Right of Access Under HIPAA: What It Means, What You Can Request, and How to Exercise It

Kevin Henry

HIPAA

March 03, 2026

8-minute read

The Right of Access Under HIPAA gives you a clear, enforceable way to see, get copies of, and direct the sharing of your own Protected Health Information (PHI). It applies to any Covered Entity—such as doctors, hospitals, and health plans—that maintains information about you in a Designated Record Set.

This right is purpose-agnostic: you do not need to explain why you want your records. You can choose paper or electronic copies and request Electronic Health Records Delivery to yourself or a third party you designate.

Overview of the Right of Access

HIPAA’s right of access lets you do three core things:

  • Inspect or obtain a copy of PHI about you in a Covered Entity’s Designated Record Set.
  • Have PHI sent to a third party of your choice by providing a signed request (your Access Authorization for directed disclosure).
  • Receive records in the form and format you request if readily producible, or in a reasonably accessible alternative.

Covered Entities may use Business Associates to help fulfill requests but remain responsible for meeting deadlines, honoring format preferences, and limiting fees to what HIPAA allows.

Components of Designated Record Sets

A Designated Record Set (DRS) is the collection of records a Covered Entity uses to make decisions about you. For providers, it typically includes:

  • Medical records such as histories, progress notes, lab results, imaging, operative reports, care plans, and medication lists.
  • Billing records including itemized statements, claims, and payment histories.

For health plans, it typically includes:

  • Enrollment, eligibility, premium, claims adjudication, and case or medical management records.

Common items not in the DRS (and therefore not subject to access) include quality assessment or improvement records, patient safety work-product, peer review files, business planning documents, and system logs that are not used to make decisions about you.

Exceptions to Access Rights

Unreviewable exceptions

  • Psychotherapy Notes Exception: process notes kept separately by a mental health professional for personal use.
  • Information compiled in reasonable anticipation of, or for use in, a legal action or proceeding.
  • PHI where another law specifically prohibits disclosure to the individual.

Reviewable or conditional limitations

  • Access is reasonably likely to endanger the life or physical safety of you or another person, as determined by a licensed professional.
  • PHI contains references to another person (not a provider) and disclosure is likely to cause substantial harm to that person.
  • A personal representative requests access and granting it is likely to cause substantial harm.
  • Research records that include treatment, if you agreed to temporarily suspend your access while the study is in progress.
  • Records obtained under a promise of confidentiality from a non–health care provider, if access would reveal the source.
  • Certain correctional-institution situations where providing copies would jeopardize safety, security, custody, or rehabilitation.

Procedures for Requesting Access

You may submit a written request to the Covered Entity. The request should clearly identify what you want, the dates or types of records, and your preferred format and delivery method (for example, secure email or portal download). If you want the records sent to someone else, include their name and address or email and sign the directive—this serves as your Access Authorization for directed delivery.

Entities must implement Identity Verification that is reasonable and not burdensome. They may ask for basic identifiers or a copy of an ID but cannot require you to appear in person, use only their portal, or provide a reason for your request. They should accept requests by mail, email, portal, or fax, consistent with security policies.

Response Time Requirements

Absent stricter state rules, a Covered Entity must act on your request no later than 30 calendar days from receipt. If they cannot meet the 30-day limit, they may take a single extension of up to 30 additional days, but they must send you a written notice within the first 30 days explaining the delay and giving a firm completion date.

The deadline applies even if some records are off site or held by a Business Associate. If only part of your request is ready, the entity should provide what is available while completing the remainder. Faster fulfillment is encouraged when records are readily accessible, especially for Electronic Health Records Delivery.

Formats for Access Provision

You are entitled to records in the form and format you request if the entity can readily produce them (for example, PDF, text, or a viewable image). If not, they must offer another readily usable format. Options include:

  • Electronic Health Records Delivery via portal download, secure email, or an application that connects to the EHR’s API.
  • Physical media such as paper printouts, CDs, or USB drives, if consistent with the entity’s security policies.
  • Direct transmission to a third party you designate, in the format and to the destination you specify.

You may also agree to receive an explanatory summary in place of, or in addition to, full copies. Radiology images, pathology slides (copies), and similar items fall within scope and should be provided in a usable form.

Fees and Costs Associated with Access

HIPAA permits only a reasonable, cost-based fee for copies. Permissible components are limited to:

  • Labor for copying (paper or electronic), including creating and transmitting the copy.
  • Supplies such as paper, envelopes, CDs, or USB drives when used to fulfill your request.
  • Postage, if you ask for mailed copies.
  • A summary or explanation, but only if you agree to receive and pay for it.

Prohibited charges include fees for record retrieval, verification, “handling,” maintaining systems, or access through a portal. Electronic delivery often lowers costs; you can request an estimate before proceeding. When you direct ePHI in an EHR to a third party, cost-based limits still apply to your directed request.

Conditions for Denial of Access

If your request is denied in whole or in part, the entity must provide a timely written denial explaining the basis, your rights (including the right to a review where applicable), and how to complain. A licensed professional not involved in the original decision must conduct any requested review, and the entity must follow the reviewer’s outcome.

Denials cannot be based on concerns that you might be upset, on unpaid bills, or on a preference that you use the portal instead. Even when some content is denied, you are entitled to access the portions that are not subject to an exception.

Steps to Exercise the Right of Access

  1. Define scope: list the dates, providers, and specific items you want from the Designated Record Set.
  2. Choose format: specify paper or electronic, and the exact file type if relevant (for example, PDF or JPEG for images).
  3. Decide destination: request Electronic Health Records Delivery to yourself or include a signed directive naming a third party.
  4. Prepare the request: state that it is a HIPAA Right of Access request and include any Access Authorization for directed delivery.
  5. Complete Identity Verification: provide reasonable identifying details; avoid sending sensitive IDs unless requested through a secure channel.
  6. Submit through an accepted channel: portal, secure email, mail, or fax, and keep a copy with the submission date.
  7. Track the deadline: note the 30-day response window and any single permissible extension with written notice.
  8. Review fees: ask for an estimate and request electronic copies to reduce costs; decline optional summaries if not needed.
  9. Inspect what you receive: confirm completeness; if something is missing, request the remainder or clarification.
  10. Escalate when necessary: request a review of any denials that are reviewable, and consider filing a complaint if timelines or fee limits are not honored.

In short, the Right of Access Under HIPAA lets you obtain timely, affordable copies of your PHI from a Covered Entity’s Designated Record Set in the format you prefer, with narrow exceptions and clear remedies if problems arise.

FAQs

What types of health information can individuals access under HIPAA?

You can access PHI about you that a Covered Entity keeps in its Designated Record Set, such as medical and billing records, lab results, imaging, care plans, and health-plan claims and case management records. Materials like peer review files or business planning documents are typically outside this scope.

How long do covered entities have to respond to access requests?

They must act within 30 calendar days of receiving your request. If more time is needed, they may take one additional 30-day extension, but only with a written notice explaining the reason for delay and providing a new completion date.

Can covered entities charge fees for providing access to records?

Yes, but only a reasonable, cost-based fee covering copying labor, supplies, postage, and any summary you agree to receive. They may not charge retrieval, verification, or “handling” fees, and access through a patient portal should be free.

What exceptions allow denial of access to PHI?

Unreviewable exceptions include the Psychotherapy Notes Exception and information prepared for legal proceedings. Reviewable limitations apply when access is reasonably likely to endanger life or physical safety or cause substantial harm, when records were obtained under a promise of confidentiality that would reveal the source, during certain research holds you agreed to, or in specific correctional settings.
