Effective Date: August 1, 2013 Revised: November 1, 2018

HIPAA Policies for Healthcare Providers at Covered Components: Policy 6, Individuals’ Rights under HIPAA

Responsible Office: Research Compliance

This Policy 6 is part of the HIPAA Policy Manual: Privacy and Security of Protected Health Information for BU Healthcare Provider Covered Components.

6.1 Right to Notice of Privacy Practices

Forms for each of the rights described in this section are available at
Notice of Privacy Practices

Patients have the right to be informed of the uses and disclosures of their PHI that may be made by the Covered Component, and of their rights and the Covered Component’s responsibilities under HIPAA.  To this end, each Covered Component is required to have a Notice of Privacy Practices (“NPP”) approved by the BU HIPAA Privacy Officer.  Under Massachusetts law, Covered Entities must include in their NPP a notice of the Covered Component’s records retention and destruction policy for its medical records.

Posting the NPP

The NPP must be posted in an area where patients will see it.

If the services of the Covered Component are described on any website, the Covered Component shall also ensure the approved NPP is prominently posted on the Covered Component’s website.

Providing NPP to Patients

The Covered Component must provide a copy of its NPP to patients no later than the first date the Covered Component provides health services to the individual.

  1. If the first contact with the individual is electronic, notice must be furnished contemporaneously with the electronic transmission.
  2. If the first contact with the individual is via telephone, the Notice must be provided upon the first service delivery date.
  3. If it is impossible or impracticable to provide the Notice due to an emergency situation involving the individual, the Covered Component may provide the NPP as soon as reasonably practicable after the emergency situation has passed.

The Covered Component must make a good faith effort to obtain written acknowledgement from the individual of his/her receipt of the NPP.  If the Individual declines to sign the acknowledgment for any reason, the Workforce member who offered the NPP shall document that s/he offered it, and that the Individual declined to sign.  The Acknowledgment form shall be placed in the Individual’s medical record.

In addition, Covered Components must make copies of the NPP available to any Individual who requests one at any time.

6.2 Right to Access and Copy Own Health Record

Except in limited circumstances described below, individuals have the right to access, inspect and receive a copy of PHI about them in the Covered Component’s Designated Record Set.

Use of Authorization Form

A written request is not legally required in order to provide copies of the Designated Record Set, in whole or in part, to a patient seeking his/her own information.  However, a written request on BU’s approved Authorization form allows the Covered Component to ensure that it is providing what the individual wishes to have and is doing so in a timely manner.

Approved Authorizations are found at

When a complete medical record is requested, the Covered Component should refer to its Designated Record Set procedure to ensure that all documents subject to disclosure are provided.

Time Period to Respond and Provide Access

Requests for records for the purpose of a claim or appeal under any provision of the Social Security Act or any federal or state financial needs-based benefit program must be furnished within 30 days pursuant to Massachusetts law, without any extension of time.

All other requests should be fulfilled as soon as practicable.  If the Covered Component is not able to provide the requested records or respond to the request within 30 days, the Covered Component shall contact the BU HIPAA Privacy Officer and the BU HIPAA Privacy Officer may provide the Individual written notification of the reasons for the delay and the expected date of fulfilling the request.

Format of Records

The Covered Component shall provide the information requested in the format requested by the individual, if reasonably possible.  The BU HIPAA Security Officer is available to advise on producing PHI in an electronic format.  The Covered Component shall contact the BU HIPAA Privacy Officer in the event it is not able to accommodate the individual’s preferred format.

Inspection or Summary in Lieu of Copies

If the individual requests inspection of the records rather than a copy, the Covered Component shall arrange for a mutually convenient time and place for the individual to inspect the Designated Record Set.

The Covered Component may provide an individual with a summary or an explanation of the PHI requested, in lieu of providing access to the PHI, if the individual:

  • agrees in advance to the summary; and
  • agrees in advance to any fees imposed (if any) by the Covered Component for preparation of the summary.

Clarification of Request Permitted

The Covered Component may discuss the scope, format, and other aspects of the request for access with the individual, as necessary to facilitate the timely provision of access or copies.

