How to Handle Patient Record Requests Under HIPAA: A Step-by-Step Compliance Guide
Verify Requestor Identity and Authority
Start by confirming who is asking for access to Protected Health Information and what authority they have. Identify whether the request comes from the patient, a personal representative, a third party named by the patient, or an entity relying on another legal basis (for example, a court order).
- Patient: Verify identity using reliable proof (government photo ID in person; portal login, knowledge-based questions, or a verified signature for remote requests).
- Personal representative: Collect documents showing authority under applicable law (e.g., health care power of attorney, guardianship, or executor/administrator for a decedent’s estate). Verify identity of the representative as well.
- Third party: Require a valid HIPAA Authorization signed by the patient or a clear, signed directive from the patient instructing you to send records to a named recipient and address.
- Legal process: For subpoenas, court orders, or other legal demands, confirm scope and sufficiency before any disclosure.
Apply the minimum necessary standard to most disclosures, but remember it does not apply when the patient—or their authorized personal representative—exercises the right of access. Keep a record of how identity and authority were verified as part of your record release procedures.
Determine Designated Record Set
Decide what information falls within the Designated Record Set (DRS)—the medical and billing records and other records you use to make decisions about the individual. This includes data maintained by your business associates on your behalf.
- Common inclusions: electronic health record data, clinical notes (excluding psychotherapy notes), test results, medication histories, problem lists, care plans, billing statements, and claim records used to make decisions about the patient.
- Common exclusions: psychotherapy notes; information compiled for use in civil, criminal, or administrative proceedings; quality improvement files; peer review records; compliance investigations; and business planning documents not used to make decisions about the individual.
Locate all systems containing DRS components—EHR, imaging, lab systems, billing platforms, and archived media—to ensure a complete response.
Review Request Details
Confirm exactly what the request covers before acting. Clarify the date range, types of records, and whether the patient seeks inspection, copies, or a summary. Verify the preferred delivery method and format (electronic versus paper) and whether a third-party recipient is specified.
- Validate the form: If using a HIPAA Authorization, ensure all required elements and statements are present and legible.
- Scope control: If the request is broad, offer to narrow it to the Designated Record Set items needed, reducing cost and turnaround.
- Sensitive categories: Some information (e.g., substance use disorder treatment records protected by federal law, or categories given extra protection under state law such as HIV, genetic testing, reproductive health, or mental health records) may require additional consents or segmentation before release.
- Risk discussion: If the patient wants unencrypted email, explain the risk and document the patient’s preference.
Provide an itemized fee estimate, if applicable, and explain the record release procedures you will follow, reinforcing patient privacy rights throughout the process.
Respond Within Required Timeframe
Track the access request timeframe from the date you receive the request. Act on it within 30 calendar days of receipt. If you cannot meet that deadline, you may take one 30-day extension by sending the requestor a written notice before the initial 30-day period ends that explains the reason for the delay and states the firm date by which you will complete the request.
- Date-stamp receipt, set internal reminders, and monitor progress across departments and business associates.
- Do not delay fulfillment while collecting unrelated balances. You may require prepayment of a reasonable, cost-based copy fee, but you cannot condition access on payment of medical bills for care.
- If only part of the request is ready, provide partial access without waiting for the full production, unless the patient prefers a single delivery.
When a request is misdirected (for example, to the wrong facility), promptly route it to the correct location or advise the requestor where to send it.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Provide Records in Requested Format
Provide copies in the form and format requested if readily producible. If your systems can generate a PDF or standard electronic format, honor that preference. If not readily producible, offer an alternative that is mutually acceptable.
- Electronic delivery: Secure portal, encrypted email, or other secure transfer. If a patient insists on unencrypted email after being warned of risks, document their choice and proceed.
- Third-party delivery: Send the records directly to the named recipient identified by the patient’s signed request or HIPAA Authorization.
- Summaries: You may provide a summary or explanation if the patient agrees in advance to this approach and any related fees.
- Fees: Limit charges to a reasonable, cost-based fee for labor to copy, supplies (e.g., paper, USB), and postage. Do not charge retrieval or access fees unrelated to copying and delivery.
Ensure the production is complete, legible, and includes all Designated Record Set components requested, with pagination or file labeling that supports easy navigation by the recipient.
Document Request Process
Create a complete audit trail for every request. Good documentation shortens investigations, supports compliance, and improves patient experience.
- Log details: date received, patient identifiers, requestor identity/authority, scope, systems searched, and delivery preferences.
- Track actions: who processed the request, dates of internal approvals, communications, and handoffs to business associates.
- Keep artifacts: copies of the request, HIPAA Authorization or patient directive, identity verification, fee calculation, invoices, receipts, the records released, and any extension or denial letters.
- Retention: Preserve your request logs and related documentation for at least six years, consistent with HIPAA recordkeeping requirements.
Use standardized record release procedures and checklists so staff can follow the same steps every time.
Handle Denials Appropriately
Deny access only when allowed by HIPAA and applicable law, and limit the denial to the specific information that qualifies. Whenever feasible, provide any portions that can be segregated and released.
- Mandatory exclusions: psychotherapy notes and information compiled for use in legal proceedings are not accessible under HIPAA’s right of access.
- Other permitted denials: research records while participation is ongoing if the individual agreed to temporary suspension of access; certain correctional institution circumstances; and situations where a licensed professional determines access is reasonably likely to endanger life or physical safety.
- Personal representative limits: you may deny a representative’s request when, in professional judgment, it is not in the best interests of a minor or an individual who may be subject to abuse, neglect, or endangerment.
Provide a timely, written denial stating the basis for denial, how the individual may request a review (for reviewable grounds), and how to submit a complaint. Explain the complaint filing process with your privacy office and the option to file with the U.S. Department of Health and Human Services Office for Civil Rights. Keep a copy of the denial and your rationale.
When you follow these steps—verifying authority, focusing on the Designated Record Set, clarifying scope, meeting the access request timeframe, delivering in the requested format, documenting thoroughly, and using narrow, well-explained denials—you protect patient privacy rights and maintain durable HIPAA compliance.
FAQs
What identifies an authorized requestor under HIPAA?
An authorized requestor is the patient, a verified personal representative with lawful authority, or a third party named by the patient through a valid HIPAA Authorization or a signed directive instructing you to send records to a specific recipient. Requests based on subpoenas or court orders must be reviewed for scope and sufficiency before any disclosure.
How long do providers have to respond to record requests?
Providers must act on a request within 30 calendar days of receipt. If more time is truly necessary, one 30-day extension is allowed by sending written notice before the initial deadline that explains the reason for delay and provides a definite completion date. If state law imposes a shorter deadline, meet the shorter timeframe.
What records can be lawfully denied for access?
You may deny access to psychotherapy notes and to information compiled for use in legal proceedings. You may also deny in limited cases such as certain correctional settings, ongoing research when the individual agreed to temporary suspension of access, or when a licensed professional determines access would endanger life or physical safety. Records outside the Designated Record Set (e.g., peer review or quality improvement files) are not subject to the right of access.
How should providers document patient record requests?
Maintain a request log capturing receipt date, patient identifiers, requestor identity and authority, scope, systems searched, delivery method, and deadlines. Keep copies of the request, HIPAA Authorization or patient directive, identity verification, fee calculations, records released, and any extension or denial letters. Retain these materials for at least six years as part of your compliance file.