Awareness article

Right of Access: HIPAA Definition for Small Clinics

The HIPAA right of access to PHI, designated record set scope, format requirements, the 30-day timeline, fee limits, grounds for denial, and OCR enforcement trends.

Short answer

The HIPAA right of access is the individual's right to inspect and obtain a copy of their PHI in a designated record set, as provided in 45 CFR § 164.524. Covered entities must provide access within 30 days of the request, in the patient's requested format if readily producible, and may charge only labor and supply costs - not search or retrieval fees.

The HIPAA right of access is one of the most litigated and enforced provisions in the Privacy Rule. Since OCR launched its Right of Access Initiative in 2019, the agency has resolved dozens of cases against covered entities - including many small practices - for failing to provide records on time, charging impermissible fees, or refusing to provide records in electronic formats. Understanding the right precisely protects both your patients and your clinic.

Small-clinic example: A patient at a 5-provider family medicine clinic calls requesting that all records from the past three years be sent electronically to her new doctor’s office. Your front desk staff cannot say “we only mail paper copies” if your EHR can produce electronic records. You must respond within 30 days, provide records in the requested electronic format if readily producible, and charge only actual labor costs.

What the Right of Access Covers

Under 45 CFR § 164.524(a)(1), individuals have the right to inspect and obtain a copy of their PHI in a designated record set. The designated record set is not limited to the medical chart - it is a defined regulatory concept.

Under 45 CFR § 164.501, a designated record set means a group of records maintained by or for a covered entity that includes:

  • Medical records and billing records about individuals maintained by or for a covered healthcare provider
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
  • Other records used, in whole or in part, by or for the covered entity to make decisions about individuals

That third category is significant. If a record was used to make a clinical or administrative decision about a patient - a care coordination note, a care management flag, an intake questionnaire - it is in the designated record set and subject to the right of access.

Records that are not in the designated record set:

  • Psychotherapy notes (separately maintained under 45 CFR § 164.501, not included in the medical record)
  • Information compiled in reasonable anticipation of litigation (attorney work product)
  • Certain research and clinical laboratory records with specific exceptions

For an understanding of what types of information constitute PHI within these records, see what is PHI.

Format Requirements

Under 45 CFR § 164.524(c)(2)(ii), if the individual requests access to ePHI that is maintained electronically, your clinic must provide access in the electronic form and format requested by the individual if it is readily producible in that form and format.

“Readily producible” is evaluated based on your clinic’s capabilities. If your EHR can export a Continuity of Care Document (CCD/CCDA), or a PDF of the chart, or a CSV of structured data, those formats are readily producible. Refusing to export records electronically when the EHR supports it is a violation.

If the specific electronic format requested is not readily producible, you must provide it in another readable electronic format. If the individual has not specified a format, your clinic may provide the ePHI in any electronic format that is acceptable to the individual.

For paper records or records that cannot be produced electronically, paper copies are acceptable.

Practical implication: When a patient asks for records by email or via a patient portal, your clinic must evaluate whether it can meet that request given its EHR and administrative capabilities. A blanket policy of providing only paper records by mail when the EHR can produce electronic files is a compliance risk.

The 30-Day Timeline

Under 45 CFR § 164.524(b)(2):

  • Standard timeline: Your clinic must act on the request no later than 30 calendar days from receipt.
  • Extension: If your clinic cannot act within 30 days, you may extend the deadline by no more than 30 additional days - but only if you notify the individual within the original 30-day period of the reasons for the delay and the expected response date.
  • Only one extension is permitted per request.

The 30-day clock runs from the date the request is received, not from when the clinic processes or validates it. A request that arrives via email on a Monday counts from that Monday.

For records stored off-site, if retrieval is required, your clinic may take up to 60 days from the date of the request, with an additional 30-day extension available.

OCR enforcement has been strict on timelines. Delays of several months - often explained by administrative backlog - have resulted in resolution agreements requiring corrective action and in some cases civil monetary penalties.

Fee Limits

Under 45 CFR § 164.524(c)(4), your clinic may impose a fee for providing a copy of PHI, but only to cover:

  • Labor for copying the PHI, whether in paper or electronic form
  • Supplies for creating paper copies or electronic media (if the individual requests that the electronic copy be provided on portable media)
  • Postage if the individual requests that the copy be mailed

Prohibited fees:

  • Fees for searching for records
  • Fees for retrieving records
  • Fees for reviewing records before providing them

Per-page fees are not automatically impermissible - but they must reflect actual labor costs of copying, not a standard charge that incorporates search or retrieval. A flat fee of $0.25 per page that was established decades ago and never adjusted to reflect actual costs may overcharge if records are produced electronically with minimal copying cost.