Charges for Copies

  1. No fee may be charged to a patient who requests his/her record for the purpose of supporting a claim or appeal under any provision of the Social Security Act or any federal or state financial needs-based benefit program.
  2. Covered Components will document in their procedures whether they will charge for other copies. Any charges must comply with the following:

Electronic copies: Covered Components may charge a flat fee of $6.  If a Covered Component receives a request for an electronic copy of a record that will entail an unusual amount of work, the HIPAA Contact shall contact the BU HIPAA Security Officer for guidance;

Paper copies: Covered Components may not charge a flat fee for paper copies. Any charges must be reasonable and based on the labor and supply costs of copying.

When Requests for PHI May be Denied

Grounds for Denial:

The Covered Component may deny an individual access to PHI in certain limited situations. Before denying access or copies, the Covered Component shall notify the BU HIPAA Privacy Officer, who will assist in ensuring the Covered Component fulfills its obligations under HIPAA, including written notification to the individual of the Covered Component’s decision.

Unreviewable Grounds for Denial:

The Covered Component may deny an individual access, in whole or in part, without providing the individual an opportunity for review, in the following circumstances:

  • Records requested are not in the Designated Record Set (e.g., Psychotherapy Notes);
  • The individual is an inmate, care was provided in the penal institution, and the information requested could jeopardize the health, safety, security, custody or rehabilitation of the inmate or others;
  • The individual has consented to participate in a clinical research project and the requested information is restricted during the course of the research; and
  • Information requested was obtained from someone other than a healthcare provider under a promise of confidentiality (for example, if the healthcare provider documented in the record concerns and information provided by a family member of the individual after a promise of confidentiality).

Reviewable Grounds for Denial:

Denials of access based on reasons listed below are subject to review by a licensed healthcare professional who was not involved in the original decision to deny access, upon the written request of the individual. Reviewable grounds for denial include:

  • Denials made by a licensed health care professional who has determined that the access requested is likely to endanger the life or physical safety of the individual or others;
  • PHI that makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the patient’s access to that information is reasonably likely to cause substantial harm to such other person; or
  • Denial of a request for access made by the individual’s personal representative when a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

Procedure when Request Is Denied

The Covered Component and BU HIPAA Privacy Officer shall notify the individual in writing of the denial, including:

  • An explanation/reason for the denial; and
  • A statement of the individual’s rights and instructions on:
    • How to request a review by a licensed health care professional (if applicable);
    • Filing a complaint with the Covered Component’s HIPAA Contact; and
    • Filing a complaint with the United States Secretary of Health and Human Services.

In the case of denials subject to review, if an individual submits a written request for a review, the Covered Component shall:

  • Designate a licensed health care professional who did not participate in the original decision to deny access as the reviewing official.
  • Ensure review by the reviewing professional within a reasonable period of time.
  • Promptly provide written notice to the individual of the determination of the reviewing professional, and take other action as required.

6.3 Right to Request Amendment

Patients have the right to request in writing that PHI in a Covered Component’s Designated Record Set be amended. Note the patient does not have an unqualified right to amend, but has a right to request, and the Covered Component must consider the request as described below.

Procedure for Individual to Request Amendment

An individual who desires an amendment must provide the Covered Component a written statement identifying the portions of the record s/he considers inaccurate or incomplete, and the substitute or additional information s/he wishes to be added to the record. The individual may use BU’s approved form (see or may provide a substantially similar written request.

Covered Component’s Response to Request

Upon receiving a Request to Amend, the Covered Component’s HIPAA Contact shall review it. If the request is to correct demographic information or any information that originally came from the individual and which the individual says was recorded inaccurately, the HIPAA Contact, in his/her judgment, may make the correction. Examples include correcting spellings, ethnicity, date of birth and similar matters.

Any requests to amend information entered in the record by a treating health care provider (e.g., diagnosis; prognosis; history of condition; etc.) shall be forwarded to that provider and to the BU HIPAA Privacy Officer.  The treating healthcare provider who made the entry will determine whether to allow the amendment.  The request to amend may be denied if the original record is accurate.

