Patient Rights in Medical Settings

Federal law, accreditation standards, and state statutes collectively define a framework of enforceable entitlements that govern how patients are treated across clinical environments — from hospital inpatient units to outpatient clinics, telehealth platforms, and long-term care facilities. These rights cover informed consent, access to medical records, freedom from discrimination, and the right to make decisions about one's own care. Understanding the structure of these protections matters because violations can result in federal penalties, loss of Medicare and Medicaid certification, and civil liability for covered entities.

Definition and scope

Patient rights are legally and ethically binding entitlements held by individuals receiving health care services. In the United States, the primary federal frameworks governing these rights include the Patient Self-Determination Act of 1990 (42 U.S.C. § 1395cc(f)), the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule codified at 45 CFR Parts 160 and 164, and the Americans with Disabilities Act of 1990 (ADA, 42 U.S.C. § 12101 et seq.). The Centers for Medicare & Medicaid Services (CMS) conditions of participation, found at 42 CFR § 482.13, establish a baseline patient rights standard that hospitals must meet to receive Medicare or Medicaid reimbursement.

The scope of patient rights spans five broad categories:

1. Informational rights — the right to receive clear, accurate information about diagnosis, treatment options, and prognosis in a language the patient understands.
2. Decisional rights — the right to consent to or refuse treatment, including the right to execute advance directives under the Patient Self-Determination Act.
3. Privacy and confidentiality rights — the right to control disclosure of protected health information (PHI), as defined by HIPAA's Privacy Rule.
4. Non-discrimination rights — the right to receive care without regard to race, color, national origin, sex, age, or disability under Section 1557 of the Affordable Care Act (45 CFR Part 92) and Title VI of the Civil Rights Act of 1964.
5. Grievance and complaint rights — the right to file complaints with covered entities, The Joint Commission (TJC), or directly with HHS Office for Civil Rights without retaliation.

For a broader look at how quality oversight intersects with patient protections, see Medical Service Accreditation and Quality Standards and the overview of US Medical Services Regulatory Bodies.

How it works

Patient rights operate through a layered enforcement architecture involving federal agencies, accreditation bodies, and state law.

Federal enforcement layer: The HHS Office for Civil Rights (OCR) enforces HIPAA privacy rights and Section 1557 non-discrimination provisions. The OCR received 34,077 HIPAA complaints in fiscal year 2022 (HHS Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance). CMS enforces conditions of participation and can initiate termination of a facility's Medicare or Medicaid agreement for violations of 42 CFR § 482.13.

Accreditation layer: The Joint Commission, which accredits approximately 22,000 health care organizations in the United States (The Joint Commission, Facts About The Joint Commission), requires accredited facilities to maintain a documented patient rights policy under its Rights and Responsibilities of the Individual (RI) standards.

State law layer: State hospital licensing laws and state-specific patient bill of rights statutes supplement federal floors. State-level rights may exceed federal minimums — for example, 12 states have enacted statutes providing explicit rights to interpreter services beyond what federal law requires under Executive Order 13166.

The operational sequence for asserting a patient right typically proceeds through three phases:

1. Notice — Covered entities must provide patients with a written Notice of Privacy Practices (NPP) at the first point of service contact, as required by 45 CFR § 164.520.
2. Request and response — A patient submits a formal request (e.g., for record access or amendment) and the covered entity has 30 days to respond, with a single 30-day extension permitted under 45 CFR § 164.524.
3. Escalation — If the entity denies the request or the patient believes a right has been violated, complaints may be filed with the HHS OCR within 180 days of the alleged violation.

Privacy rights specifically are detailed further at Health Information Privacy and HIPAA.

Common scenarios

Informed consent: Before elective surgical procedures, providers must present patients with a description of the procedure, material risks, alternative options, and the right to refuse — a standard codified in 42 CFR § 482.13(b). Informed consent requirements differ between elective and emergency settings; in emergencies, the emergency exception to consent (also called "implied consent") permits treatment when a patient is incapacitated and faces a life-threatening condition.

Advance directives: Under the Patient Self-Determination Act, Medicare- and Medicaid-participating hospitals, skilled nursing facilities, and home health agencies must ask patients on admission whether they have an advance directive (living will or durable power of attorney for health care) and must document the response in the medical record.

Record access: Patients have the right to inspect and obtain a copy of their designated record set within 30 days of a request. Since April 2021, the 21st Century Cures Act Final Rule — enforced by the Office of the National Coordinator for Health IT (ONC) — prohibits information blocking and requires that most clinical notes be available to patients at no cost through certified electronic health record technology.

Non-discrimination in specialty and mental health settings: Section 1557 applies to any health program receiving federal financial assistance. Mental health providers accepting Medicaid must comply with the ADA and Section 504 of the Rehabilitation Act. For more on mental health service access, see Mental Health Services in the US.

Decision boundaries

Understanding where patient rights apply — and where they reach limits — requires distinguishing between right-holders, covered entities, and applicable statutory scope.

Who holds these rights: Any individual receiving health care services in the US holds federal baseline rights regardless of insurance status, immigration status, or ability to pay. Minors' rights are modified by state law: in most states, parents or legal guardians hold decisional authority, but minors may independently consent to treatment for substance use disorders, sexually transmitted infections, and mental health services under state-specific statutes. For context on service settings for younger patients, see Pediatric Medical Services.

Covered entities vs. non-covered entities: HIPAA applies only to covered entities (health plans, health care clearinghouses, and health care providers who transmit health information electronically) and their business associates. A direct-pay-only provider who does not transmit electronic health information is not a HIPAA-covered entity, though state law may still impose privacy obligations.

Consent vs. assent: Informed consent (a legally binding decision) differs from assent (a patient's affirmative agreement, used for incapacitated adults or pediatric patients). A legally authorized representative may provide consent, but clinical ethics committees may be consulted when surrogates and clinical teams disagree — a process governed by institutional policy rather than federal statute.

Emergency exception boundaries: The emergency exception to informed consent under 42 CFR § 482.13(e) permits treatment without prior consent only when: (1) the patient is incapacitated, (2) a life-threatening emergency exists, and (3) a surrogate decision-maker cannot be reached in time. This exception does not apply to non-emergent treatment decisions made during an inpatient stay when the patient regains capacity.

Grievance timelines: Under CMS Conditions of Participation at 42 CFR § 482.13(a)(2), hospitals must have a formal grievance process and must provide a written response to patient grievances. The 180-day complaint filing window with HHS OCR is a hard deadline; complaints filed after that window are generally dismissed unless extraordinary circumstances apply.

References

• U.S. Department of Health and Human Services — HIPAA for Professionals
• HHS Office for Civil Rights — Section 1557 of the Affordable Care Act
• Centers for Medicare & Medicaid Services — 42 CFR § 482.13 (Conditions of Participation: Patient Rights)
• HHS Annual Report to Congress on HIPAA Compliance, FY 2022
• The Joint Commission — Facts About The Joint Commission
• [