Experience. Integrity. Advocacy.

Accessing Individual Health Information under HIPAA


Giving individuals the right to access and receive a copy of their health information from their doctors, hospitals, and health insurance plans is one of the basic tenets of the HIPAA Privacy Rule. However, the Office for Civil Rights (OCR) in the US Department of Health and Human Services, which oversees the enforcement of HIPAA, regularly receives complaints from patients that their requests to access and receive copies of their medical records are not being met, or are being met only after a great deal of hassle.

New Guidelines for Providing Access or Copies of Health Information

In response, the OCR has issued new guidelines, along with a list of questions and answers to help explain the guidelines, for how providers must respond to patient requests for health information. The words “reasonable” and “unreasonable” are repeated throughout the document, with the intention of encouraging providers to respond promptly and thoroughly to all requests.

For instance, patients do not have to give a reason for requesting their health information nor can the request be denied if a reason is given. Also, patients cannot be made to request and/or pick up records in person when both the request and the copy could be mailed or emailed. As well, the records need to be made available in a format that the patient can access. So both electronic and paper copies should be offered.

Healthcare providers generally need to respond to requests for access or copies of health information within 30 days. An additional 30 days can be taken, but only if the patient who requested the records is informed of the delay within the original 30-day timeframe. Patients must also be informed within 30 days if their request is denied for one of a small number of permissible reasons, like if the information would endanger the life or physical safety of the individual or another person or if the information is part of an ongoing research study.

In addition, some data is excluded from the patient’s right to request access and copies of health information, including the following:

  • Data not used to make patient decisions (i.e. quality assessment or improvement records, patient safety activity records, or business planning, development, and management records).
  • Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separately from the rest of the patient’s medical record.
  • Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

However, providers cannot withhold access to health information just because it might “upset the patient.”

The guidance also sets the parameters for how much can be charged for access or copies of health information. In particular, the following costs may be passed along to the patient: labor for copying the PHI requested by the individual, whether in paper or electronic form; supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; postage, when the individual requests that the copy, or the summary or explanation, be mailed; and preparation of an explanation or summary of the PHI, if agreed to by the individual.

What You Should Do

Here are a few ideas for how to implement these guidelines in your practice.

  • Work with your staff to develop and follow processes and procedures that allow you to respond in a reasonable, thorough, and prompt manner to all requests for access or copies of patient health information.
  • Make the OCR’s “Questions and Answers About HIPAA’s Access Right” required reading for all personnel in your office.
  • Create paper forms or add an online form to your website that makes requesting documents easy for patients and staff.
  • Include your policies and procedures for health information requests in your HIPAA notifications.

But whatever you do, don’t ignore patient requests for access or copies of their health information and, in doing so, violate one of the basic HIPAA protections patients have.

For more information, review the OCR’s “Individuals’ Right under HIPAA to Access their Health Information” webpage. You can also read a recent New York Times article about the guidelines: “New Guidelines Nudge Doctors to Give Patients Access to Medical Records.”



Charity Singleton Craig

Charity Singleton Craig is a freelance writer and editor who provides communications and marketing services for CIPROMS. She is responsible for creating, editing, and managing all content, design, and interaction on the company website and social media channels in order to promote CIPROMS as a thought leader in healthcare billing and management.

© Copyright 2020