The decision to grant or deny a request to amend should be made within 60 days of the request.  If after 30 days the Covered Component has not been able to make a decision, it should contact the BU HIPAA Privacy Officer.

When the Covered Component Grants the Request to Amend

Within 60 days of receipt of the written request to amend, the Covered Component shall notify the individual that it has accepted the request, and shall make the change requested to the medical record, as follows:

Paper Record: Amendments will be made by drawing a single line through the original entry in such a way that the original entry remains legible. Where the entry has been changed the word “amendment” should be clearly printed at the incorrect entry, the correct information shall be entered, and the Covered Component staff person making the change should initial and date the correction.

Electronic Record: The Covered Component may make electronic corrections in such a way as to make it clear that an entry is being corrected, noting the person making the correction and the date of correction.

In addition to notifying the individual and making the change, the Covered Component should determine whether the information subject to the amendment has been disclosed to anyone outside of the Covered Component who may have had reason to rely on the amended information, and if so, shall forward the amended entry to those recipients.

When the Covered Component Denies the Request to Amend

Before denying a request to amend, the Covered Component must consult with the BU HIPAA Privacy Officer.  The request to amend may be denied when the information to be amended:

  • is not part of the Covered Component’s Designated Record Set;
  • is accurate and/or complete; or
  • was not created by the Covered Component (unless the individual can provide reasonable evidence that the originator of the PHI is no longer available to act on the amendment request, in which case the Covered Component may include the individual’s statement of Amendment in its record).

The Covered Component must notify the individual of its decision, in plain language, including the following:

  • the reason for denial;
  • the individual’s right to submit a statement disagreeing with the denial and how the individual may file such statement;
  • the individual’s right to ask that the original amendment request and denial be attached to any future disclosures of the information; and
  • how to file a complaint with the Covered Component and/or the Secretary of Health and Human Services about the denial.

The completed Request for Amendment in Medical Record Form, the Covered Component’s Response and any statement of disagreement will be filed in the individual’s record.

6.4 Right to an Accounting of Disclosures

Patients have the right under HIPAA to request an Accounting of disclosures of their health information, and Covered Components have the obligation to fulfill such requests by following the procedures in this Policy.

Covered Components should contact the HIPAA Privacy Officer if any Request for Accounting is received.

What is in an Accounting?

The Accounting includes disclosures made without the individual’s Authorization within the 6-year period prior to the date of the request, or such shorter period as the Individual may request.

Examples of disclosures included in an Accounting:

  • Disclosures made for public health reporting;
  • Disclosures made to government entities or law enforcement; and
  • Disclosures for research purposes;
    • If the research involves 50 or more individuals, the Accounting may provide only the following information:
      • Name of the research protocol;
      • Description of research activity;
      • Type of PHI disclosed;
      • Period of time during which disclosure was made; and
      • Contact information for the research sponsor and the researcher who received the information.

The following are excluded from an Accounting:

  • Disclosures for treatment, payment or health care operations;
  • Disclosures made to the individual (or authorized personal representative of the individual) who is the subject of the PHI;
  • Disclosures made pursuant to a valid Authorization;
  • “Incidental” disclosures, i.e., an unintended disclosure during the course of a permitted use or disclosure;
  • Disclosures made to family members and friends involved in the individual’s care;
  • Disclosures made for national security or intelligence purposes;
  • Disclosures to correctional institutions, or custodial law enforcement officials;
  • Disclosures made more than 6 years before the request for Accounting; and
  • Disclosures made as part of a Limited Data Set in accordance with a Data Use Agreement when used solely to disclose a subset of information for research, public health or health care operations.

How the Individual Makes a Request for an Accounting

Requests for an Accounting of disclosures of PHI must be made in writing to the Covered Component.  The Individual may use the “Request for an Accounting of Disclosures” form or may provide substantially the same information in another writing. The Covered Component should consult with the BU HIPAA Privacy Officer on any request for Accounting.

