Guide to HIPAA Patient Access: What You Must Provide and When

Kevin Henry

HIPAA

January 05, 2025

HIPAA patient access is a core privacy right: covered entities must give individuals timely, affordable copies of their health information. This guide explains what you must provide, how to process requests, the access request timeline, how fees are limited, and when you may deny or redirect requests under the federal rules.

Patient Access Rights

Under the HIPAA Privacy Rule (45 CFR 164.524), individuals have the right to inspect and obtain a copy of their protected health information (PHI) held in a designated record set. You must provide access in the form and format requested if it is readily producible, and you cannot impose procedures that delay or discourage access.

Who may exercise this right

  • The patient.
  • A personal representative with authority under state law (for example, a parent of a minor where state law grants the parent access, or a court-appointed guardian). A personal representative is generally treated as the individual for access purposes, unless an exception applies (see “Personal representatives and minors” below).

Relation to the information blocking regulation

The 21st Century Cures Act information blocking regulation (45 CFR Part 171) prohibits practices that are likely to interfere with the access, exchange, or use of electronic health information (EHI). It is distinct from HIPAA and applies to a different set of actors, but it reinforces prompt, non-discriminatory access to EHI and expects you to rely on one of its defined exceptions (such as the preventing harm or privacy exceptions) when you restrict access.

Designated Record Set

The designated record set (DRS) defines the scope of records you must produce. It includes medical and billing records maintained by or for you, and any other group of records you use, in whole or in part, to make decisions about the individual.

What’s typically included

  • Medical charts, histories, physician notes, orders, lab and imaging reports.
  • Billing records, claims, payment and coverage determinations.
  • Case management, care coordination, and utilization review records used to make decisions about the person.

What’s excluded

  • Psychotherapy notes: a mental health professional’s separate notes documenting or analyzing the contents of counseling sessions, kept apart from the rest of the medical record. (Medication prescriptions, session start and stop times, diagnoses, and treatment summaries are not psychotherapy notes and remain in the DRS.)
  • Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding.
  • Records not used to make decisions about the individual (for example, quality assessment or improvement files, or de-identified data sets, which are not PHI at all).

Request Requirements

You may require that access requests be made in writing, provided you inform individuals of that requirement, but your process must be straightforward and not burdensome. Accept requests through common channels (patient portal, email, mail, fax, or in person) and verify the requester’s identity using reasonable, non-obstructive steps; do not require the individual to come in person or to use a specific form when that would delay access.

Form, format, and delivery

  • Provide records in the form and format requested if readily producible (for example, PDF, a CCD/C-CDA document, or a readable paper copy). If the requested format is not readily producible, agree with the individual on an alternative readable form; a hard copy is the fallback.
  • If PHI is maintained electronically, you must offer an electronic copy when the individual asks for one. If the individual asks for transmission by unencrypted email after being advised of the risk, you may send it as directed; the individual’s informed choice is documented, and the risk of interception in transit is then accepted by the individual.
  • Document the request, the identity verification performed, and your fulfillment steps (date received, date fulfilled, format, fee charged) to demonstrate compliance.

Authorizations vs. access requests

An individual’s own access request under HIPAA is not a HIPAA authorization, and you may not insist on an authorization form as a condition of fulfilling it. If a third party (such as an attorney or insurer) is requesting records on its own behalf, a valid HIPAA authorization signed by the individual is required unless another legal basis for the disclosure applies.

Response Timeline

The access request timeline is strict. You must act on a request no later than 30 calendar days after receiving it, either by providing access or by sending a written denial. The 30-day clock runs regardless of where the records are stored; the former allowance of 60 days for records maintained off-site was removed by the 2013 Omnibus Rule. If you cannot meet the 30-day deadline, you may take one extension of no more than 30 additional days, but only if you notify the requester in writing within the initial 30 days, stating the reason for the delay and the date by which you will complete the request. No second extension is available.

If state law sets a shorter deadline or a stronger right, the more protective rule applies. Treat 30 days as the outer limit, not a target: HHS expects access to be provided as quickly as practicable. Always provide as much of the designated record set as you can, even if some portions are delayed or must be segregated.

Enforcement penalties

  • The HHS Office for Civil Rights (OCR) can impose settlements, corrective action plans, and civil monetary penalties for failures to provide timely, complete, or affordable access; right-of-access cases have been a standing OCR enforcement priority.
  • Under the information blocking regulation, actors that unreasonably interfere with access to electronic health information may face separate enforcement consequences (civil monetary penalties for health IT developers, exchanges, and networks, and disincentives for health care providers).

Fees for Access

You may charge only a reasonable, cost-based fee. It may include only the labor of copying the PHI (paper or electronic), the supplies used to create the copy (for example, paper or portable media such as a USB drive), postage if the individual asks that the copy be mailed, and the cost of preparing a summary or explanation if the individual has agreed in advance to receive a summary and to the fee for it.

