HIPAA Guidelines for Medical Records: Privacy, Access, and Compliance Explained


Kevin Henry

HIPAA

February 09, 2024


HIPAA Privacy Rule Overview

The HIPAA Privacy Rule sets national standards for how covered entities and their business associates handle Protected Health Information (PHI). These HIPAA guidelines for medical records define what counts as PHI, when you may use or disclose it, and the safeguards you must maintain to prevent unauthorized access or misuse.

Access under HIPAA centers on the Designated Record Set (DRS)—the medical and billing records you maintain, plus any other records you use to make decisions about individuals. Knowing exactly what lives inside your DRS is essential, because the right of access applies to that set regardless of format or storage location.

  • Covered entities include health care providers, health plans, and health care clearinghouses.
  • Business associates that create, receive, maintain, or transmit PHI for a covered entity must comply through business associate agreements.

Privacy Rule Safeguards

The Privacy Rule requires reasonable safeguards to protect PHI during use, disclosure, and access processes. You should implement identity verification steps, limit workforce access to the minimum necessary, and maintain policies that align with your technical and physical controls for electronic and paper records.

Understanding Right of Access

Individuals have the right to inspect or obtain a copy of PHI in your Designated Record Set and to direct you to transmit a copy to a chosen third party. You may not create unreasonable barriers—such as requiring in‑person requests or mandating portal use—when other secure options are available.

Who may request access

The individual or an authorized personal representative may request access. For minors, state and other applicable laws govern which parent or guardian is the personal representative. You should validate authority before disclosing any PHI.

Form, format, and delivery

Provide records in the form and format requested if readily producible, including electronic copies of ePHI from an electronic health record. If the individual requests unencrypted email after being advised of risks, you may honor the request using reasonable safeguards and documentation of the individual’s preference.

Directing records to third parties

At the individual’s written direction, you must send a copy to a designated third party when the request clearly identifies the recipient and delivery location. Apply the same timing standards and cost rules as you would for a direct request from the individual, subject to any limits that may apply to records outside an EHR.

Managing Exclusions from Access

Psychotherapy Notes Exclusion

Psychotherapy notes are excluded from the right of access when they are kept separate from the medical record and document or analyze the contents of counseling sessions. Routine mental health documentation—such as diagnosis, medications, and treatment plans—remains part of the Designated Record Set and is not covered by this exclusion.

PHI compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding is excluded from access. Maintain clear labeling and separation so staff can identify these materials and avoid improper disclosures.

Reviewable denials and temporary limits

You may deny access, subject to review, if a licensed professional determines that access is reasonably likely to endanger life or physical safety, cause substantial harm to another person, or reveal a confidential source. Access can also be temporarily suspended for certain research records when the individual agreed to the suspension, and may be limited for inmates when safety, security, or rehabilitation would be jeopardized.

When you deny access, issue a timely, written denial explaining the basis, the individual’s review rights (when applicable), and how to submit a complaint or request an alternative format or summary.

Complying with Access Timeframes

Access Request Timeframe

Respond without unreasonable delay and no later than 30 calendar days after receiving the request. If you cannot provide access within 30 days, one extension of up to an additional 30 days is permitted, but you must provide a written notice before the original deadline explaining the reason for delay and the expected completion date. If state law sets a shorter deadline, follow the stricter standard.


Operational tips for timeliness

  • Date-stamp requests and track milestones from intake to fulfillment.
  • Standardize identity verification and format negotiations at intake to avoid rework.
  • Use request portals or ticketing systems to monitor the queue and escalate nearing deadlines.
  • Document any extensions and communications to maintain a defensible record.

Implementing Fees for Record Access

Cost-Based Fee

You may charge a reasonable, cost-based fee for copies that includes only: labor for copying (including extracting ePHI), supplies (e.g., paper, USB drive), postage for mailed copies, and the cost of preparing a summary or explanation if the individual agrees in advance. You may not charge fees for search, retrieval, or verification activities.

Setting your method

Choose one of three approaches: calculate actual costs for each request; rely on a posted schedule of average costs based on objective data; or use a flat fee for electronic copies when it reasonably reflects allowable costs. Per-page fees are not appropriate for electronic copies of PHI.

Transparency and payment practices

Publish your fee methodology, provide an itemized estimate upon request, and obtain consent for any summaries. Do not withhold access because of unpaid treatment bills, and offer lower-cost electronic options when feasible.

Applying Minimum Necessary Standard

The minimum necessary standard requires you to limit uses and disclosures to the least amount of PHI needed to accomplish the purpose. It applies broadly to payment and health care operations and to most routine disclosures, using role-based access and policies to guide staff.

Do not apply minimum necessary to treatment, to disclosures to the individual exercising the right of access, or when a use or disclosure is required by law. Train staff so the standard never becomes a barrier that delays or denies an individual’s access request.

Ensuring Enforcement and Compliance

Office for Civil Rights Enforcement

The Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the Privacy Rule, investigates complaints, and can require corrective action or impose civil monetary penalties. OCR has prioritized right-of-access cases, making timely fulfillment and accurate fee practices essential risk areas to monitor.

Programmatic steps to stay compliant

  • Maintain written policies that define your Designated Record Set, request intake, identity verification, formats, and delivery methods.
  • Train staff on access workflows, Privacy Rule safeguards, and the difference between routine copies and excluded records.
  • Standardize your cost-based fee methodology and publish a plain-language notice.
  • Audit turnaround times, denial letters, and fulfillment accuracy; correct gaps and document remediation.
  • Review contracts and processes with business associates that handle access requests on your behalf.

Conclusion

When you map your Designated Record Set, streamline intake, meet the Access Request Timeframe, and apply a transparent Cost-Based Fee, you satisfy HIPAA guidelines for medical records while building patient trust. Pair these steps with strong Privacy Rule Safeguards and ongoing monitoring to reduce risk and demonstrate compliance.

FAQs

What rights do individuals have to access their medical records under HIPAA?

Individuals can inspect or obtain a copy of PHI in your Designated Record Set and can direct you to send a copy to a third party. They may choose the form and format if readily producible, including electronic copies of ePHI, and you must respond within HIPAA’s timing rules.

How does the minimum necessary standard protect PHI?

It limits uses and disclosures to the smallest amount of PHI needed for the task, supported by role-based access, policies, and approval processes. The standard does not apply to treatment, to disclosures to the individual exercising the right of access, or to uses and disclosures required by law.

What are the exceptions to the right of access under HIPAA?

Psychotherapy notes kept separate from the medical record and information compiled for legal proceedings are excluded. Access may also be denied, subject to review, if release would likely endanger life or physical safety, cause substantial harm to another person, reveal a confidential source, or when access has been temporarily suspended for certain research records.

When must covered entities respond to access requests?

You must respond without unreasonable delay and no later than 30 calendar days from receipt. If you need more time, you may take one 30-day extension by sending written notice before the initial deadline that explains the reason for delay and provides a new completion date; follow any stricter state deadlines.