Time to Respond

The Covered Component must respond by providing the Individual an Accounting in writing within 60 days of the request.  If after 30 days it appears the Accounting may take longer, the BU HIPAA Privacy Officer may notify the individual in writing of the reason for the delay, and/or may extend the time to provide the Accounting of Disclosures by an additional 30 days.

Information about Each Disclosure in Accounting

The following elements must be included for each disclosure listed on the Accounting of Disclosure:

  1. Date of disclosure;
  2. Receiving party, and address, if known;
  3. Description of PHI disclosed;
  4. A brief statement of the purpose of the disclosure;
  5. If multiple disclosures were made to the same entity for the same purpose, the Covered Component must identify the number of times the disclosure was made and the date of the last such disclosure; and
  6. Disclosures made by the Covered Component’s Business Associates, if made for purposes other than treatment, payment or health care operations (e.g., if a Business Associate responded to a subpoena for PHI of the Individual).

Accounting for disclosures made for research involving 50 or more individuals

When disclosures are made for research involving 50 or more individuals, the Accounting of Disclosures may be limited to providing to the individual the following information:

  • The name of the research protocol or other research activity;
  • A description of protocol or activity including purpose of research and criteria for selecting particular records;
  • A brief description of the type of PHI that was disclosed;
  • The date or time period during which disclosures occurred including date of last such disclosure;
  • Information about the entity that sponsored the research and about the researcher to whom the information was disclosed; and
  • A statement that the PHI may or may not have been disclosed for a particular protocol or other research activity.

Tracking Disclosures for Accounting Purposes

In order to be prepared to fulfill a request for Accounting, the Covered Component must track all disclosures of an individual’s PHI in the Designated Record Set that may be required in an Accounting.

Charge for Providing an Accounting of Disclosures

The Covered Component may not charge an individual requesting an Accounting of Disclosures for the first Accounting in a 12-month period. The Covered Component may charge a reasonable fee for subsequent requests in the same 12-month period.

Each Covered Component shall document its procedure on fees for an Accounting.

Denial Due to Special Circumstances

The Covered Component must temporarily suspend an individual’s right to receive an Accounting of disclosures to a health oversight agency or law enforcement official if such agency or official provides the Covered Component with a written statement that providing such an Accounting to the individual would impede the agency’s or official’s activities and specifying the time for which such suspension is required.

If the agency or official makes such a request orally, the Covered Component must document the statement including the name of the agency and official making the statement and must temporarily suspend the individual’s right to an Accounting of any disclosures made to such agency in accordance with the statement. Temporary suspensions may be allowed for a period not to exceed thirty (30) days from the date of an oral request; if the agency or official submits a written request for a suspension for a period longer than 30 days, the Covered Component shall comply.

6.5 Right to Request Restriction

Types of Restrictions Available

Patients have the right to request a restriction on uses and disclosure of their PHI. Typical requests include asking the Covered Component to not share any information, or a certain type of information, with a family member or friend of the Individual, which should be granted in most circumstances. The Covered Component should endeavor to accommodate all reasonable requests but should not agree to a restriction if it is not feasible to comply with it.

All requests for restriction shall be forwarded to the Covered Component’s HIPAA Contact, who must consult the BU HIPAA Privacy Officer before denying. The Covered Component should inform the Individual in writing of its decision.

An Individual may make a request for a restriction either in writing or orally. If an oral request is made, the Covered Component should document the request in the medical record.  A form is available for requesting the restriction, but its use is optional.  The Individual does not need to explain the reason for the request.

HIPAA recognizes that Individuals may wish to obtain specific health care services without informing their health care insurers. To that end, the following restriction must be accepted and implemented by the Covered Component:

  • A request that the Covered Component not send specific information to the Individual’s health care insurer, if the Individual has paid for the service in full without recourse to that insurance.

The following uses and disclosures may not be restricted:

  • All information must be available to provide treatment to the individual for emergency treatment purposes; if the Covered Component provides restricted information to another healthcare provider for emergency treatment purposes, the Covered Component shall request that the health care provider not further disclose the information;
  • Uses and disclosures for which an Authorization or opportunity to agree or object is not required, such as in the cases of national security, public health activities, law enforcement, victims of abuse, neglect or domestic violence, and research (see Policy 4 Non-Routine Uses and Disclosures of PHI without Authorization, Section 4.1: Non-Routine Disclosures of PHI Permitted or Required by Law without Patient Authorization); and
  • Disclosures required by the Secretary of the Department of Health and Human Services to investigate or determine compliance with HIPAA.

