Patient Rights and Protections Under US Law
Federal and state law together create a framework of enforceable rights that apply every time a person enters a hospital, clinic, or insurer's claims queue. These protections govern what information patients must receive, how their medical data is handled, what insurers can and cannot do, and what recourse exists when something goes wrong. The stakes are real: violations can trigger federal penalties, civil litigation, and mandatory corrective action plans.
Definition and scope
A patient right, in the legal sense, is not a courtesy — it is a codified entitlement backed by enforcement mechanisms. The broadest federal baseline comes from the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which establishes nationwide standards for privacy and security of protected health information. HIPAA's Privacy Rule gives patients the right to inspect and obtain copies of their medical records, request amendments, and receive an accounting of disclosures.
Layered on top of that is the Patient Protection and Affordable Care Act (ACA), which added a distinct set of insurance-market protections: prohibitions on lifetime and annual benefit limits, requirements that insurers cover dependents up to age 26, protections against coverage denial based on pre-existing conditions, and guaranteed coverage of preventive care and screenings without cost-sharing.
The scope is wide. HIPAA applies to covered entities (health plans, health care clearinghouses, and providers such as hospitals and physician practices that transmit health information electronically) and, since the HITECH Act of 2009, directly to their business associates as well; together these organizations handle the records of hundreds of millions of Americans. The ACA's insurance protections apply to most individual and group health plans, whether bought on the marketplaces or sponsored by an employer, with the exceptions noted under "Decision boundaries" below.
How it works
Enforcement runs through multiple channels, which is one of the more interesting design features of the system. HIPAA complaints are investigated by the HHS Office for Civil Rights (OCR), which can impose civil monetary penalties in four tiers keyed to the violator's level of culpability (45 CFR §160.404). The statutory amounts set by the HITECH Act range from $100 to $50,000 per violation, with an annual cap of $1.5 million for identical violations; HHS adjusts these figures for inflation each year, so the current caps are somewhat higher. Willful neglect that is not corrected within 30 days of discovery carries the highest tier.
Insurance-market rights under the ACA are enforced partly by the Centers for Medicare & Medicaid Services (CMS) and partly by state insurance commissioners, depending on whether a state has assumed "primary enforcement" authority. For Medicare beneficiaries specifically, the Medicare Beneficiary Ombudsman handles complaints about access, billing, and appeals.
The appeals process itself is a distinct and legally required mechanism. When an insurer denies a claim or prior authorization request, federal rules under the ACA (45 CFR §147.136) mandate:
- An internal appeal decided within 72 hours for urgent care claims, 30 days for pre-service claims (including prior authorization), or 60 days for post-service claims
- A second level of internal review, which group health plans may require before external review (individual market plans are limited to a single internal level)
- An independent external review by an accredited independent review organization, required for all non-grandfathered plans
- State-level appeal processes that may offer additional remedies depending on jurisdiction
Patients dealing with healthcare costs and billing have a parallel set of rights under the No Surprises Act (enacted as part of the Consolidated Appropriations Act, 2021, Public Law 116-260), which took effect on January 1, 2022 and limits balance billing for out-of-network emergency care, air ambulance services, and certain non-emergency services furnished by out-of-network providers at in-network facilities.
Common scenarios
The gap between a right existing on paper and a patient knowing how to exercise it is where most real-world friction lives. Three scenarios illustrate how these protections actually operate.
Medical records access. Under the HIPAA Privacy Rule (45 CFR §164.524), a covered entity must act on a written request for access within 30 days, with a single 30-day extension allowed if it notifies the patient in writing of the delay. Fees are limited to a reasonable, cost-based amount covering the labor of copying, supplies, and postage; the per-page fees that some facilities historically charged for paper records cannot be applied to electronic copies unless they reflect those actual costs. A patient who is denied access can file a complaint with HHS OCR.
Surprise billing. A patient receives emergency surgery at an in-network hospital, then receives a bill from an out-of-network anesthesiologist who was called in during the procedure. Under the No Surprises Act, the patient owes no more than the in-network cost-sharing amount, and the anesthesiologist may not bill the difference. The provider and insurer then have a 30-day open negotiation period to settle the remaining payment; if they cannot agree, either side may initiate the federal independent dispute resolution (IDR) process, in which a certified arbiter chooses between the two parties' offers.
Discrimination in coverage. Section 1557 of the ACA (42 U.S.C. §18116) prohibits discrimination in health programs receiving federal financial assistance on the basis of race, color, national origin, sex, age, or disability. This provision applies to most hospitals and clinics that accept Medicare or Medicaid — which is to say, nearly all of them.
Decision boundaries
Not all patient protections apply equally in all contexts. Understanding where the lines fall matters.
HIPAA vs. non-covered entities. A hospital's electronic health record system is subject to HIPAA. A fitness app that collects health data is generally not, unless it operates as a business associate of a covered entity. The FTC has moved to address this gap through enforcement actions under the FTC Health Breach Notification Rule, but the regulatory coverage is thinner.
Grandfathered vs. non-grandfathered plans. Plans that existed on March 23, 2010 (the day the ACA was signed) and have not since made significant changes to benefits or cost-sharing may be exempt from several ACA protections, including the external appeals requirement and the preventive-care mandate. The distinction matters when evaluating what rights apply to a specific employer-sponsored plan, so the first question to ask about such a plan is whether it has retained grandfathered status.
Federal floor vs. state ceiling. Federal law sets a minimum. States can and do add protections beyond the federal baseline — California's Confidentiality of Medical Information Act (CMIA) is one example, extending privacy protections to entities outside HIPAA's reach. Patients in states with stronger laws hold more rights than the federal floor alone would provide.
How these rights interact with the broader body of law on medical records and health data is more layered than any single statute suggests, and the protections described here are best read as one layer within the US healthcare system as a whole.
References
- HHS Office for Civil Rights — HIPAA
- HHS — ACA Health Care Law Protections
- Centers for Medicare & Medicaid Services (CMS)
- eCFR — 45 CFR Part 160, Subpart D (HIPAA civil money penalties) and 45 CFR Part 164 (Privacy and Security Rules)
- FTC Health Breach Notification Rule
- No Surprises Act — Public Law 116-260
- ACA Section 1557 — 42 U.S.C. §18116
- California Confidentiality of Medical Information Act (CMIA)
- Medicare Rights — Medicare.gov