
Awareness article

Patient Record Requests Under HIPAA

HIPAA's right of access gives patients the right to obtain copies of their medical and billing records. This article explains the response timeline, format requirements, fee limits, and most common compliance failures.

Short answer

Patients have the right under HIPAA to access and obtain copies of their health records within 30 days of a request. The right of access is one of OCR's most actively enforced provisions - clinics that miss deadlines, charge improper fees, or deny legitimate requests face enforcement action.

The HIPAA right of access is one of the Privacy Rule’s most enforced provisions. Since 2019, OCR has run an active enforcement initiative targeting right of access violations and has settled dozens of cases against covered entities of all sizes, including small practices.

What Patients Have the Right to Access

Under 45 CFR § 164.524, patients have the right to inspect and obtain copies of their protected health information in a designated record set.

The designated record set includes:

  • The medical record: clinical notes, lab results, imaging reports, treatment plans, medication records, progress notes
  • The billing record: claims submitted, payments received, balances, EOBs, insurance information
  • Any other records used to make decisions about the individual’s care or payment for care

What is excluded from the designated record set:

  • Psychotherapy notes kept separately from the medical record (these are specifically excluded under 45 CFR § 164.524(a)(1))
  • Information compiled in anticipation of or for use in litigation
  • Quality improvement or peer review records that are separately maintained and not used for individual care decisions

The right of access applies to PHI the clinic maintains. A patient cannot use this right to compel the clinic to obtain records from another provider.

The 30-Day Response Timeline

After receiving a request, the clinic must:

  • Provide access (or a denial with explanation) within 30 calendar days
  • If records are stored off-site and cannot be retrieved within 30 days, one 30-day extension is allowed, but the clinic must notify the patient in writing within the original 30-day window that an extension is needed and why

The clock starts when the clinic receives the request - not when it processes it, verifies identity, or gets around to it. A response sent on Day 35 without a timely extension notice is a violation even if the records are eventually provided.

Format Requirements

Patients can request records in a specific format. The clinic must:

  • Provide records in the requested format if it can readily produce records in that format
  • If the clinic cannot produce records in the requested format, it must provide the records in a readable format and explain why the requested format is unavailable

Electronic records: If the PHI is maintained electronically and the patient requests an electronic copy, the clinic must provide it in an electronic format. It may ask the patient to specify a preferred format (PDF, direct portal download, USB drive, email) but cannot force the patient to accept paper when electronic is readily available.

Paper records: If the patient requests paper copies, the clinic may fulfill the request with paper, even if electronic copies are also available.

Sending paper copies to a patient who specifically requested a CD or portal download does not satisfy the request.

Fee Limits

Clinics may charge patients a reasonable, cost-based fee for copies of records. What that means:

Allowed:

  • Labor for copying (per-page labor for paper; staff time to create an electronic file)
  • Supplies for paper copies
  • Postage if mailed
  • Preparation of a summary, if the patient requested a summary

Not allowed:

  • Search fees (the time to locate the record in the system)
  • Retrieval fees (overhead for looking up the account)
  • Verification fees (confirming the patient’s identity before processing the request)
  • Any fee that functions as a barrier to access

Many states have fee caps stricter than HIPAA’s federal standard. New York, for example, has a statutory fee schedule for medical records that overrides the cost-based calculation for some record types. Check your state’s law before setting your fee schedule.

When the Clinic Can Deny Access

The right of access is strong but not unlimited. Clinics may deny access in limited circumstances:

Grounds for denial | Reviewable?
Information is likely to endanger the life or safety of the patient or another person (clinical determination) | Yes. The patient can request a review by a licensed professional.
Information was compiled in anticipation of litigation | No
Information references another person and access would cause harm to that person | Yes. Reviewable.
Information is excluded from the designated record set (psychotherapy notes, quality improvement records) | No. Not subject to access.

Denying access because the clinic doesn’t want to deal with the request, or because the patient owes a balance, is not a permissible basis for denial. OCR has settled cases specifically against clinics that conditioned records release on payment of past-due bills.

Documentation Requirements

Each records request and response should be documented:

  • Date request received
  • Form of request (written, email, in-person)
  • Patient or authorized representative identity verification method
  • Requested format
  • Date records provided (or denial issued)
  • Format records were provided in
  • Any fee charged and the basis for it

This documentation is how the clinic shows it met the 30-day deadline - without it, there is no evidence the request was processed at all.

The OCR Enforcement Pattern

OCR’s right of access enforcement initiative has targeted clinics of all sizes. Common findings in settled cases:

  • Failure to respond within 30 days (or within the extended 30-day period)
  • Requiring patients to appear in person to pick up records when they requested electronic delivery
  • Charging fees that included retrieval or search costs
  • Conditioning records release on payment of outstanding balances
  • Requiring a specific authorization form when the patient submitted a valid written request

Civil money penalties in these cases have ranged from a few thousand dollars to tens of thousands, depending on the number of violations and prior history.

Build a consistent, documented process for receiving and responding to records requests. Every front desk staff member needs to know it - because the requests come to them, not to the Privacy Officer.

For a complete definition of the patient’s right of access and how it applies in practice, see right of access. Patients also have a related right to amend their records and a right to an accounting of disclosures.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.

FAQ

Questions related to this topic

Can we require patients to use a specific records request form?

You may offer a form as a convenience, but you cannot require it. A patient's written request in any format - an email, a letter, a note handed to the front desk - is a valid records request. If you receive a verbal request, you may ask the patient to submit it in writing, but you cannot indefinitely delay responding on that basis.

Can we charge a fee for copies of records?

Yes, within limits. Fees must be cost-based - covering only labor to copy the records, supplies (for paper copies), postage, and preparation of a summary if the patient requests a summary instead of the full record. Clinics cannot charge for search, retrieval, or administrative overhead. Many states have additional fee limits that are stricter than HIPAA's federal standard.

What if the patient requests records to be sent to a third party?

This is permitted. Patients can direct the clinic to send records to another provider, an attorney, or another third party. The clinic must honor this direction. The receiving third party does not need to be another healthcare provider.

Are psychotherapy notes included in the right of access?

No. Psychotherapy notes - notes that a mental health professional keeps separately from the main medical record that document or analyze private conversations during counseling sessions - are not part of the designated record set and are excluded from the right of access.