Common pitfalls to avoid

  • No fees for searching for or retrieving the PHI, verifying identity, reviewing the request, or maintaining systems and storage.
  • No per-page fees for electronic copies of PHI; per-page charges are appropriate only for paper copies and only where they reflect actual cost.
  • Calculate the fee from actual costs or from a well-supported average-cost schedule. For electronic copies of PHI maintained electronically, HHS guidance also permits a flat fee of no more than $6.50 that covers all labor, supplies, and postage. Tell the individual the approximate fee in advance.

Denial of Access

Denials must be narrow, documented, issued in writing within the 30-day window, and, where the ground is reviewable, accompanied by information about the individual’s right to have the denial reviewed. Whenever you deny part of a request, you must still provide access to all other PHI in the designated record set.

Permissible grounds for denial

  • Unreviewable grounds: psychotherapy notes; information compiled in anticipation of, or for use in, a legal proceeding; and information obtained from someone other than a health care provider under a promise of confidentiality, where access would be reasonably likely to reveal the source.
  • Reviewable ground: a licensed health care professional has determined, in the exercise of professional judgment, that access is reasonably likely to endanger the life or physical safety of the individual or another person.
  • Reviewable ground: the PHI refers to another person (other than a health care provider) and a licensed health care professional has determined that access is reasonably likely to cause substantial harm to that person; or a personal representative is requesting access and a licensed health care professional has determined that access is reasonably likely to cause substantial harm to the individual or another person.
  • Special contexts (for example, inmates of correctional facilities, research participants who agreed to a temporary suspension of access during a study, and certain records subject to the Privacy Act or CLIA) where temporary or context-specific limitations apply; these are unreviewable.

Process and information blocking considerations

  • Provide a written denial, in plain language, that states the basis for the denial, explains the right to have the denial reviewed (if the ground is reviewable) and how to request that review, and describes how the individual may complain to you and to HHS. Reviews must be conducted by a licensed health care professional who did not participate in the original decision.
  • For electronic information, ensure that any restriction also fits an information blocking exception (such as preventing harm or privacy), since a HIPAA-permitted denial is not automatically an information blocking exception.

Third-Party Requests

Individuals may direct you to transmit a copy of their PHI to a third party of their choosing. The request must be in writing, signed by the individual, and must clearly identify the designated recipient and where to send the information. Honor the individual’s preferred form and format if readily producible, and verify the identity of the requester before transmitting.

Directing records vs. authorizations

  • Patient-directed transmission: the individual asks you to send a copy to a person or entity of their choice. Treat it as an access request and apply the same 30-day timeline. Note the fee caveat: after Ciox Health v. Azar (D.D.C. 2020), HHS announced that the reasonable, cost-based fee limitation applies to an individual’s request for their own copy and no longer to requests to transmit records to a third party, and that the right to direct records to a third party is limited to ePHI in an electronic health record. Check current OCR guidance and any stricter state law before setting fees for third-party directives.
  • Third party acting on its own: require a HIPAA-compliant authorization signed by the individual unless another legal permission applies; the access rules, fee limits, and timelines do not govern these disclosures.

Personal representatives and minors

When state or other applicable law designates a personal representative, treat that person as the individual for access purposes, subject to the reviewable harm exception described above. For minors, a parent is generally the personal representative, but parental access may be limited where the minor can lawfully consent to a service on their own (and has done so), where a court or someone other than the parent is authorized to consent, or where the parent has agreed to a confidential relationship between the minor and the provider; in those cases state law controls what the parent may see.

Key takeaways

  • Confirm the requester’s identity and authority, clarify the scope of records sought, and document the delivery details and any fee.
  • Apply the same 30-day timeline and form/format rules to patient-directed third-party transmissions; confirm the current fee rules before charging for them.
  • Segment and disclose what you can; use narrow, written denials only on a recognized ground, and offer review where the ground is reviewable.

FAQs

What records must covered entities provide under HIPAA?

You must provide all PHI in the designated record set, including medical and billing records and other records used to make decisions about the individual. Exclusions include psychotherapy notes and information compiled for litigation; otherwise, provide as much as possible and segment any excluded content.

How soon must providers respond to access requests?

Within 30 calendar days of receiving the request, wherever the records are kept; the older 60-day allowance for off-site records no longer exists. If you cannot meet the deadline, you may take one 30-day extension, provided you send written notice within the first 30 days explaining the reason and the date by which you will respond.

Can fees be charged for providing patient records?

Yes, but for an individual’s own copy only a reasonable, cost-based fee covering copying labor, supplies, and postage if mailed. Do not charge for search, retrieval, or identity verification, and do not apply per-page charges to electronic copies. A fee for a summary or explanation is allowed only if the individual agrees in advance to both the summary and the fee.

What information can be legally denied to patients?

Psychotherapy notes, information compiled for legal proceedings, information obtained under a promise of confidentiality that would reveal the source, and the limited cases in which a licensed health care professional determines that access would endanger someone’s life or physical safety or cause substantial harm to another person. Even then, provide access to the remaining portions of the designated record set and, for the harm-based grounds, inform the individual of the right to have the denial reviewed.