HHS guidance indicates that when records can be sent electronically with minimal labor - for example, sending a portal download link - the labor cost is close to zero, and the fee should reflect that.

State laws may impose lower fee limits than HIPAA allows. In states where state law establishes lower maximum fees, state law controls.

Grounds for Denial

Grounds for refusing a right-of-access request are narrow under 45 CFR § 164.524(a)(2)-(3). Reviewable grounds for denial (the individual has a right to appeal) include:

  • A licensed healthcare professional determines that access is reasonably likely to endanger the life or physical safety of the individual or another person
  • A licensed healthcare professional determines that access is reasonably likely to cause substantial harm to a third party referenced in the record
  • The request is from a personal representative and a licensed healthcare professional believes it is reasonably likely to cause substantial harm to the individual or another person

Non-reviewable grounds for denial (no appeal right):

  • PHI is exempt from right of access (psychotherapy notes, litigation-prepared records, certain research records)
  • The covered entity is a correctional institution and the denial is necessary to maintain the safety of other inmates or the correctional facility’s operation
  • The PHI was obtained under a promise of confidentiality from someone other than a healthcare provider

What is not a valid ground for denial:

  • The patient has an outstanding balance
  • The clinic is in a billing dispute with the patient
  • The records are needed for pending litigation
  • The records are “very old” or difficult to retrieve
  • The request came from a patient the clinic considers difficult

Denying access for non-regulatory reasons is a direct Privacy Rule violation and an OCR enforcement target.

OCR’s Right of Access Initiative

Since 2019, OCR has operated a specific enforcement initiative focused on the right of access. As of 2026, OCR has resolved dozens of cases resulting in corrective action and, in some cases, civil monetary penalties. Penalties in right-of-access cases have generally been modest - often $15,000 to $200,000 - because many involve first-time violations at small practices. But the corrective action obligations typically require two years of monitoring.

The most common right-of-access failures OCR has pursued:

  1. Failing to provide records within 30 days (or the extended deadline)
  2. Charging impermissible fees (including search and retrieval fees)
  3. Refusing to provide records in electronic format when the EHR could produce them
  4. Refusing to provide records to personal representatives or patient-designated third parties

For detailed enforcement case studies, see HIPAA violations examples.

Operational Recommendations for Small Clinics

  1. Designate a records request coordinator. A single person responsible for receiving, logging, and responding to access requests ensures requests are not missed or delayed.

  2. Log all requests with receipt dates. The 30-day clock starts on receipt, and you need to demonstrate compliance in an investigation.

  3. Know your EHR’s export capabilities. Before you receive a request for electronic records, know what formats your system can produce and establish a standard process for fulfilling electronic requests.

  4. Review your fee schedule. If your clinic charges per-page fees or flat fees, confirm they reflect labor costs only - no search or retrieval component.

  5. Train front desk staff. Requests often come through the front desk by telephone or in person. Staff must know how to receive, log, and route access requests without inadvertently denying or delaying them.

PHIGuard supports right-of-access compliance by helping clinics track incoming access requests, manage the response timeline, and document fulfillment. Learn more at PHIGuard’s HIPAA page.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.

FAQ

Questions related to this topic

A patient requests electronic copies of their records by email. Do we have to provide them that way?

If the records are maintained in electronic form and an electronic copy is readily producible, yes. Under 45 CFR § 164.524(c)(2)(ii), if the individual requests an electronic copy of ePHI, the covered entity must provide it in the electronic form requested if readily producible. If the specific requested format is not readily producible, the covered entity must provide it in another readable electronic format. Refusing to send records electronically when the EHR can produce them is a common right-of-access violation.

Can we charge patients a fee to copy their records?

Yes, but only for labor costs directly related to copying, for supplies used to create paper copies or electronic media, and for postage if the individual requested mailed delivery. Covered entities cannot charge for searching, retrieving, or reviewing records. Fee schedules that include search or retrieval components are a frequent OCR enforcement target. In 2021, OCR issued guidance stating that fees based on per-page charges are permissible only if they reflect actual labor costs and not a standard markup.

A patient's estranged family member claims to have medical power of attorney and requests records. What is our obligation?

An authorized representative with a valid medical power of attorney has the same right of access as the patient. Before disclosing, verify the validity of the power of attorney document. Some powers of attorney are limited in scope or time. Confirm the document is current, grants healthcare decision-making authority, and applies to the type of records being requested. If in doubt, contact legal counsel - wrongly disclosing or wrongly refusing can both create liability.
