Patient Bill of Rights: HIPAA, AHA & State Law Guide

Everything healthcare practices need to know about patient rights — from the six federally enforceable HIPAA rights to the AHA's voluntary guidelines and state-specific additions. Includes a printable summary for your waiting room.

6: Core HIPAA patient rights under the Privacy Rule
1973: Year the AHA first published its Patient's Bill of Rights
50: States with additional patient rights laws

The 6 HIPAA Patient Rights

The HIPAA Privacy Rule (45 CFR Part 164) grants patients six federally enforceable rights over their protected health information. Unlike the AHA guidelines, these carry legal penalties for non-compliance. Use our HIPAA compliance checklist to verify your practice addresses each one.

Right to Access

45 CFR 164.524

Patients can inspect and obtain a copy of their PHI held in a designated record set. Practices must respond within 30 days (one 30-day extension allowed).

  • Includes medical records, billing records, and enrollment information
  • Practices may charge a reasonable, cost-based fee for copies
  • Electronic copies must be provided if requested and feasible
  • 2026 update: billing records must now be included when requested

Right to Amendment

45 CFR 164.526

Patients can request corrections to inaccurate or incomplete PHI. Providers may deny the request only under specific circumstances.

  • Request must be in writing and include a reason for the amendment
  • Denial allowed if the record was not created by the provider, is accurate, or is not part of the designated record set
  • If denied, patient may submit a statement of disagreement
  • Amended information must be sent to parties the patient identifies

Right to an Accounting of Disclosures

45 CFR 164.528

Patients can request a list of disclosures of their PHI made by the covered entity in the prior six years.

  • Excludes disclosures for treatment, payment, and healthcare operations
  • Excludes disclosures authorized by the patient
  • Must include date, recipient, description, and purpose of each disclosure
  • First request per 12-month period must be free of charge
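
The four bullets above describe a filter over a disclosure log: keep only disclosures inside the six-year lookback, drop treatment/payment/operations and patient-authorized disclosures, and report the four required fields. The following is an added illustration written for this guide, not code from any HIPAA tooling or vendor; the log schema, patient IDs, recipients and dates are constructed for the example, and the 12-month free-request check uses a 365-day window as a simplifying assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Purposes that 45 CFR 164.528 leaves out of the accounting: treatment,
# payment and healthcare operations. Disclosures the patient authorized
# are also left out; they are tracked with a separate flag below.
EXCLUDED_PURPOSES = {"treatment", "payment", "operations"}


@dataclass(frozen=True)
class Disclosure:
    """One entry in a covered entity's disclosure log (constructed schema)."""
    patient_id: str
    disclosed_on: date
    recipient: str
    description: str
    purpose: str
    patient_authorized: bool = False


def lookback_cutoff(as_of: date, years: int = 6) -> date:
    """Start of the lookback window ending on as_of (29 Feb falls back to 28 Feb)."""
    try:
        return as_of.replace(year=as_of.year - years)
    except ValueError:
        return as_of.replace(year=as_of.year - years, day=28)


def accounting_of_disclosures(log, patient_id: str, as_of: date, years: int = 6):
    """Build the accounting for one patient.

    Keeps disclosures within the lookback window, drops TPO and
    patient-authorized disclosures, and returns the four fields the
    accounting must contain: date, recipient, description, purpose.
    """
    cutoff = lookback_cutoff(as_of, years)
    rows = []
    for d in sorted(log, key=lambda entry: entry.disclosed_on):
        if d.patient_id != patient_id:
            continue
        if not (cutoff <= d.disclosed_on <= as_of):
            continue
        if d.purpose in EXCLUDED_PURPOSES or d.patient_authorized:
            continue
        rows.append({
            "date": d.disclosed_on.isoformat(),
            "recipient": d.recipient,
            "description": d.description,
            "purpose": d.purpose,
        })
    return rows


def fee_may_apply(prior_request_dates, request_date: date) -> bool:
    """True when the patient already requested an accounting in the preceding
    12 months (assumed here to be 365 days); the first request in that period is free."""
    window_start = request_date - timedelta(days=365)
    return any(window_start < prior <= request_date for prior in prior_request_dates)


# Constructed sample log; patient IDs, recipients and dates are made up.
SAMPLE_LOG = [
    Disclosure("P-001", date(2017, 1, 10), "County Health Dept", "Case report", "public health"),
    Disclosure("P-001", date(2019, 3, 4), "Dr. Lee (referral)", "Visit notes", "treatment"),
    Disclosure("P-001", date(2021, 7, 19), "County Health Dept", "Immunization record", "public health"),
    Disclosure("P-001", date(2022, 11, 2), "Life insurer", "Full chart", "insurance", patient_authorized=True),
    Disclosure("P-001", date(2024, 5, 30), "State court", "Records per subpoena", "legal"),
    Disclosure("P-002", date(2023, 1, 10), "Research registry", "De-identified summary", "research"),
]


def demo_rows():
    """Accounting for P-001 as of 1 March 2026 on the constructed log."""
    return accounting_of_disclosures(SAMPLE_LOG, "P-001", date(2026, 3, 1))


def demo_fee_checks():
    """(request 6 months after a prior one, request 2+ years after a prior one)."""
    return (
        fee_may_apply([date(2025, 9, 1)], date(2026, 3, 1)),
        fee_may_apply([date(2024, 1, 1)], date(2026, 3, 1)),
    )


if __name__ == "__main__":
    for row in demo_rows():
        print(row)
    print("fee may apply:", demo_fee_checks())
```

On the constructed log, the 2017 entry falls outside the six-year window, the 2019 referral is a treatment disclosure, and the 2022 insurer disclosure was patient-authorized, so only the 2021 public-health report and the 2024 court disclosure appear in the accounting.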

Right to Request Restrictions

45 CFR 164.522(a)

Patients can ask to limit the use or disclosure of PHI for treatment, payment, or operations. Providers are not required to agree, with one exception.

  • Must agree if patient pays out-of-pocket in full and the disclosure is to a health plan for payment/operations
  • Agreed restrictions must be honored until terminated by the patient or provider (with notice)
  • Restriction requests should be documented even if denied

Right to Confidential Communications

45 CFR 164.522(b)

Patients can request that communications about their PHI be sent through alternative means or to alternative locations.

  • Example: "Send my appointment reminders to my work email, not my home phone"
  • Providers must accommodate reasonable requests
  • No requirement for the patient to explain why
  • Health plans must comply if the patient states disclosure could endanger them

Right to a Notice of Privacy Practices

45 CFR 164.520

Patients must receive a clear written notice of how their PHI is used, disclosed, and protected, plus an explanation of their rights.

  • Must be provided at first service encounter (or mailed if the encounter is remote)
  • Must be posted prominently in the facility and on the website
  • Must describe uses/disclosures, patient rights, and the entity's legal duties
  • 2026 update: NPPs must now include reproductive health protections

2026 Update: Expanded Access Rights

The HIPAA Privacy Rule updates effective February 16, 2026, require covered entities to include billing records in access requests and update their Notice of Privacy Practices to reflect new reproductive health protections.

The AHA Patient's Bill of Rights

The American Hospital Association first published its Patient's Bill of Rights in 1973, then replaced it with The Patient Care Partnership in 2003. These are voluntary guidelines for hospitals — not federal law. However, many states have enacted them into statute.

Right to Information

Patients have the right to receive accurate, easily understood information about their health plan, professionals, and facilities. This includes the right to know the identity of everyone involved in their care.

Right to Choose

Patients can choose their own healthcare providers and have access to emergency services when and where needed without prior authorization.

Right to Access Records

Patients may access their own medical records and request amendments. This right is now also federally protected under HIPAA.

Right to Participate in Decisions

Patients have the right to make decisions about their care before and during treatment, including the right to refuse a recommended treatment or plan of care.

Right to Respect and Non-Discrimination

Patients should receive considerate, respectful care from all members of the healthcare system regardless of race, ethnicity, national origin, religion, sex, age, disability, or source of payment.

Right to Confidentiality

Patients have the right to talk privately with healthcare providers and to have their personal health information protected. This right overlaps significantly with HIPAA Privacy Rule requirements.

Guidelines, not law — with an important caveat

The AHA guidelines are not directly enforceable by federal agencies. But many have been codified into state law, and The Joint Commission requires accredited hospitals to inform patients of their rights. If you accept Medicare/Medicaid, the CMS Conditions of Participation mandate a written patient rights document. Use our informed consent form builder to formalize these protections.

HIPAA Rights vs. AHA Bill of Rights

HIPAA and the AHA Bill of Rights overlap in areas like record access and confidentiality, but they serve different purposes and carry different weight. This comparison helps compliance officers understand which protections come from federal law versus voluntary standards. Document your approach using our HIPAA risk assessment tool.

Aspect                  | HIPAA Rights                                                              | AHA Bill of Rights
Legal status            | Federal law (enforceable by OCR)                                          | Voluntary guidelines (not directly enforceable)
Year established        | 1996 (Privacy Rule effective 2003)                                        | 1973 (replaced by Patient Care Partnership, 2003)
Scope                   | PHI privacy, access, and security                                         | Broad patient treatment, autonomy, and dignity
Applies to              | Covered entities and business associates                                  | Hospitals and healthcare facilities (voluntary)
Record access           | Federally guaranteed within 30 days                                       | Recommended as best practice
Privacy protections     | Detailed rules on PHI use, disclosure, and safeguards                     | General right to confidentiality
Right to amend records  | Yes, with formal request/response process                                 | Mentioned but no enforcement mechanism
Penalties for violation | Up to $2.19M per category per year (2026); criminal penalties possible    | No federal penalties (state laws may apply)
Informed consent        | Not directly addressed (state law governs)                                | Core principle since 1973
Non-discrimination      | Not directly addressed (other federal laws apply)                         | Explicit right to non-discriminatory care

State-Specific Patient Rights

Every state has adopted some form of patient rights law, often going beyond federal HIPAA requirements. These laws typically address informed consent, emergency care, billing transparency, and non-discrimination protections not covered by HIPAA. Multi-state practices must comply with the strictest applicable standard in each jurisdiction.

California

Health & Safety Code 1262.6

  • Right to an itemized, detailed billing statement
  • Right to language assistance and interpreter services
  • Right to refuse participation in experimental research

New York

Public Health Law 2803

  • Right to receive treatment regardless of ability to pay
  • Right to pain management as a basic human right
  • Right to designate a health care proxy

Texas

Health & Safety Code Ch. 326

  • Right to refuse transfer to another facility
  • Right to be informed of facility policies in advance
  • Right to file complaints without retaliation

Florida

FL Stat. 381.026

  • Right to receive a summary of the Patient's Bill of Rights at admission
  • Right to expect emergency procedures without delay
  • Right to know the names and roles of all caregivers

Need to check your state? The National Academy for State Health Policy maintains a database of state patient rights laws. For HIPAA-specific compliance, start with our compliance checklist.

How to Implement Patient Rights in Your Practice

Knowing the rules is step one. Building systems to consistently honor patient rights is what separates compliant practices from those facing OCR investigations. Start with a risk assessment to identify gaps, then follow this five-step implementation plan.

1. Draft Your Patient Rights Document

Combine HIPAA-required rights, state-specific additions, and AHA best practices into a single plain-language document. Avoid legal jargon where possible.

  • Start with the 6 HIPAA rights as the foundation
  • Layer in state-specific rights for your jurisdiction(s)
  • Add AHA/Joint Commission requirements if accredited
  • Include your facility's complaint process and contact info
  • Have legal counsel review before distribution

2. Train All Staff

Every staff member who interacts with patients should understand the rights document and know how to respond to common requests.

  • Include patient rights in new-hire orientation
  • Annual refresher training for existing staff
  • Role-play scenarios: record access requests, amendment requests, restriction requests
  • Document training completion in personnel files

3. Display and Distribute

HIPAA and CMS require that patients receive the Notice of Privacy Practices. Going beyond the minimum with visible posting builds trust.

  • Post in waiting rooms, exam rooms, and admission areas
  • Include in new-patient packets and on your website
  • Provide copies in the primary languages of your patient population
  • Make available in accessible formats (large print, audio)

4. Create Response Workflows

Build internal processes for handling patient rights requests so staff know exactly what to do when a request comes in.

  • Designate a privacy officer to handle access/amendment requests
  • Set calendar reminders for the 30-day response deadline
  • Create standard response templates for approvals and denials
  • Log all requests and responses for compliance documentation
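
The workflow bullets above (a designated owner, a tracked 30-day deadline, templated approvals and denials, and a log of every request) can be backed by a small request register. The following is an added example written for this guide, not code from any practice-management product; the request schema, identifiers and dates are constructed, and the deadline logic encodes the 30-day window with one 30-day extension that the Right to Access section describes.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

RESPONSE_DAYS = 30     # response window for access requests (45 CFR 164.524)
EXTENSION_DAYS = 30    # one extension of the same length is permitted
REQUEST_TYPES = {"access", "amendment", "restriction", "accounting", "confidential_communication"}


@dataclass
class RightsRequest:
    """One patient-rights request and its audit trail (constructed schema)."""
    request_id: str
    patient_id: str
    request_type: str
    received_on: date
    extended: bool = False
    responded_on: Optional[date] = None
    outcome: Optional[str] = None                 # "approved" or "denied" once closed
    history: List[Tuple[date, str]] = field(default_factory=list)

    def __post_init__(self):
        if self.request_type not in REQUEST_TYPES:
            raise ValueError(f"unknown request type: {self.request_type}")
        self.history.append((self.received_on, "received"))

    @property
    def deadline(self) -> date:
        """Due date: 30 days from receipt, plus 30 more if the extension was taken."""
        days = RESPONSE_DAYS + (EXTENSION_DAYS if self.extended else 0)
        return self.received_on + timedelta(days=days)

    def extend(self, on: date) -> None:
        """Take the single permitted extension; it must be taken inside the original window."""
        if self.extended:
            raise RuntimeError("only one extension is allowed")
        if on > self.deadline:
            raise RuntimeError("extension requested after the original deadline")
        self.extended = True
        self.history.append((on, "extended"))

    def close(self, on: date, outcome: str) -> None:
        """Record the response; denials are logged just like approvals."""
        if outcome not in ("approved", "denied"):
            raise ValueError("outcome must be 'approved' or 'denied'")
        self.responded_on = on
        self.outcome = outcome
        self.history.append((on, outcome))

    def was_late(self) -> bool:
        return self.responded_on is not None and self.responded_on > self.deadline


def requests_needing_attention(requests, today: date, warn_days: int = 7):
    """Open requests due within warn_days (or already overdue), soonest first."""
    due = [r for r in requests
           if r.responded_on is None and r.deadline - today <= timedelta(days=warn_days)]
    return sorted(due, key=lambda r: r.deadline)


def demo_queue():
    """Constructed request queue: one extended access request, one open
    amendment request, and one restriction request that was denied."""
    r1 = RightsRequest("REQ-1", "P-001", "access", date(2026, 1, 5))
    r1.extend(date(2026, 1, 20))
    r2 = RightsRequest("REQ-2", "P-002", "amendment", date(2026, 2, 10))
    r3 = RightsRequest("REQ-3", "P-003", "restriction", date(2026, 2, 20))
    r3.close(date(2026, 2, 25), "denied")
    return [r1, r2, r3]


def demo_attention(today: date = date(2026, 3, 4), warn_days: int = 7):
    """IDs of constructed requests that need attention on the given day."""
    return [r.request_id for r in requests_needing_attention(demo_queue(), today, warn_days)]


if __name__ == "__main__":
    for r in demo_queue():
        print(r.request_id, r.request_type, "due", r.deadline.isoformat(), "outcome:", r.outcome)
    print("needs attention:", demo_attention())
```

On the constructed queue, REQ-1 received on 5 January with its extension is due 6 March, REQ-2 is due 12 March, and REQ-3 is closed, so a check run on 4 March with a seven-day warning flags only REQ-1. The `history` list on each request is the compliance trail the last bullet asks for.
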

5. Review and Update Annually

Patient rights requirements change with new regulations, state laws, and facility policies. An annual review prevents drift.

  • Review after any HIPAA rule changes (like the 2026 updates)
  • Audit a sample of access/amendment requests for compliance
  • Update staff training materials to reflect changes
  • Re-post updated documents in all required locations

Printable Patient Rights Summary

Post this summary in waiting rooms and include it in new-patient packets. It combines HIPAA-mandated rights with AHA best practices in plain language patients can understand.

How to File a Patient Rights Complaint

Patients who believe their rights have been violated have multiple avenues for recourse. Practices should make this process transparent — it builds trust and reduces the chance of escalation. Include complaint procedures in your Notice of Privacy Practices.

1. Contact the facility's Privacy Officer

Every HIPAA-covered entity must designate a Privacy Officer. Start by filing an internal complaint — many issues are resolved at this level.

2. File a complaint with HHS Office for Civil Rights (OCR)

If the issue is not resolved internally, file a federal complaint within 180 days of the violation. OCR investigates all complaints.

3. Contact your state health department

Many states have their own patient rights enforcement agencies. State attorneys general can also investigate HIPAA violations.

4. Consider a private attorney

While HIPAA itself does not allow private lawsuits, state laws often do. An attorney can advise on negligence, breach of contract, or state privacy claims.

HHS Office for Civil Rights Contact

OCR Complaint Portal: www.hhs.gov/ocr/complaints
OCR Hotline: 1-800-368-1019
OCR Email: ocrmail@hhs.gov

Retaliation is prohibited

HIPAA explicitly prohibits covered entities from retaliating against patients who exercise their rights or file complaints. This includes refusing care, reducing quality of service, or intimidating the patient. Document your authorization processes to maintain a clear compliance trail.

Quick Reference: Patient Rights at a Glance

HIPAA rights (federal law)

Access, amendment, accounting of disclosures, restrictions, confidential communications, NPP. Enforced by OCR with penalties up to $2.19M (2026).

AHA rights (voluntary guidelines)

Informed consent, non-discrimination, participation in care decisions, confidentiality. Required by Joint Commission for accredited hospitals.

State rights (varies by jurisdiction)

Billing transparency, interpreter services, pain management, emergency care access. Multi-state practices must follow the strictest standard.
