45 CFR 164.524 Explained: Your HIPAA Right of Access to Medical Records
Right of Access to Protected Health Information
Under 45 CFR 164.524, you have the right to inspect and obtain a copy of your protected health information (PHI) maintained by a covered entity in a Designated Record Set. This typically includes medical and billing records, enrollment and payment information, and other records a provider or health plan uses to make decisions about you.
You may receive copies in the form and format you request if readily producible. When records are maintained as Electronic Health Records, you can obtain an electronic copy and, where feasible, choose a secure electronic method (for example, patient portal download or encrypted email). If your preferred format is not readily producible, the covered entity must offer an alternative that is agreeable to you.
You may request access for yourself or, where permitted, direct the covered entity to transmit a copy to a person or entity you designate. Access may include the opportunity to inspect records on-site and to obtain copies of specific items, the entire Designated Record Set, or a summary you agree to receive.
What is included in a Designated Record Set
- Medical and billing records and images used to make decisions about you.
- Claims, case management, and utilization review files held by health plans.
- Other records that inform clinical, coverage, or payment decisions about you.
What is not included
- Records not used to make decisions about you (for example, quality assurance files, business planning documents).
- Items excluded by regulation, including the Psychotherapy Notes Exemption and information prepared for legal proceedings.
Exceptions to Access Rights
Your right of access is broad but not absolute. HIPAA permits specific exceptions to protect safety, privacy, and certain professional processes.
- Psychotherapy Notes Exemption: Notes documenting or analyzing a counseling session kept separately from the medical record are excluded from access.
- Legal preparation: Information compiled in reasonable anticipation of, or for use in, a legal proceeding is excluded.
- Research-related temporary suspension: If you agreed, access may be temporarily suspended while a clinical research study is in progress.
- Correctional settings: For inmates, access may be limited if providing a copy would jeopardize safety, security, custody, or rehabilitation.
- Confidential sources: Information obtained from someone other than a health care provider under a promise of confidentiality may be withheld if access would likely reveal the source.
- Records outside the Designated Record Set: Business records not used to make decisions about you are not subject to access.
Grounds for Denial of Access
Denials fall into two categories: those that allow a review and those that do not. Covered entities should provide as much of the requested information as permissible, even when denying access to a portion.
Denials without a right to review
- Requests for psychotherapy notes (Psychotherapy Notes Exemption).
- Information compiled for or in anticipation of litigation.
- Temporary research suspensions you agreed to at enrollment.
- Certain correctional-institution limitations necessary for safety or security.
- Confidential-source information where disclosure would reveal the source.
Denials with a right to review
- A licensed professional determines that access is reasonably likely to endanger your life or physical safety or that of another person.
- Access is reasonably likely to cause substantial harm to someone referenced in the information (other than a health care provider).
- A personal representative’s request is reasonably likely to cause you substantial harm.
When part of a record qualifies for denial, the covered entity must provide access to any other information requested that is not subject to a denial and, when feasible, segregate or redact the limited portions that are restricted.
Review Process for Denials
For reviewable denials, HIPAA requires a Professional Judgment Review by a licensed health care professional who was not involved in the original decision. The covered entity must:
- Issue a timely, written denial that explains the basis for the decision, how you may request a review, and how to file a complaint.
- Designate an independent reviewer to reassess the decision promptly.
- Honor the reviewer’s determination and provide access to the extent directed.
- Offer alternatives when appropriate, such as allowing an authorized representative to receive the information or providing a summary you agree to receive.
- Document the denial and review outcome as part of its compliance records.
Implementation Requirements for Covered Entities
Covered Entity Obligations center on removing barriers, responding promptly, and delivering information in usable formats while safeguarding privacy.
- Policies and procedures: Maintain written processes for receiving, verifying, fulfilling, denying, and documenting access requests, including standardized templates for extensions and denials.
- Workforce training: Train staff to recognize access requests, explain options, and apply the rule consistently.
- Verification and representation: Reasonably verify identity and authority of requesters, including personal representatives.
- Form and format: Support electronic delivery from Electronic Health Records and offer alternate formats when the requested format is not readily producible.
- No unreasonable measures: Do not impose obstacles (for example, requiring in-person pick-up when electronic delivery is available or insisting on proprietary forms if a valid written request exists).
- Documentation and retention: Keep access-related documentation and policies as required by HIPAA record-retention rules.
- Fee practices: Publish or make available information about permissible, Cost-Based Fee components and provide estimates upon request.
Access Request Timeliness
A covered entity must act on your request no later than 30 calendar days after receipt. If it cannot meet this deadline, it may take a one-time Access Request Extension of up to an additional 30 days. To use the extension, the entity must send you a written notice within the initial 30-day window explaining the reason for delay and stating a specific completion date.
“Acting on” a request means fulfilling it, partially fulfilling it with an explanation, denying it in writing (with review rights if applicable), or informing you that the information is not held by the entity and, if known, where to direct your request. When state law sets a shorter deadline, the shorter timeline applies.
Fee Structures for Access Provision
HIPAA permits only a reasonable, Cost-Based Fee for providing access. Fees may include:
- Labor for copying PHI (paper or electronic), including time spent creating and sending an electronic copy.
- Supplies for creating the copy (for example, paper, envelopes, or portable media).
- Postage or delivery when you request mailing.
- Optional summary or explanation if you agree in advance to receive it and to any associated fee.
Fees may not include charges for retrieving, searching for, verifying, or otherwise maintaining systems that store your PHI. Per-page fees are not appropriate for electronic copies from Electronic Health Records. You may ask for a fee estimate in advance, and a covered entity may require prepayment of the permissible amount before providing copies for that specific request.
Summary
45 CFR 164.524 gives you a clear, enforceable path to access your PHI in a Designated Record Set, with defined timelines, limited exceptions, and guardrails like Professional Judgment Review and Cost-Based Fee rules. Understanding these standards helps you obtain timely, usable copies—often electronically—while ensuring covered entities meet their HIPAA obligations.
FAQs
What PHI can individuals access under 45 CFR 164.524?
You can access PHI in a Designated Record Set, including medical and billing records and other information used to make decisions about you. This can be provided in paper or electronic form, including copies from Electronic Health Records when available.
When can access to medical records be denied?
Access can be denied in narrow circumstances, such as psychotherapy notes, information prepared for legal proceedings, research-related temporary suspensions you agreed to, certain correctional-institution limitations, and confidential-source information. Denials based on safety or substantial-harm concerns may be subject to Professional Judgment Review.
How long do covered entities have to respond to access requests?
They must act within 30 days of receiving your request. If they cannot do so, they may take a one-time Access Request Extension of up to 30 additional days, but they must send you a written notice explaining the reason and the new completion date.
Can covered entities charge fees for providing access?
Yes, but only a reasonable, Cost-Based Fee covering limited items: labor for copying, supplies, postage, and any agreed-upon summary or explanation. Charges for retrieval, verification, or general administrative overhead are not permitted, and per-page fees are not appropriate for electronic copies.