Learn about your rights to the privacy and security of your health information.

The Office of the Attorney General understands that your medical and health information is deeply personal and that a failure to protect it potentially exposes you to medical identity theft. The federal Health Insurance Portability and Accountability Act (HIPAA) and the Texas Medical Records Privacy Act (TMRPA) serve to help you protect your personal health information (PHI).

Under HIPAA and TMRPA, you have the following patient privacy rights:

  • Right to know how your PHI will be used and shared. In general:
    • A provider must give you written notice of the uses and disclosures of your PHI and, in the event that your PHI is improperly accessed or breached, must provide you notice of that event.
    • Your permission is not required if the sharing of your PHI is related to your treatment, payment, health care operations or performing certain insurance or health care maintenance organization functions.
  • Right to ask to review and obtain a copy of health records from most providers (and health care plans). Be aware:
    • Most providers and plans have a form you can use to request your records.
    • Providers and plans are permitted by law to charge for the reasonable costs of copying and mailing your records but may not charge a retrieval fee.
    • In limited cases, such as if your provider believes that information in the file may endanger you, you may not be able to obtain all of your information.
    • If the provider has an electronic health records system capable of fulfilling the request, your records must be provided to you no later than the 15th business day after you submit your written request.
  • Right to request that your health records be corrected or amended. Be aware:
    • Once you have made such a request, the provider or health plan must respond and, if they do not agree with your requested corrections, must notify you in writing and explain why your request was denied. You have the right to submit a statement of disagreement that the provider or plan must add to your record.
  • Right to limit the use or sharing of your protected health information for marketing purposes. In general:
    • If your PHI is used or disclosed to send a marketing communication through the mail, that mailing must include the name and toll-free number of the entity that sent you the marketing communication and an explanation of your right to have your name removed from the sender's mailing list.
    • Your PHI cannot be used or shared for marketing communications like sales calls or advertising without your authorization in writing. Certain exceptions apply, including face-to-face communications between a provider and an individual.

Read more about HIPAA, the HIPAA Privacy Rule and the HIPAA Security Rule on the Department of Health and Human Services' website. Read the Texas Medical Records Privacy Act.

File a Patient Privacy Complaint

If you believe your PHI has been or may have been used or disclosed in violation of HIPAA or the Texas Medical Records Privacy Act, you may file a complaint with:

By mail:
Marisa Smith, Regional Manager
Office for Civil Rights - Region VI
U.S. Department of Health and Human Services
1301 Young Street, Suite 1169
Dallas, TX 75202

By fax:
(202) 619-3818

OCR's Customer Response Center:
(800) 368-1019

The information provided here is for general informational purposes and not intended to serve as legal advice or opinion.