Terminating a Restriction

The Covered Component may terminate a restriction in the following circumstances:

  • If the Individual requests and agrees to the termination in writing;
  • If the Individual agrees to the termination orally and the oral agreement is documented; or
  • If the Covered Component informs the Individual that it is terminating its agreement to a restriction, except that such termination is only effective with respect to PHI created or received after the Covered Component notifies the Individual of the termination.

The Covered Component may not terminate a restriction on disclosing information to the individual’s insurance company when the individual has paid for the services in full.

6.6 Right to Request Confidential and Alternate Modes of Communications

Individuals have the right to request that Covered Components communicate with them by an alternative means (e.g., written, electronic or oral) or at an alternative location (e.g., work, school or home). Requests should be submitted by the Individual in writing. A form is available for this purpose.  The Individual is not required to provide a reason for the request.

Examples of alternate communication requests:

  • Patient receives all dental care at GSDM Dental Center and bills are routinely sent to his home.
  • Patient requests cosmetic services and requests that communications and billing on those services be sent to a PO Box.

Non-Secure Email/Text Requests

The Covered Component Workforce must use only the secure email system when communicating electronically with patients, and may not initiate, suggest or recommend non-secure email or text communications involving PHI.

However, if a patient requests communication via non-secure email or text message, the Covered Component shall do the following:

  • Ensure the patient understands there is an option for secure email communication;
  • If the patient still requests non-secure email or text message communication, the Covered Component must document the request by having the patient sign a Request for Non-Secure Email/Text Communication form or by otherwise documenting his/her understanding that non-secure email or text may be intercepted. An email from the patient stating this is acceptable.

If a Workforce member receives a non-secure email or text from a patient, s/he should respond by sending a new message (DO NOT REPLY, to avoid re-publishing any identifiable health information sent by the patient in the initial message):

Thank you for contacting me. [Covered Component] has a policy of not communicating with patients via regular email or text because they are not considered secure, and communications may be intercepted. We use DataMotion, an encrypted email program, to communicate securely.  Please reply to tell me your preference:

  • to continue this correspondence via DataMotion or
  • to continue using non-secure email or text despite the possibility of interception.

Accepting/Denying Other Requests

The Covered Component must consider any request to receive communications by an alternative means and make reasonable attempts to accommodate the request.  However, the Covered Component should not agree to any request it cannot reasonably implement.  Before denying any such request, the Covered Component’s HIPAA Contact must consult with the BU HIPAA Privacy Officer.

Upon acceptance/denial of such a request, the Covered Component will inform the Individual of its decision.  If any Business Associate of the Covered Component may communicate with the Individual requesting a restriction, the Covered Component must inform that Business Associate.

6.7 Right to Complain

Covered Components must provide a process for their patients to make complaints if they believe their information privacy or security rights have been violated. The Covered Component may not retaliate against any patient who makes such a complaint.


BU EthicsPoint

Anyone, including patients, staff and others, wishing to make a confidential report about a possible privacy breach may do so at BU’s confidential hotline, EthicsPoint.  Alternatively, a report may be made by telephone at 866-294-8451.

Resolution of Complaint

The BU HIPAA Privacy Officer and HIPAA Contact will endeavor to satisfy the patient’s concerns.  If the BU HIPAA Privacy Officer finds no violation, s/he will notify the Individual in writing.

If the BU HIPAA Privacy Officer finds merit in the complaint after consultation with the Covered Component HIPAA Contact, s/he will notify the Individual of the findings and a proposed resolution to address harm, if any, to the Complainant.  If investigation of the Complaint indicates a Workforce member has violated or contributed to a violation of these policies or of the law, disciplinary action will occur (see Policy 7 Breaches, Section 7.5: Enforcement and Sanctions).