A plain-English guide to HIPAA, informed consent, emergency care rights, how to access your records, and what to do when your rights are violated.
The Health Insurance Portability and Accountability Act (HIPAA) gives you powerful control over your health information. Most people have heard of HIPAA but don't know what it actually lets them do.
You have the right to inspect and obtain a copy of your medical records and other health information at any time. Providers must provide access within 30 days of your request (with one possible 30-day extension). You can ask for electronic records in a format you can actually use.
If you believe your health information contains an error, you have the right to request an amendment. The provider can deny the request only if the record was not created by them, or if it is accurate and complete. Even if denied, you can add a statement of disagreement to your file that becomes part of your record.
You can request an accounting of disclosures — a list of who your provider has shared your health information with (other than for treatment, payment, and routine operations). Providers must track and provide this list going back 6 years. This is how you find out if your records were shared inappropriately.
You can ask your provider to restrict who they share certain information with. For example, you can request that information about a specific treatment not be shared with your health plan if you paid for it out of pocket in full. Providers must agree to restrictions on sharing with your health plan if you pay privately.
You can ask your provider to contact you in a specific way — for example, by email only, or at a specific phone number. You might want this if you're concerned about other household members seeing your mail or overhearing voicemail. They must accommodate reasonable requests.
HIPAA only applies to covered entities: healthcare providers, health plans, and healthcare clearinghouses. It does not apply to your employer (asking about symptoms), apps, life insurance companies, or businesses that aren't in healthcare. It also doesn't stop providers from sharing records with other providers treating you.
Every healthcare provider must give you a written Notice of Privacy Practices when you first see them. This document explains exactly how your information will be used and who it can be shared with. Ask for it if you didn't receive one — they're required to provide it on request. It must also be posted prominently in their office and on their website.
HIPAA complaints must be filed with HHS Office for Civil Rights within 180 days of when you knew (or should have known) about the violation. Some states have longer windows — but don't wait. See Section 6 for how to file.
Informed consent is one of the most fundamental rights in medicine. No provider can perform a procedure or begin a treatment without your voluntary, informed agreement. Here's what that really means.
For consent to be valid, your provider must explain: the diagnosis, the proposed treatment and what it involves, the expected benefits, the material risks and side effects, alternatives (including doing nothing), and what happens if you refuse. This must be in a language you understand.
You have the absolute right to refuse any medical treatment, even life-saving treatment, as long as you are a competent adult who understands the consequences. This is true even if your family disagrees. Sign an Against Medical Advice (AMA) form if asked — this protects both you and the provider.
You can change your mind and withdraw consent at any point — before a procedure begins, and sometimes even during (if stopping is medically safe). Tell the provider verbally and in writing if possible. You do not need to justify your decision to anyone.
If you're at a teaching hospital, you have the right to refuse being examined by medical students or residents. If you're asked to participate in research or clinical trials, this requires separate, detailed informed consent — and you can withdraw at any time without affecting your regular care.
In most states, you have specific rights around psychiatric treatment and medications. Providers generally cannot force psychiatric medication on competent patients. If you're hospitalized involuntarily, you usually still retain the right to refuse medication (a court hearing may be required to override this).
Emergency doctrine allows treatment without consent when you are unconscious or incapacitated and immediate action is needed to save your life. If you want to direct care in emergencies, create an advance directive (living will) and designate a healthcare proxy while you are able.
Never feel rushed to sign a consent form. You have the right to take time to read it, ask questions, and consult with a trusted person. If a form contains something you don't agree to, you can cross it out before signing. Ask for a copy of everything you sign — you're entitled to keep one.
Before agreeing to any significant procedure or treatment, get clear answers to these questions:
Write the answers down or ask to record the conversation. You can't give informed consent without informed answers.
The Emergency Medical Treatment and Labor Act (EMTALA) guarantees your right to emergency care regardless of your ability to pay, insurance status, or citizenship. No hospital with an emergency department can turn you away.
Any hospital that receives Medicare funding (nearly all U.S. hospitals) must provide a medical screening exam to anyone who comes to the emergency department with an emergency medical condition, regardless of ability to pay. If an emergency condition exists, they must stabilize you before transferring or discharging you.
