Overview of the Right of Access
The HIPAA Privacy Rule gives individuals the right to inspect and obtain a copy of their own PHI held in a covered entity's designated record set. This right is one of the most fundamental patient rights under HIPAA and has been a significant focus of OCR enforcement activity in recent years through its Right of Access Initiative, which has resulted in dozens of enforcement actions against covered entities that failed to honor timely access requests.
What Is a Designated Record Set?
The right of access applies to PHI in a "designated record set" — a group of records maintained by or for a covered entity that includes medical records and billing records about individuals; enrollment, payment, claims adjudication, and case or medical management record systems maintained by a health plan; and other records used in whole or in part to make decisions about individuals. The right of access applies to the designated record set as a whole, not just to specific documents.
The 30-Day Response Requirement
Covered entities must act on an access request no later than 30 calendar days after receipt. If the covered entity cannot fulfill the request within 30 days, it may extend the time by no more than 30 additional days (for a total of 60 days) by providing the individual with written notice of the reason for the delay and the expected completion date. Only one extension per request is permitted. OCR has made clear through enforcement actions that 30 days means 30 days — not "as soon as convenient."
Format of Access
Covered entities must provide access in the form and format requested by the individual if readily producible in that form and format. If not readily producible in the requested format, the covered entity may provide it in a readable hard copy or such other form and format as agreed upon by the covered entity and the individual. For electronic records maintained in an EHR, covered entities must provide individuals with electronic access in a machine-readable format if requested.
Since the 21st Century Cures Act and the ONC Information Blocking Rule (effective 2021), covered entities and their EHR vendors face additional obligations around electronic access, including providing access through standardized APIs.
Fees for Access
Covered entities may charge a reasonable, cost-based fee for providing copies of PHI. The fee may include only: the labor costs for copying PHI in the requested format; the costs of supplies for creating paper copies; postage when the individual requests mailing; and preparation of an explanation or summary if the individual has agreed in advance to both the summary and the fee. Covered entities may NOT charge fees for searching for or retrieving PHI, or for maintaining the system in which the PHI is stored. Many states have separate laws capping medical records fees that may be more restrictive than HIPAA.
When Access May Be Denied
Access may be denied in limited circumstances:
- Unreviewable grounds (not subject to review): Psychotherapy notes; information compiled in reasonable anticipation of civil, criminal, or administrative action; PHI subject to the Clinical Laboratory Improvement Amendments (CLIA); and PHI exempted from Privacy Act access rights.
- Reviewable grounds (subject to review by a licensed healthcare professional): A licensed healthcare professional determines that access is reasonably likely to endanger the life or physical safety of the individual or another person; the PHI references another person (other than a healthcare provider) and access is reasonably likely to cause substantial harm to that person; or the request is made by a personal representative and access is reasonably likely to cause substantial harm to the individual or another person.
When access is denied on reviewable grounds, the individual has the right to have the denial reviewed by a licensed healthcare professional designated by the covered entity who was not involved in the original denial decision.