Dialysis Records Privacy: Your Rights Under HIPAA and Who Can Access Your Information
HIPAA Privacy Rule Overview
Dialysis records privacy sits within the HIPAA Privacy Rule, which protects your Protected Health Information (PHI). PHI includes any information that identifies you and relates to your health, care, or payment for care at dialysis facilities, nephrology clinics, or hospitals.
Under HIPAA, covered entities (like your dialysis center) and their business associates (such as EHR vendors or billing services) must follow strict medical record safeguards. They may use or disclose PHI for treatment, payment, and healthcare operations, while applying the minimum necessary standard for most non-treatment uses to maintain health information privacy compliance.
You have core rights: to access and obtain copies of your records, request corrections, ask for restrictions or confidential communications, and receive an accounting of certain disclosures. These rights apply to the information your provider uses to make decisions about you during kidney care.
Dialysis records often include treatment run sheets, flowsheets, lab results (e.g., Kt/V, adequacy measures), care plans, medication lists, access-site notes, imaging reports, and billing records—each part of your privacy landscape.
Right to Access Dialysis Records
What you can obtain
You may inspect or get copies of all PHI about you that your dialysis provider keeps in its designated record set. That typically covers clinical and billing records used to make decisions about your care and payment.
- Clinical content: treatment logs, monthly labs, medication orders, progress notes, care plans, and vascular-access documentation.
- Administrative/billing content: claims, remittance details, and payment histories connected to your dialysis services.
How to make a request and expected timelines
Submit a written request to the dialysis center’s medical records department or privacy officer. Identify what you want, the dates of service, and your preferred format (portal download, secure email, paper, or CD/USB if offered).
Providers must act promptly and generally within 30 days of receiving your request. If they need more time, they may take one additional 30-day extension with written notice explaining the delay and a new due date. When readily producible, you can get records in the form and format you request, including electronic copies.
Directing records to a third party
You may ask the provider to send an electronic copy of your records from its EHR to a third party you designate. Your request must be in writing, signed, and clearly identify the recipient and destination to ensure accurate and secure delivery.
Understanding the Designated Record Set
What’s included
The designated record set is the collection of records a dialysis provider uses to make decisions about you. It usually includes medical and billing records such as treatment flowsheets, physician and nurse notes, orders, dialysis adequacy metrics, care plans, medication and allergy lists, lab reports, imaging, and billing claims relevant to your care.
What’s excluded (Psychotherapy Notes Exclusion and more)
Not every document a provider holds is part of the designated record set. Common exclusions include:
- Psychotherapy notes (Psychotherapy Notes Exclusion), which are kept separate by mental health professionals.
- Peer review/quality improvement files, business planning or administrative records, and raw data sets not used to make decisions about you.
- Information compiled for legal proceedings or other materials the law specifically shields from access.
Safeguarding Patient Records
Administrative, technical, and physical protections
Dialysis providers must implement layered medical record safeguards to protect PHI and support health information privacy compliance. Common measures include policies, staff training, role-based access, audit logs, encryption, secure messaging, and secure device/media handling.
- Administrative: privacy and security policies, workforce training, risk assessments, and business associate agreements.
- Technical: unique user IDs, multi-factor authentication, access controls, encryption in transit/at rest, and activity monitoring.
- Physical: secure file rooms, locked workstations, clean-desk rules, visitor controls, and proper disposal (e.g., shredding or secure media destruction).
How you can help protect your PHI
- Use strong, unique passwords for patient portals and update them regularly.
- Verify recipient details before requesting email or fax transmission of records.
- Review audit or download notices from portals and report any unfamiliar activity.
Role of Personal Representatives
Who qualifies
A Personal Representative is someone legally authorized to act on your behalf in healthcare decisions—such as a parent or legal guardian of a minor, a court-appointed guardian, or a person holding a healthcare power of attorney. A valid personal representative generally has the same access rights you do.
Proof and important limitations
Providers may require documentation (e.g., guardianship papers, a power of attorney, or court orders) and will verify identity before granting access. Special rules apply when minors can legally consent to certain care or when disclosing information could put someone at risk of harm (e.g., abuse or neglect). In those cases, access may be limited consistent with HIPAA and applicable state law.
Charges and Fees for Accessing Records
What fees are allowed
HIPAA permits reasonable, cost-based charges for providing copies. Allowed fees are limited to labor for copying (including creating electronic copies), supplies (such as paper or a CD/USB), and postage if you request mailing. If you agree in advance, you may also request and pay for a written summary or explanation of your records.
What fees are not allowed
Providers may not charge fees for searching for, retrieving, or otherwise handling your request beyond copying-related costs. Per-page fees are not permitted for electronic copies. Charges must be reasonable, cost-based, and explained upon request.
How to minimize costs
- Request electronic delivery (portal download or secure email) when possible.
- Narrow the date range or specify particular documents you need most.
- Ask whether a flat fee is available for electronic copies and request an estimate up front.
Requesting Corrections to Dialysis Records
How to request an amendment
If something in your records is incomplete or inaccurate, you can request a correction (amendment) to the information in the designated record set. Submit a written request describing the specific entry, what is wrong, and the evidence supporting your change (e.g., lab report, medication list, or outside provider letter).
Deadlines and outcomes
Your provider generally must act within 60 days (with one possible 30-day extension if they send you a written notice explaining the delay). If approved, the provider will amend the record and, when appropriate, notify others who rely on it. If denied—for example, because the record is accurate, not part of the designated record set, or was created by another provider—you may submit a statement of disagreement that becomes part of your record.
Practical tips
- Target facts (dates, doses, allergies) rather than clinical judgment, and attach supporting documentation.
- Ask the provider to send the amendment or your statement of disagreement to specific third parties who recently received the inaccurate information.
- Keep copies of your requests, confirmations, and any responses for your files.
Conclusion
Understanding what’s in your dialysis records, who can access them, and how to exercise your HIPAA rights empowers you to manage your care. Use the access, amendment, and personal representative tools effectively, and request electronic formats to reduce delays and costs while protecting your privacy.
FAQs
Who can access my dialysis records under HIPAA?
You, your authorized Personal Representative, and your dialysis provider’s workforce may access your PHI for treatment, payment, and healthcare operations. Business associates (such as EHR or billing vendors) can access it only to perform contracted services under safeguards. Other disclosures require your authorization or must fit a narrow legal exception.
What are my rights to view and copy dialysis records?
You have the right to inspect and obtain copies of PHI in your provider’s designated record set. You can choose the form and format if readily producible (including electronic), receive records within established HIPAA timeframes, and ask the provider to send an electronic copy from its EHR to a third party you designate in a proper written request.
Can someone else act as my personal representative for my dialysis records?
Yes. A person with legal authority—such as a parent/guardian for a minor, a court-appointed guardian, or someone with a valid healthcare power of attorney—may act as your Personal Representative and generally has the same access rights you do. The provider will require documentation and may limit access in special circumstances allowed by law.
Are there any costs associated with obtaining my dialysis records?
Providers may charge reasonable, cost-based fees limited to copying-related labor, supplies, and postage (if mailed). They cannot charge for searching or retrieving records, and per-page fees do not apply to electronic copies. You can often reduce or avoid costs by requesting electronic delivery or narrowing the scope of your request.