Is Looking Up Your Own Medical Record a HIPAA Violation? Explained


Kevin Henry

HIPAA

September 30, 2024

7 minutes read

HIPAA Privacy Rule Overview

The HIPAA Privacy Rule sets national standards for how covered entities and their business associates use and disclose protected health information (PHI). It governs providers, health plans, and clearinghouses—not patients. When you, as a patient, look up your information through approved channels, it is not a HIPAA violation.

If you work for a covered entity, accessing your own chart through the electronic health record (EHR) outside the patient access process can violate organizational policy and constitute an impermissible use under HIPAA. Employees should use the patient portal or submit a formal request like any other patient. This article explains your Individual Access Rights, key exceptions, Reasonable Copying Fees, the role of State Medical Record Laws, and practical steps for Written Access Requests.

Rights to Access Personal Medical Records

Under the HIPAA Privacy Rule, you have the right to inspect or obtain a copy of PHI in your designated record set, which typically includes medical and billing records used to make decisions about you. These Individual Access Rights apply regardless of whether records are on paper or electronic.

You can choose the form and format (for example, electronic PDF or paper) if the provider can readily produce it. Providers must respond within 30 calendar days of receiving your request, with one permitted 30-day extension when they provide a written reason for the delay. The “minimum necessary” rule does not limit what you may receive about yourself.

You may also direct a provider to send a copy to someone you designate (for example, a caregiver or another provider). Many organizations offer secure portals that let you view, download, and transmit parts of your record online.

Exceptions to Access Rights

Unreviewable denials (no right to an independent review)

  • Psychotherapy Notes Exception: You do not have a right of access to psychotherapy notes kept separately by a mental health professional. These are distinct from general mental health records such as diagnoses, medications, or treatment plans.
  • Information compiled for, or in reasonable anticipation of, a civil, criminal, or administrative action or proceeding.
  • Information obtained from someone other than a health care provider under a promise of confidentiality, where access would likely reveal the source.
  • During research that includes treatment, if you agreed in advance to suspend access while the study is in progress; access is restored once the research is complete.
  • For inmates, a correctional institution (or a provider acting under its direction) may refuse to provide copies if doing so would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or others; inspection can still be allowed consistent with security needs.

Reviewable denials (you may request an independent review by a licensed health care professional)

  • A licensed health care professional has determined that access is reasonably likely to endanger the life or physical safety of you or another person.
  • The record refers to another person (other than a health care provider) and a licensed professional has determined that access is reasonably likely to cause substantial harm to that person; providers may release the rest of the record with that portion redacted.
  • The request comes from your personal representative and a licensed professional has determined that access is reasonably likely to cause substantial harm to you or another person.

If access is denied, you must receive a written denial, in plain language, explaining the basis, your review rights (when applicable), and how to submit a complaint to the provider and to the federal regulator. A denial must be limited to the affected portion of the record: the provider still has to give you access to everything else you requested.

Reasonable Fees for Record Access

Providers may charge Reasonable Copying Fees that reflect only the cost of: labor for copying (not searching or retrieval), supplies (paper, toner, USB), postage, and preparing a summary or explanation if you request it. For electronic copies of records maintained electronically, per‑page fees are not appropriate.

Covered entities can calculate fees by actual cost, an average cost schedule, or a flat fee for certain electronic copies delivered electronically (many use a flat fee not exceeding $6.50 as a compliant option). They should disclose their fee method on request and may require prepayment of the copy fee, but cannot condition treatment on paying for copies.

Inspecting records on-site is generally free; fees apply to providing copies or summaries. Fees for third‑party requests made outside HIPAA’s patient access process may follow different rules; ask how the provider will calculate them.


Impact of State Laws

HIPAA sets a federal floor. State Medical Record Laws that are more protective of privacy or that give you greater or faster access are not preempted and will control. Examples include shorter response deadlines, lower fee caps, special rules for minors, or additional mental health protections.

When state law allows higher fees or longer timelines than HIPAA, HIPAA’s stricter standard prevails. Because details vary widely, providers should map their policies to both HIPAA and applicable state requirements.

Procedures for Requesting Records

Step‑by‑step Written Access Requests

  • Identify the holder: contact the provider’s Health Information Management (HIM) or Release of Information (ROI) department, or use the patient portal.
  • Describe what you want: specify date ranges, document types, and whether you want inspection, a copy, or both. State your preferred form and format (for example, “electronic PDF via secure email”).
  • Designate recipient: if you want records sent to a third party, provide the person’s name and address or email.
  • Verify identity: include your full name, DOB, contact information, and any required ID. Sign and date the request.
  • Track deadlines: note the submission date; expect action within 30 days. If delayed, you should receive a written explanation and the extension date.
  • Handle fees: ask for an itemized estimate of Reasonable Copying Fees before the records are released.
  • Appeal denials: for reviewable denials, request a review by a licensed health care professional not involved in the original decision. You may also submit a complaint to the provider’s privacy officer or to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which enforces the Privacy Rule.

If you are employed by the provider, do not open your own chart in the EHR for personal use. Use the portal or the ROI process to avoid policy and HIPAA violations.

Best Practices for Healthcare Providers

  • Adopt and enforce a clear policy: workforce members must access their own PHI only through the portal or the ROI workflow—not through role‑based EHR privileges.
  • Train staff regularly on Individual Access Rights, the Psychotherapy Notes Exception, response timelines, and when denial review is required.
  • Implement role‑based access controls, “break‑glass” workflows, and routine audit log reviews to detect unauthorized access.
  • Offer multiple access channels (portal, mail, secure email, in‑person) and honor requested form/format when readily producible. Remember: the minimum necessary standard does not apply to disclosures to the individual.
  • Publish and use a cost‑based fee schedule for copies; avoid retrieval fees and per‑page charges for electronic records; provide itemized estimates on request.
  • Track right‑of‑access metrics (turnaround time, denials, complaints) and reconcile policies with State Medical Record Laws to meet the most protective standard.
  • Document denials thoroughly, including review rights and how individuals can escalate concerns.
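The audit-log review in the list above is where the employee self-access scenario from earlier in this article actually gets caught. The following is an added example, not code from this article or from Accountable, showing one way to run that check: it joins EHR audit records against a mapping of workforce user IDs to their own patient MRNs and flags any access to one's own record that did not go through the patient portal or the ROI workflow. The CSV schema, the column names, the user IDs, the MRNs and every log line are constructed for this illustration and are assumptions, not the output of any real EHR product; a real deployment would build the workforce-to-MRN mapping from HR records and the patient master index.

```python
"""Flag workforce members who open their own chart through role-based EHR access.

Added illustration: the audit-log schema, user IDs, MRNs and log lines below are
constructed for this example and do not come from any real EHR product.
"""
import csv
import io
from dataclasses import dataclass

# Assumed mapping from workforce user ID to that person's own patient MRN.
# A real deployment would build this from HR records and the patient master index.
WORKFORCE_MRN = {"jdoe": "MRN-1001", "asmith": "MRN-2002"}

# Channels that are the sanctioned patient access process, not EHR role privileges.
SANCTIONED_CHANNELS = {"patient_portal", "roi_request"}

# Constructed sample audit log (CSV). "channel" is the access path; "break_glass"
# records whether an emergency override was invoked for the access.
SAMPLE_AUDIT_LOG = """\
timestamp,user_id,patient_mrn,action,channel,break_glass
2024-09-30T08:01:00Z,jdoe,MRN-3003,view,ehr,false
2024-09-30T08:05:00Z,jdoe,MRN-1001,view,ehr,false
2024-09-30T09:10:00Z,jdoe,MRN-1001,download,patient_portal,false
2024-09-30T10:00:00Z,asmith,MRN-2002,view,ehr,true
2024-09-30T11:30:00Z,bjones,MRN-4004,view,ehr,false
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user_id: str
    patient_mrn: str
    action: str
    severity: str
    reason: str


def parse_audit_log(text: str) -> list[dict[str, str]]:
    """Parse CSV audit records into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_self_access(records, workforce_mrn=WORKFORCE_MRN) -> list[Finding]:
    """Return one Finding per access where a workforce member opened their own
    record outside the sanctioned channels.

    Portal and ROI accesses are skipped because they are the approved path.
    Break-glass on one's own record is flagged at lower severity so the
    documented emergency justification is reviewed rather than auto-escalated.
    """
    findings = []
    for rec in records:
        own_mrn = workforce_mrn.get(rec["user_id"])
        if own_mrn is None or rec["patient_mrn"] != own_mrn:
            continue  # not the user's own record (other-patient snooping is a separate check)
        if rec["channel"] in SANCTIONED_CHANNELS:
            continue  # approved patient access process
        if rec["break_glass"].strip().lower() == "true":
            severity = "medium"
            reason = "break-glass override used on own record; verify the documented emergency"
        else:
            severity = "high"
            reason = "own record opened through role-based EHR privileges"
        findings.append(Finding(rec["timestamp"], rec["user_id"], rec["patient_mrn"],
                                rec["action"], severity, reason))
    return findings


def run_sample() -> list[Finding]:
    """Run the detection over the constructed sample log."""
    return find_self_access(parse_audit_log(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.timestamp} {f.severity.upper():6} {f.user_id} -> {f.patient_mrn} "
              f"({f.action}): {f.reason}")
```

On the sample log this produces two findings: jdoe viewing MRN-1001 through the EHR at 08:05 (high) and asmith using break-glass on MRN-2002 (medium). The portal download of the same record is not flagged because it went through the approved channel, and jdoe's view of MRN-3003 is out of scope here since it is someone else's record; snooping on other patients needs its own detection keyed on treatment relationship rather than identity.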

Conclusion

Accessing your own information through approved channels is not a HIPAA violation. HIPAA grants broad access rights, narrows them with defined exceptions, and permits only Reasonable Copying Fees. Follow clear Written Access Requests and, where applicable, stricter state rules to ensure timely, compliant access for every patient.

FAQs

Can I view my medical records online?

Often, yes. Many providers offer secure patient portals where you can view test results, visit notes, medications, and billing information. If a portal is unavailable or incomplete, you can request an electronic copy in your preferred format through the HIPAA access process.

Are there any parts of my medical record I cannot access?

Yes. You do not have a right of access to psychotherapy notes kept separately (the Psychotherapy Notes Exception) or to information prepared for legal proceedings. Access may also be denied or limited in specific situations—such as safety risks, confidential source protection, certain research agreements, or correctional security concerns.

Can a provider charge for providing my records?

Yes, but only Reasonable Copying Fees tied to the actual cost of copying, supplies, postage, and any requested summary. Searching or retrieval fees are not permitted. For electronic copies, per‑page fees are not appropriate, and some providers use a compliant flat fee option for e‑delivery.

How do state laws affect HIPAA access rights?

State Medical Record Laws that give you faster access, lower fees, or stronger privacy protections take precedence over HIPAA’s floor. When state law is less protective or conflicts with HIPAA, HIPAA prevails. Always consider both sets of rules; providers should follow the standard that most favors the patient.
