- A provider must give you written notice of the uses and disclosures of your PHI and, in the event that your PHI is improperly accessed or breached, must provide you notice of that event.
- Your permission is not required if the sharing of your PHI is related to your treatment, payment, health care operations or performing certain insurance or health care maintenance organization functions.
- Most providers and plans have a form you can use to request your records.
- Providers and plans are permitted by law to charge for the reasonable costs of copying and mailing your records but may not charge a retrieval fee.
- In limited cases, such as if your provider believes that information in the file may endanger you, you may not be able to obtain all of your information.
- If the provider has an electronic health records system capable of fulfilling the request, your records must be provided to you no later than the 15 th business day after you submit your written request.
- Once you have made such a request, the provider or health plan must respond and if they do not agree with your requested corrections, must notify you in writing and explain why your request was denied. You have the right to submit a statement or disagreement that the provider or plan must add to your record.
- Right to limit the use or sharing of your protected health information for marketing purposes. In general:
- If your PHI is used or disclosed to send a marketing communication through the mail, that mailing must include the name and toll free number of the entity which sent you the marketing communication and an explanation of your right to have your name removed from the sender's mailing list.
- Your PHI cannot be used or shared for marketing communications like sales calls or advertising without your authorization in writing. Certain exceptions apply to this including face to face communications between a provider and an individual.
Read more about HIPAA, the HIPAA Privacy Rule and the HIPAA Security Rule on the Department of Health and Human Services' website. Read the Texas Medical Records Privacy Act.
File a Patient Privacy Complaint
If you believe your PHI has been or may have been used or disclosed in violation of HIPAA or the Texas Medical Records Privacy Act you may file a complaint with:
- the Texas agency that regulates the person or business you are complaining about; View the list of agencies and find out how to file your complaint.
- the Texas Attorney General's Consumer Protection Division; or
- the federal U.S. Dep't of Health and Human Services - Office of Civil Rights (OCR). The OCR accepts complaints electronically at its complaint portal website and also:
By mail:
Marisa Smith, Regional Manager
Office for Civil Rights - Region VI
U.S. Department of Health and Human Services
1301 Young Street, Suite 1169
Dallas, TX 75202By fax:
(202) 619-3818OCR's Customer Response Center:
(800) 368-1019The information provided here is for general informational purposes and not intended to serve as legal advice or opinion.
File a Consumer Complaint Online
If your private health information has been unlawfully shared, file a complaint with us today.
Medical Records Privacy Act
The Texas Attorney General is required by law to prepare a report of all medical privacy complaints received by the OAG and state agencies pursuant to the Texas Medical Records Privacy Act. You can read and download that report here.
Authorization to Disclose Protected Health Information
The Texas Medical Records Privacy Act requires the Attorney General to adopt a standard Authorization to Disclose Information form.
