Upholding Patient Rights Under HIPAA: Access, Amendment, and Deletion of PHI


The Health Insurance Portability and Accountability Act (HIPAA) is not just about safeguarding patient data; it’s also about upholding patient rights regarding their health information. One of the fundamental aspects of HIPAA is empowering patients with the right to access, amend, and even delete their Protected Health Information (PHI). This article explores how healthcare providers can facilitate these rights, ensuring compliance with HIPAA and reinforcing the trust and transparency essential in healthcare.

Facilitating Patient Access to PHI

Under HIPAA, patients have the right to access their health records. This means healthcare providers must give patients access to their PHI in a timely and convenient manner.

  1. Streamlined Access Procedures: Implement clear, efficient procedures for patients to request access to their health records. This could include online portals, written requests, or in-person inquiries [1].
  2. Timely Response to Requests: HIPAA requires that requests for access be fulfilled within 30 days (with a possible 30-day extension under certain circumstances) [2].
  3. Reasonable Cost: If any fees are charged for accessing records, they must be reasonable and cost-based.

Enabling Amendment of PHI

Patients have the right to request amendments to their health records if they believe the information is incorrect or incomplete.

  1. Amendment Request Process: Establish a process for patients to request amendments to their PHI. This should include a review process to determine whether the amendment is warranted.
  2. Notification of Amendments: If an amendment is made, inform the patient and, where applicable, others who have the incorrect or incomplete information.

Facilitating the Deletion of PHI

While HIPAA does not generally provide the right to have PHI deleted, there are certain circumstances under which a patient can request the deletion of their information.

  1. Understand Deletion Circumstances: Be aware of the specific situations under HIPAA where deletion requests may be applicable, such as in the case of unauthorized acquisition, access, use, or disclosure of PHI [3].
  2. Deletion Procedures: If a deletion request is valid, have procedures in place to securely and effectively remove the PHI from your records.


Facilitating patient rights under HIPAA is a critical aspect of healthcare practice. By ensuring patients have access to, can amend, and, in certain cases, delete their PHI, healthcare providers not only comply with legal requirements but also empower patients in their healthcare journey. Upholding these rights is fundamental to building a healthcare environment based on trust, respect, and patient-centered care.


  1. U.S. Department of Health & Human Services. (n.d.). Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
  2. U.S. Department of Health & Human Services. (n.d.). Your Rights Under HIPAA. https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
  3. U.S. Department of Health & Human Services. (n.d.). Breach Notification Rule. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html