Patient Right to Access PHI Under HIPAA: What You Need to Know



Kevin Henry

HIPAA

March 30, 2024

7 minutes read

Right to Access PHI

Under the HIPAA Privacy Rule (45 CFR 164.524), you have the right to inspect and obtain a copy of your Protected Health Information (PHI) held in a designated record set by a covered entity, such as a health care provider or health plan. This includes the ability to direct the entity to send a copy to you or to a third party you designate.

Your right applies to PHI maintained in paper files and in Electronic Health Records (EHRs). The "minimum necessary" standard does not apply to disclosures made to you: you are entitled to your own information within the scope described below. Vendors that handle PHI for a covered entity (business associates) must, under their business associate agreements, make that PHI available so the covered entity can fulfill your request, and they may not obstruct your access.

Covered entities may not impose unreasonable barriers. They cannot force you to use a portal if you request another readily producible form, and they must provide access in a timely, workable manner with only limited, cost-based fees for copies.

Designated Record Set

Your access right covers the "Designated Record Set" (DRS): the group of records maintained by or for a covered entity that is used, in whole or in part, to make decisions about you. This typically includes medical and billing records and any other records the entity uses to decide on your treatment, benefits, or coverage.

What is typically included

  • Clinical information in the EHR: history, exam notes, test results, imaging reports, medication lists, care plans, and discharge summaries.
  • Billing and claims records, remittance information, and explanations of benefits maintained by a health plan.
  • Case management, utilization review, and care coordination records used to make decisions about you.

What is typically not included

  • Quality assurance, peer review, or patient safety work product not used to make decisions about you.
  • Business planning, management, or analytics records (e.g., staffing models, contract negotiations).
  • Duplicate or convenience copies kept solely for administrative ease.

Exceptions to Access

HIPAA recognizes two narrow categories of information that are excluded from the access right altogether, plus a limited set of situations in which access may be denied. The two categorical exclusions are:

  • Psychotherapy Notes Exception: A clinician's separate, private psychotherapy notes used for counseling sessions and kept apart from the general medical record.
  • Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Other limited situations allow denial. Some of these are reviewable, meaning you have the right to have the decision reviewed by a licensed health care professional who was not involved in the original decision: for example, when access is reasonably likely to endanger your life or physical safety or that of another person, or when the record references another person (other than a health care provider) and access is reasonably likely to cause that person substantial harm. Others are not reviewable: for example, certain research records during an active study if you agreed in advance to temporarily suspend access, and certain circumstances involving inmates where access could jeopardize safety, custody, or rehabilitation.

Even when a portion is denied, you must still receive the rest of your Designated Record Set. Covered entities must give you a written denial that explains the basis for it, tells you how to request review when the denial is reviewable, and describes how to file a complaint.

Format of Access

You may inspect records in person, obtain a copy, or both. If you request a specific form and format and it is readily producible (for example, a PDF or a particular electronic export), the covered entity must provide it that way. If not, it must offer a readable alternative that is readily producible and that you agree to.

You may also receive a summary or explanation of your PHI instead of a copy, provided you agree in advance to the summary and to any fee for preparing it. You can direct the covered entity to send a copy to a third party (such as a new provider or a caregiver); that direction must be in writing, signed by you, and must clearly identify the recipient and where to send the information.


Fees that may be charged

  • Only reasonable, cost-based fees for copying: labor to copy, supplies such as paper or a USB drive, postage if mailed, and the labor to prepare a summary or explanation you agreed to.
  • No fees for searching for, retrieving, or maintaining your records, and no per-page fees for electronic copies of PHI that is maintained electronically.

Timeliness of Access

Covered entities must provide access as soon as possible and no later than 30 calendar days after receiving your request. If they cannot meet that deadline, they may take one additional 30-day extension, but only if, within the original 30 days, they give you a written statement of the reason for the delay and the date by which they will complete the request.

Requests for a subset of records should not delay release of other readily available portions. Entities should communicate promptly if clarification is needed to fulfill your request efficiently.

Verification of Identity

Before releasing PHI, covered entities must take reasonable steps to verify that you (or your personal representative) made the request. Verification should be balanced: strong enough to protect privacy, but not so burdensome that it delays or effectively denies access.

Acceptable methods include checking government-issued ID, matching known demographic or account information, or authenticating you through a secure patient portal. Unnecessary hurdles should be avoided, such as demanding notarization, requiring in-person appearance when electronic options are feasible, or insisting on a proprietary form when you have already submitted a valid written request.

Electronic Access

If your PHI is maintained electronically and you ask for an electronic copy, you are entitled to one. The covered entity must provide it in the electronic form and format you request if that is readily producible (for example, PDF, plain text, or a common export from its Electronic Health Records system). If the requested format is not readily producible, it must offer a readable electronic form and format that you agree to.

You may request transmission by secure email, portal download, encrypted media, or another reasonable electronic method. If you prefer unencrypted email after being advised of the risks, the entity may send the copy that way and should document that you were warned and chose to accept the risk.

When vendors hold PHI on behalf of a covered entity, the business associate agreement must obligate them to make that information available so your request can be completed within the required timeframe.

Practical tips for patients

  • State exactly what you want (dates, document types, or “all records in my Designated Record Set”).
  • Specify your preferred format and delivery method in your request.
  • If you need records sent to someone else, include their name and destination address or email.
  • Ask for an estimate of any copy fees before delivery.

For covered entities

  • Offer simple, consistent request channels (portal, email, mail, or in person) and avoid unnecessary forms.
  • Document identity verification steps that are reasonable and uniformly applied.
  • Standardize electronic formats and automate fulfillment from EHRs to meet deadlines.
  • Train staff on exceptions, partial releases, and reviewable denials to prevent improper refusals.

Conclusion

HIPAA gives you a clear, enforceable right to access the PHI in your Designated Record Set, with narrow exceptions, a 30-day deadline (extendable once with written notice), and the flexibility to receive records in the form and format you request when it is readily producible. Knowing the contours of the right, including what is included, the valid exceptions, permissible fees, and reasonable identity verification, helps you obtain your information quickly and securely, especially when your records live in modern Electronic Health Records.

FAQs

What is the designated record set under HIPAA?

The Designated Record Set is the group of records a covered entity uses to make decisions about you. It commonly includes your medical and billing records and decision-making files such as case management or utilization review notes. It excludes items like peer review files, business planning documents, and other records not used to make decisions about you.

How long do covered entities have to respond to PHI access requests?

They must act as soon as possible and no later than 30 calendar days after receiving your request. If they cannot meet that deadline, they may take one 30-day extension, but only after giving you a written statement of the reason for the delay and the date by which they will complete the request.

Can patients receive their PHI electronically?

Yes. If PHI is kept electronically, you can receive an electronic copy in the form and format you request if it is readily producible; otherwise, the entity must provide an agreed, readily producible alternative. You may also direct the entity to send an e-copy to a third party.

What types of records are excluded from patient access under HIPAA?

Two categories are excluded altogether: psychotherapy notes kept separate from the general medical record, and information compiled in reasonable anticipation of, or for use in, a legal action or proceeding. Other limited denials may apply in circumstances such as a reasonable likelihood of endangering life or physical safety (reviewable), certain research arrangements during an active study, and specific situations involving inmates (not reviewable), but any non-excluded portions of your record must still be provided.
