HIPAA Patient Right to Access PHI: What You’re Entitled To, How to Request It, and Response Deadlines



Kevin Henry

HIPAA

February 27, 2024


Right to Access Protected Health Information

Your HIPAA patient right to access PHI gives you the ability to see, obtain, and use copies of your health information held by covered entities, such as doctors, hospitals, and health plans. This right of access to protected health information supports transparency, continuity of care, and informed decision-making.

You may inspect your records in person or receive a copy. You can ask that your information be sent to you, to your personal representative, or—when applicable—to a third party you designate. Covered entities must act on your request and cannot place unreasonable barriers in your way.

Identifying Designated Record Sets

Designated Record Set Definition

Your right of access applies to information in a “designated record set” (DRS)—the records a covered entity uses to make decisions about you. This typically includes medical and billing records at a provider, and enrollment, claims, payment, case management, or appeals records at a health plan.

Common DRS examples include clinical notes, test results, imaging reports, problem lists, medication histories, care plans, and billing statements. Information not used to make decisions about you—such as business planning files, quality improvement worksheets, or peer review notes—usually falls outside the DRS.

Key Exclusions

  • Psychotherapy notes kept separate from the medical record.
  • Information compiled for, or in reasonable anticipation of, legal proceedings.
  • Certain limited categories specified by regulation or other law.

Submitting a Request for PHI Access

How to Make the Request

You do not need to cite HIPAA or use legal language. Provide a clear, written request that specifies exactly what you want, the date range, and the preferred form and format (for example, PDF via secure email, portal download, or paper). A request written this way follows standard HIPAA access request procedures and speeds processing.

Identity Verification and Reasonable Measures

Covered entities may verify your identity, but they cannot require burdensome steps—such as in‑person visits when a remote option is reasonable. They should offer convenient channels (portal, email, mail, or fax) and provide assistance if you need help narrowing scope or choosing a format.

Directing Records to Others

You can ask that an electronic copy of PHI maintained in an electronic health record be sent to a designated third party. Include the third party’s name and address (or email) and sign the directive. This is distinct from a general HIPAA authorization and streamlines requests to disclose PHI to a third party.

Covered Entity Response Timeframes

Covered entities must act on your request no later than 30 calendar days after receipt. “Act on” means providing access, issuing a written denial (with reasons and appeal/review rights, if applicable), or sending a written notice explaining a delay.

If they cannot meet the initial 30-day period, they may take one extension of up to 30 additional days. The written extension notice must explain the reason for the delay and the date by which they will complete the request. In limited cases where records are not maintained on-site, a 60-day timeframe may apply.

If a state law sets a shorter deadline, the covered entity must follow the more protective rule. Many organizations adopt internal targets (for example, 15 days) to ensure timely response and reduce compliance risk.


Access Form and Format Requirements

Your Preferred Form and Format

Covered entities must provide PHI in the form and format you request if it is readily producible that way. Examples include an electronic copy (PDF, CCD, or machine-readable file) via secure portal, encrypted email, CD, or USB, or a paper copy by mail or pickup.

Electronic Delivery and Security

If your chosen electronic method is not readily producible, the entity should propose an alternative you can accept. You may request unencrypted email after being advised of associated risks. The entity should document your preference and proceed accordingly.

Summaries and Explanations

You may request a summary or explanation of your PHI. The entity must obtain your agreement, including any cost disclosure, before preparing it. This can be useful when you want a concise narrative rather than a full record pull.

Handling Denials of Access

Common Grounds for Denial

  • Exclusions: psychotherapy notes and information compiled for legal proceedings.
  • Inmate safety or security concerns in correctional settings.
  • Research-related temporary suspension when you previously agreed to it.
  • Records obtained from a confidential source under a promise of confidentiality.

Reviewable Denials

Some denials require a second-level review by a licensed professional not involved in the original decision. Examples include when access is reasonably likely to endanger the life or physical safety of you or another person, or when a personal representative’s access is likely to cause substantial harm.

What a Denial Must Include

The denial letter must state the basis for denial, whether you have a right to review, how to exercise that right, and how to complain to the covered entity or to the regulator. Even with a partial denial, you must be given access to any non‑denied portions of the DRS.

Fees and Third-Party PHI Requests

Cost-Based Copy Fees

Entities may charge only reasonable, cost-based fees for copies. Allowable components include labor for copying (and creating an electronic copy), supplies (paper, CD, USB), postage when mailed, and any agreed-upon cost to prepare a summary. They may not charge fees for retrieval, verification, maintaining systems, or other overhead.

Per-page fees are not permitted for electronic copies of PHI. For paper copies, per-page charges may be used only if they reflect actual allowable costs. Many states cap copy fees; covered entities must follow the rule most protective of you.

Third-Party PHI Disclosure Requests

When you direct an electronic copy of your PHI maintained in an EHR to a third party, the same cost-based limits apply. If a third party requests your records for its own purposes, the request typically must be supported by your HIPAA authorization, and different fee rules may apply under that process.

Conclusion

Your HIPAA Patient Right to Access PHI ensures you can see and obtain the information used to make decisions about you. Make a clear, targeted request, specify your preferred format, and expect a prompt response under defined timeframes. If issues arise, you have pathways to appeal denials and to challenge improper fees.

FAQs

What types of PHI can patients access?

You can access information in the designated record set, such as medical and billing records at providers and enrollment, claims, payment, and case management records at health plans. Psychotherapy notes kept separate and information prepared for legal proceedings are excluded.

How long do covered entities have to respond to access requests?

They must act within 30 calendar days of receiving your request. If they cannot meet that deadline, they may take one additional 30-day extension with written notice explaining the reason and the date they will fulfill the request. Limited off‑site scenarios may allow up to 60 days.

Can patients request PHI in electronic format?

Yes. If the PHI is readily producible in the electronic form and format you request, the covered entity must provide it that way. You can also direct an electronic copy of PHI maintained in an EHR to a third party you choose.

When can access to PHI be denied under HIPAA?

Access can be denied for excluded categories (for example, psychotherapy notes or information prepared for legal proceedings) and in limited safety or confidentiality scenarios. Some denials must be reviewed by another licensed professional, and you must still receive any non‑denied portions of your records.
