How to Deny a Medical Records Request: HIPAA-Compliant Reasons, Steps, and Sample Letter



Kevin Henry

HIPAA

January 09, 2026


When you must deny access to records, your response has to be precise, fair, and compliant. This guide explains how to deny a medical records request under HIPAA, from valid grounds and decision steps to crafting a clear notice and using a sample denial letter.

You will learn the HIPAA-approved reasons for refusal, how to communicate the decision, and how to honor the requestor’s Right to Access Review when the Substantial Harm Criterion applies.

Grounds for Denial of Medical Records Access

Items categorically excluded from access

  • Psychotherapy Notes Exclusion: Psychotherapy notes kept separate from the medical record are not accessible to the individual.
  • Legal Proceedings Documents: Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding is excluded.

Unreviewable grounds for denial

  • Inmate safety or security would be jeopardized by providing a copy while the individual is in a correctional institution.
  • Research with suspended access: If the individual agreed to a temporary suspension of access when consenting to research that includes treatment and the study is still in progress.
  • Access otherwise prohibited by other applicable law (for example, certain CLIA-exempt research records not used for diagnosis or treatment).

Reviewable grounds for denial (Substantial Harm Criterion)

  • A licensed health care professional determines access is reasonably likely to endanger the life or physical safety of the individual or another person.
  • The record references another person (not a health care provider) and access is reasonably likely to cause substantial harm to that person.
  • The request is made by a personal representative and access is reasonably likely to cause substantial harm to the individual or another person.

What are not valid reasons

  • Unpaid bills, fear of embarrassment, or concern that the patient might disagree with your clinical judgment.
  • General policy barriers (for example, “we never release X”) that conflict with the right of access to the designated record set.

Determining Valid Denial Reasons

Step 1: Confirm scope and identity

Verify the requestor’s identity and authority, then confirm the request targets the designated record set (medical and billing records and other records used to make decisions about the individual). Clarify dates, locations, and formats to avoid unnecessary denials.

Step 2: Map the request to HIPAA categories

  • Does the requested content fall under the Psychotherapy Notes Exclusion or Legal Proceedings Documents? If yes, denial is appropriate.
  • Do unreviewable grounds apply (for example, inmate safety or access suspended during active research)? If yes, deny without review rights.
  • Does the Substantial Harm Criterion apply? If a licensed professional makes that determination, the individual gains Right to Access Review.

Step 3: Consider partial access and alternatives

If only part of the record meets a denial ground, provide the rest. Offer a summary or explanation if requested and agreed to by the individual. If you do not maintain the records but know who does, identify that entity to the requestor.

Step 4: Document the decision

Record your analysis, the specific HIPAA basis, the professional determination (if applicable), and the date. This supports Covered Entity Obligations for accountability and consistent handling.

Drafting a Written Denial Notice

Denial Notification Requirements

  • Clear basis for denial citing the applicable HIPAA ground.
  • Whether the denial is whole or partial and which portions are being provided.
  • Notice of Right to Access Review, when applicable, and how to request it.
  • How to file a complaint with your organization’s privacy office and with the U.S. Department of Health and Human Services’ Office for Civil Rights.
  • Name or title and phone number of a contact person who can assist the individual.
  • If you do not maintain the PHI but know who does, the name or address of the entity believed to maintain it.

Tone, clarity, and timelines

Use plain language, avoid jargon, and explain what the individual still can access. Provide the written denial within HIPAA’s 30-day response window (or within the extended period if you invoked a one-time 30-day extension with written notice).

Notifying the Requestor of Review Rights

When review rights apply

Review rights apply only when denial is based on the Substantial Harm Criterion. The individual may request a review by a licensed health care professional not involved in the original decision.

How to structure the review process

  • Explain how to submit a review request (to whom, where, and by what means).
  • Assign an independent reviewer who was not part of the initial denial.
  • Ensure the reviewer makes a determination promptly and document it.
  • Follow the reviewer’s decision—if the reviewer overturns the denial, provide access without delay.

Keep communication transparent. Let the individual know expected timeframes, what evidence will be considered, and how the outcome will be communicated.


Using a Sample Denial Letter

Fill-in template you can adapt

Date: [Month Day, Year]
To: [Individual’s Name and Address]

Re: Request for Access to Medical Records Dated [Request Date]

Dear [Name],

We reviewed your request to access your medical records dated [Request Date]. After careful consideration, we are denying access [in whole / in part] for the following HIPAA-permitted reason(s):

• Basis for denial: [e.g., Psychotherapy Notes Exclusion / Information compiled for Legal Proceedings Documents / Determination of substantial risk of harm to you or another person].
• Records affected: [Describe which portions are denied and which, if any, are available].

If the denial is based on the Substantial Harm Criterion, you have the Right to Access Review. To request a review, please send a written request to:
[Reviewer/Privacy Officer Name], [Title]
[Mailing Address / Secure Email / Fax]
[Phone Number]

A licensed health care professional not involved in the original decision will review your request promptly. We will follow the reviewer’s decision.

If we do not maintain the requested records but believe they are maintained by another entity, that entity is: [Name/Address, if known].

You may also file a complaint with our Privacy Office or with the U.S. Department of Health and Human Services, Office for Civil Rights. Filing a complaint will not affect your care.

Contact:
[Privacy Officer or Contact Name], [Title]
[Phone Number]

Sincerely,
[Authorized Signer]
[Title]
[Covered Entity Name]

Before sending, verify dates, the specific HIPAA ground, what portions you can release, and the correct contact information. Keep a copy of the letter and all supporting documentation for your records.

Ensuring HIPAA Compliance

Operational safeguards and training

  • Standardize intake, evaluation, and response timelines to meet Covered Entity Obligations.
  • Train staff to recognize valid grounds, apply the Substantial Harm Criterion correctly, and trigger Right to Access Review when required.
  • Use checklists to ensure Denial Notification Requirements are met in every letter.

Documentation and quality assurance

  • Maintain logs of requests, decisions, review outcomes, and fulfillment dates.
  • Audit partial denials to confirm remaining portions were provided promptly and in the requested format when readily producible.
  • Escalate complex cases to privacy/legal leaders and align procedures with current federal and applicable state laws.

Fee and fairness considerations

Do not condition access on payment of unrelated bills. Reasonable, cost-based fees apply to copies you provide, not to evaluating a request or preparing a denial. Always aim for the least restrictive response, providing what you can.

FAQs

What are valid reasons to deny a medical records request?

Valid reasons include the Psychotherapy Notes Exclusion, information prepared for Legal Proceedings Documents, unreviewable scenarios like inmate security or research with suspended access, and reviewable denials under the Substantial Harm Criterion made by a licensed professional.

How long do you have to respond to a request you intend to deny?

You must respond to the access request within 30 calendar days of receipt. If you deny, the written denial must be issued within that same timeframe. You may take one 30-day extension if you send a written notice explaining the delay and the new date.

Can denial decisions be appealed?

Yes, but only for denials based on the Substantial Harm Criterion. The individual has a Right to Access Review by a licensed health care professional not involved in the initial decision, and you must follow the reviewer’s determination.

What information must be included in a denial letter?

State the specific HIPAA basis for denial, identify what portions (if any) will still be provided, explain review rights and how to exercise them, describe complaint options, provide a contact person’s name or title and phone number, and if another entity maintains the records, identify that entity.
