The Federal Health Insurance Portability And Accountability Act (“HIPAA”) and its related Rules serve to safeguard the privacy and security of Protected Health Information (PHI). Examples of PHI include information that a doctor or health care provider places in your medical or billing records. HIPAA’s requirements apply to health care providers, health insurance plans, and health care clearinghouses, as well as to any third parties hired by these entities if the third party will have access to PHI.
The Texas Medical Records Privacy Act (“TMRPA”) and the Texas Identity Theft Enforcement and Protection Act (“ITEPA”) also serve to safeguard the privacy and security of patient information.
Read more about HIPAA:
- Department of Health and Human Services
- Texas Medical Records Privacy Act
- Identity Theft Enforcement and Protection Act
Overview Of Patient Privacy Rights
This overview is for informational purposes only and is not legal advice. Please consult your attorney if you have specific legal questions. Texas law prohibits the Office of the Attorney General from providing legal advice, opinions, or representation to private individuals.
State and federal laws give individuals certain rights, including:
- The right to ask to review and obtain a copy of health records from most providers (and health care plans).
  - Most providers and plans have a form a patient can use to request records.
  - Providers and plans are permitted by law to charge for the reasonable costs of copying and mailing records but may not charge a retrieval fee.
  - In limited cases, such as if the provider believes that information in the file may endanger the patient, the patient may not be able to obtain all information.
  - If the provider has an electronic health records system capable of fulfilling the request, the requested records must be provided to the patient no later than the 15th business day after the written request is submitted.
- The right to request that health records be corrected or amended.
  - The provider or health plan must respond to a patient’s request to correct or amend health records. If they do not agree with requested corrections, the provider or health plan must notify the patient of that decision in writing and explain why the request was denied. A patient then has the right to submit a statement of disagreement that the provider or plan must add to the medical record.
- The right to limit the use or sharing of protected health information for marketing purposes. In general:
  - If PHI is used or disclosed to send a marketing communication through the mail, that mailing must include the name and toll-free number of the entity that sent the marketing communication, along with an explanation of the patient’s right to be removed from the sender’s mailing list.
  - PHI cannot be used or shared for marketing communications like sales calls or advertising without the patient’s prior written authorization. Certain exceptions apply to this, including face-to-face communications between a provider and an individual.
- The right to know how PHI will be used and shared. In general:
  - A provider must provide the patient with written notice of the uses and disclosures of PHI and, in the event that the PHI is improperly accessed or breached, must provide the patient with notice of that event.
  - A patient’s permission is not required if the sharing of PHI is related to treatment and care coordination, payment, health care operations, or performing certain insurance or health care maintenance organization functions, as well as to make required reports to the police and to protect the public health.
- The right to be notified of a data breach if the information breached identifies an individual and relates to that individual’s physical or mental health condition, the provision of health care or payment for health care.
File a Medical Privacy Complaint
File a complaint regarding patient privacy and medical record issues:
- With the Texas Attorney General’s Consumer Protection Division.
- With the Texas agency that regulates the entity or person that you are complaining about. Review a list of those agencies.
- With the federal U.S. Department of Health and Human Services - Office of Civil Rights (OCR). The OCR accepts complaints electronically at its complaint portal website.