights enforces HIPAA's privacy and security standards. Its duties include investigating complaints, conducting compliance reviews to assess how covered entities are complying, and providing education and outreach on the Privacy and Security Rules (Health Information Privacy, 2019). When OCR opens an investigation of a complaint, it notifies both the complainant and the covered entity. It then gathers information from each side, interviewing the complainant and the covered entity and requesting records as needed to establish the facts. Covered entities are required to cooperate with complaint investigations. If a complaint alleges a criminal violation of HIPAA, OCR may refer it to the Department of Justice. After reviewing the evidence, OCR may conclude that the covered entity did not violate the Privacy or Security Rule, in which case the case is closed. If the evidence indicates non-compliance, OCR works with the covered entity to resolve the matter through voluntary compliance, corrective action, or a resolution agreement, and may impose civil money penalties if the entity fails to comply.

In conclusion, with certain exclusions, individuals have the right to inspect and obtain copies of their records held by healthcare providers and health plans under the HIPAA Privacy Rule. A patient's medical and billing records are open to them, whether created by or for the provider. Because it is not used to make decisions about specific individuals, information that is not part of the designated record set is not subject to the right of access.


Centers for Disease Control and Prevention. (2019). Health Insurance Portability and Accountability Act of 1996 (HIPAA). CDC.

Health Information Privacy. (2019). Health Information Privacy.

HIPAA Journal. (2021). How to report a HIPAA violation. HIPAA Journal.
