HIPAA Right to Access PHI: What You Can Request and How to Get It

Kevin Henry

HIPAA

March 15, 2024

8 minutes read
Right to Access PHI

You have a clear right under the HIPAA Privacy Rule to inspect and receive copies of your protected health information (PHI) held by covered entities, such as health care providers and health plans. This right applies whether your records are on paper or in electronic systems.

The right covers the “designated record set,” including medical and billing records, laboratory and imaging reports, medication lists, care plans, claims and enrollment files, and other clinical documentation used to make decisions about you. You may ask to inspect records on-site, obtain a copy, or receive a summary if you agree to any summary fee in advance.

You do not need a patient authorization to access your own PHI. A covered entity cannot deny you because of unpaid bills or because your records are stored off‑site or with a vendor.

  • What you can request: complete charts for specific dates, labs, images and reports, visit notes, vaccination records, care summaries, and billing statements.
  • What you cannot demand: that the covered entity create new records or perform analyses beyond copying what already exists in the designated record set.

Requesting Access

You can submit an access request through a patient portal, by email or mail, by fax, or in person. A covered entity may require that requests be made in writing and may ask you to use its own form, but only if doing so does not create a barrier to, or unreasonably delay, your access. If you submit your own written request with the needed details, it should not be rejected simply because it is not on the entity's form.

Include the essentials to avoid delays: your full name and date of birth, the specific records and date range, the form and format you want, where and how to deliver them, and your signature and date. Keep a copy of your request and note the date submitted.

Do not confuse an access request with a patient authorization. Authorization forms are typically used for discretionary disclosures; your right to access stands on its own and should be honored without extra conditions when you request your own PHI.

  • Be specific about dates of service and locations of care.
  • State your preferred delivery method (for example, unencrypted email after risk acknowledgement, mail, portal download, or pick‑up).
  • Ask for an itemized fee estimate in advance, if any.

Format of Access

You may choose the form and format of your records if they are readily producible that way. If your provider uses electronic health records, you can receive an electronic copy. If the requested format is not readily producible, you and the provider should agree on a readable alternative.

Common options include secure portal download, encrypted or unencrypted email (after being advised of risk), PDF or text files, and mailed paper copies. If you request physical media such as a CD or USB drive and it is readily producible, the provider should accommodate or offer a comparable option.

If you ask for unencrypted email, the provider must first warn you of potential risks. After you acknowledge those risks, the provider should send the records in that manner.

Transmission to Third Parties

You may direct a provider to transmit an electronic copy of your PHI from an electronic health record to a third party you designate. Your request must be signed and in writing and must clearly identify the recipient and where to send the information.

Include the recipient’s name or organization, the email or mailing address, the specific records and date range, and your signature and date. This right to direct transmission is different from a patient authorization; when your request meets HIPAA’s access requirements, it should be processed under the access pathway.

If you ask a provider to send records that are not in an electronic health record, many organizations will still honor your request; some may instead ask for a patient authorization. Clarify which pathway they will use and any fee implications before proceeding.


Verification of Identity

Covered entities must verify the identity of the person making an access request using reasonable procedures that confirm who you are without creating barriers. The goal is to protect your privacy while ensuring timely access.

Acceptable methods include verifying government‑issued ID, confirming known demographic details, calling a known phone number, or relying on patient portal authentication. Requiring notarization or in‑person appearance when other reliable methods are available is generally unreasonable.

  • Do: use portal login, provide a copy of ID, or confirm known information.
  • Don’t: accept processes that cause undue delay when simpler verification works.

Exceptions to Access

HIPAA recognizes narrow exclusions. The psychotherapy notes exclusion applies to a mental health professional’s separate psychotherapy notes; it does not include general progress notes, diagnoses, medications, or treatment plans in your medical record. Information compiled for use in civil, criminal, or administrative proceedings is also excluded.

Access may be denied in limited, reviewable situations—for example, if a licensed professional determines access is reasonably likely to endanger life or physical safety, or if revealing another person’s identity would cause substantial harm. Some records may be temporarily unavailable during active research if you previously agreed to suspend access until the study ends.

If you are denied in a reviewable situation, you can request a second, independent review by a licensed professional not involved in the original decision. You are also entitled to a written denial explaining the basis, your rights to review, and how to submit a complaint.

Timeliness of Response

HIPAA requires providers and health plans to act on your request no later than 30 calendar days after receiving it. If they cannot meet that deadline, they may take one 30‑day extension, but only if they send you a written notice before the first 30 days expire explaining the reason for the delay and the date by which they will complete the request.

Some state laws set shorter timelines. Providers must follow the rule that is more protective of you. The clock generally starts when the covered entity receives your request in a manner it accepts, not when a third‑party vendor later downloads it.

Acting on a request means fulfilling it, issuing a proper denial, or sending a valid extension letter. Delays cannot be used to pressure payment of unrelated bills or because records are stored off‑site.

Fees for Access

Any fee must be reasonable and cost‑based, limited to labor for copying (including creating an electronic copy), supplies like paper or media, postage if mailed, and preparing a summary if you specifically agree to receive one. Providers cannot charge for searching, retrieving, storing, or maintaining systems.

Per‑page fees are not allowed for electronic copies of PHI that is maintained electronically. For such copies, a covered entity may charge its actual costs, its average costs, or a flat fee of no more than $6.50 that covers all labor, supplies, and postage. You can ask for an itemized breakdown and a fee estimate before the provider proceeds.

If a request is processed under a patient authorization instead of the HIPAA access pathway, different fee rules may apply. Note also that the HIPAA fee limits apply to copies provided to you; following a 2020 federal court decision, HHS has stated that they do not apply when you direct a covered entity to send your records to a third party. When you want the cost protections of the access right, clearly state that you are making a HIPAA access request for copies of your own records.

  • To reduce costs: request electronic delivery, narrow the date range, and decline extras you do not need.
  • Ask for portal download when available; it is often the fastest and least expensive route.

Conclusion

Your HIPAA right to access PHI gives you practical control over your health information. By making a clear request, choosing the format you prefer, understanding verification and exceptions, knowing the 30‑day response deadline, and confirming fees in advance, you can obtain the protected health information you need without unnecessary delay or cost.

FAQs

What types of PHI can I access under HIPAA?

You can access PHI in the designated record set, including medical and billing records, lab and imaging reports, medication lists, care summaries, claims and enrollment files, and most provider notes. Psychotherapy notes kept separate and information prepared for legal proceedings are excluded.

How do I submit a request to access my PHI?

Send a written request via portal, email, mail, fax, or in person. Specify what you want, the date range, your preferred form and format, and how to deliver it. Sign and date the request, and keep a copy. You do not need a patient authorization to access your own records.

What formats can PHI be provided in?

Covered entities must provide the form and format you request if readily producible—for example, portal download, PDF, text file, encrypted or unencrypted email (after risk acknowledgement), or mailed paper copies. If your provider uses electronic health records, you can receive an electronic copy.

Are there any exceptions to accessing my PHI?

Yes. The psychotherapy notes exclusion applies to separate psychotherapy notes, and information compiled for legal proceedings is not accessible. Access may also be denied in limited, reviewable situations, such as when a licensed professional determines access is likely to endanger life or physical safety.