Every ED patient must receive a medical screening exam (MSE) to determine whether an emergency medical condition (EMC) exists. This cannot be delayed to ask about payment, insurance, or immigration status. Asking about payment before completing the MSE is an EMTALA violation.
If an emergency medical condition is found, the hospital must stabilize you before transferring you to another facility. A transfer can only happen if you request it, a physician certifies the benefits of transfer outweigh the risks, or the receiving hospital has agreed to accept you and has the capacity to treat you.
EMTALA has specific protections for pregnant patients in active labor. A hospital cannot transfer or discharge a woman in active labor unless the transfer is at the patient's request, the physician certifies the benefits outweigh risks, or the delivery poses no threat to the woman or unborn child. "Active labor" includes contractions.
EMTALA defines an EMC as a condition that without immediate medical attention could reasonably result in placing your health in serious jeopardy, serious impairment of bodily functions, or serious dysfunction of a body organ. This is a broad standard intentionally — courts have interpreted it to include severe pain, psychiatric emergencies, and substance withdrawal.
Red flags that may indicate an EMTALA violation:
What to do: If you believe EMTALA was violated, report it to the Centers for Medicare & Medicaid Services (CMS) at 1-800-638-0742, or file a complaint online at cms.gov. The hospital can face up to $119,942 per violation in civil monetary penalties.
EMTALA ensures you receive emergency care regardless of ability to pay. It is about the obligation to treat.
The No Surprises Act (2022) addresses what you're billed after emergency care. It protects you from surprise bills from out-of-network providers when you receive emergency care or when you receive non-emergency services at an in-network facility from an out-of-network provider without notice and consent.
Together, these laws mean: the hospital must treat you in an emergency, and they cannot hit you with an out-of-network bill for that emergency care. If you receive a surprise bill that violates the No Surprises Act, dispute it using the federal process at cms.gov/nosurprises.
Your medical records belong to the provider, but the information in them belongs to you. Under HIPAA's Right of Access rule, getting your records is simpler — and cheaper — than most people think.
days maximum wait for your records (one 30-day extension allowed with notice)
for electronic records sent to you via email, patient portal, or electronic media
records retention requirement under HIPAA (states may require longer)
to file a complaint with HHS OCR if your request is denied or ignored
Providers may charge a reasonable, cost-based fee for records — but only for:
They cannot charge for:
Many states have additional fee caps. California, for example, caps fees at 25 cents per page for paper copies. If you're charged an excessive fee, file a complaint with your State Department of Health or HHS OCR.
Pro tip: If you need records to share with another provider or for an appeal, request that they be sent directly to that provider — this is often free under HIPAA's treatment exception.
There are very limited circumstances where a provider may deny access:
Illegitimate denials include:
If you receive a denial, ask for the reason in writing. If the denial is not on the legitimate list above, file a complaint with HHS OCR.
Federal law prohibits discrimination in healthcare on the basis of race, color, national origin, sex, age, and disability. You have the right to be treated equally — and to receive care you can actually understand.
Section 1557 of the Affordable Care Act prohibits discrimination in health programs receiving federal financial assistance. This covers nearly all hospitals, clinics, insurers, and health plans. It prohibits discrimination based on race, color, national origin, sex (including pregnancy, gender identity, and sexual orientation), age, and disability.
Healthcare providers are places of public accommodation under the ADA. They must provide reasonable accommodations for patients with disabilities — including accessible facilities, alternative communication formats (Braille, large print, audio), and auxiliary aids like sign language interpreters. Denying care because of a disability is illegal.
If English is not your primary language, you have the right to a qualified interpreter at no cost under Title VI of the Civil Rights Act and ACA Section 1557. This applies to spoken interpretation and written translation of vital documents. Providers cannot require you to bring your own interpreter or use a minor child as interpreter for clinical discussions.
Discrimination in healthcare based on race or color violates Title VI of the Civil Rights Act, Section 1557, and many state laws. This includes both overt discrimination and implicit bias that leads to worse care — such as undertreating pain in Black patients, or dismissing symptoms without adequate evaluation. You have the right to equitable, evidence-based care.
Under Section 1557, discrimination based on sex includes discrimination based on pregnancy, sex stereotyping, gender identity, and sexual orientation. Healthcare providers cannot refuse to treat you, provide lesser care, or treat you with disrespect because of your gender identity or sexual orientation. This extends to insurance coverage decisions.
The Age Discrimination Act of 1975 prohibits age-based discrimination in health programs receiving federal funding. This means providers cannot withhold treatments solely because of your age, make assumptions about the quality of life worth preserving, or provide different quality care to older patients. ACA Section 1557 reinforces these protections.
If you need a language interpreter, request one before your appointment. The provider must arrange it at no charge. If they refuse, offer a family member instead, or say their staff can "get by," this may violate your federal rights. You can file a complaint with HHS Office for Civil Rights.
When your rights are violated, there are multiple pathways to accountability. These agencies are free to use, and providers take regulatory complaints seriously — especially when they risk losing Medicare/Medicaid funding.
The HHS Office for Civil Rights handles complaints about:
How to file:
Complaints can be filed anonymously. OCR will notify the organization and investigate. Penalties for HIPAA violations can reach $1.9 million per violation category per year for willful neglect.
Your state medical board licenses and disciplines physicians. File a complaint with the medical board when:
How to find your state medical board: Search "[your state] medical board complaint" or visit the Federation of State Medical Boards at fsmb.org/licensure for a directory of all state boards.
The board can issue warnings, require remedial education, suspend, or revoke a physician's license. These complaints become part of the public record and can affect the physician's future employment.
Your state's Department of Insurance regulates health insurance companies. File a complaint when:
How to find your state insurance commissioner: Search "[your state] Department of Insurance complaint" or visit the National Association of Insurance Commissioners at naic.org for links to every state's commissioner.
State insurance commissioners can fine insurers, require claims to be paid, and revoke operating licenses. Filing a complaint also creates a regulatory record that strengthens any future legal action.
CMS handles complaints about hospitals and providers who violate federal law, including:
How to file:
For suspected Medicare fraud, you can also contact the OIG Hotline: 1-800-HHS-TIPS (1-800-447-8477).
The Joint Commission accredits and certifies healthcare organizations. They investigate serious quality and safety complaints about accredited hospitals, including:
How to file: Visit jointcommission.org/resources/patients-and-consumers/report-a-patient-safety-event to submit a concern online. This is separate from regulatory complaints but can prompt inspections that lead to corrective action.
Note: The Joint Commission does not conduct independent investigations — they review your concern and decide whether to include it in their next scheduled or unannounced survey of the facility.
You don't have to choose one agency. File with HHS OCR, your state medical board, and your state insurance commissioner simultaneously. Each agency has different jurisdiction and different powers. Multiple complaints signal seriousness and create multiple accountability pathways. Keep copies of every complaint submission and all correspondence.
Free resources from official government agencies and nonprofit patient advocates. Bookmark these — they're your direct lines to help.
File HIPAA complaints, discrimination complaints, and language access violations. The primary federal enforcer of patient privacy rights.
EMTALA complaints, Medicare and Medicaid concerns, hospital safety and quality standards, No Surprises Act disputes.
Plain-language explanations of your rights under the ACA, including appeals, preventive care, and coverage protections.
For disability discrimination in healthcare settings, ADA accommodations, and accessibility complaints.
Report suspected Medicare or Medicaid fraud, waste, or abuse. Confidential. Whistleblower protections apply.
Free case management for patients with chronic, life-threatening conditions dealing with insurance denials, billing disputes, and access to care. Staffed by professional case managers.
Free, unbiased counseling for Medicare beneficiaries and their families. Trained counselors help with Medicare rights, appeals, and billing issues in every state.
Policy arm of the Patient Advocate Foundation. Provides patient rights education, tracks state and federal legislation affecting patients.
Directory of all 70 state medical and osteopathic boards. Use to find your state's board and look up physician disciplinary actions and license status.
Directory of all state insurance commissioners. Use to find your state's complaint portal and check insurer complaint history.
Every state has its own Department of Health, Department of Insurance, and medical board with enforcement powers that often exceed federal minimums. Search "[your state] patient rights" or "[your state] health insurance complaint" to find agencies specific to where you live. Some states have dedicated patient rights advocates within the state government who can intervene directly with providers and insurers on your behalf — free of charge.
Knowing your rights is the first step. Use our letter builder to act on them — for HIPAA requests, complaints, or anything else the healthcare system throws at you.