Let's Break it Down: Right of Access


Under the HIPAA Privacy Rule, covered entities must provide individuals with access to their protected health information (PHI) upon request. The information subject to this right is defined by the "designated record set" (DRS): the group of records maintained by or for a covered entity that is used, in whole or in part, to make decisions about individuals. Unless a specific, limited reason exists for excluding a piece of information, it should be treated as part of the DRS. At a minimum, the DRS includes:

  • For health plans:
    • Enrollment, payment, claims adjudication, and case or medical management record systems
  • For health care providers:
    • Medical and billing records maintained by or for the provider, including lab results and imaging

What is excluded from the DRS?

  • Psychotherapy notes
    • Notes recorded by a mental health professional documenting or analyzing a counseling session, kept separate from the rest of the medical record. They are treated as the therapist's personal notes and are generally not needed for treatment, payment, or health care operations
  • Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding

How must a covered entity respond to an access request?

  • The covered entity must act on a request for access promptly, and no later than 30 days after receiving it
    • If that deadline cannot be met, one extension of up to 30 days is allowed, provided the covered entity gives the individual, within the initial 30 days, a written statement of the reasons for the delay and the date by which it will complete action on the request
  • The identity of the requester must be verified
    • The Privacy Rule leaves the type and manner of verification (oral, written, etc.) to the discretion of the covered entity, provided the verification process does not create unreasonable delays in providing access (e.g., identity confirmed in person, through a patient portal login, or by mail)
  • Access must be provided in the form and format requested by the individual
    • If that format is not readily producible, the covered entity must provide a readable hard copy or another form agreed upon with the individual
  • A request to send the PHI to another person must be in writing, signed by the individual, and must clearly identify the designated person and where to send the PHI
  • Covered entities may charge a reasonable, cost-based fee
    • The fee may include only the labor for copying, supplies, postage, and (if the individual agrees to receive a summary or explanation) the cost of preparing that summary or explanation. It may not include costs such as record retrieval, system maintenance, or verification


In specific circumstances a covered entity may deny a request for access. Grounds for denial are either unreviewable or reviewable. In either case the denial must be in writing, and denying access to one part of the record does not excuse the covered entity from providing access to the rest of it.

Unreviewable grounds for denial:
  • The request is for psychotherapy notes, or for information compiled in reasonable anticipation of, or for use in, a legal proceeding
  • A covered entity that is a correctional institution (or a provider acting under the direction of a correctional institution) may deny an inmate's request to obtain a copy of PHI if doing so would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at or responsible for transporting the inmate
  • PHI created or obtained in the course of research that includes treatment may have access temporarily suspended for as long as the research is in progress, if the individual agreed to the denial of access when consenting to participate in the research and was told that access would be reinstated when the research is complete
  • PHI contained in records subject to the Privacy Act (e.g., records maintained by a federal agency) may be withheld if the denial would meet the requirements of that law
  • PHI obtained from someone other than a health care provider under a promise of confidentiality, where the requested access would be reasonably likely to reveal the source of the information

Reviewable grounds for denial:
  • A licensed health care professional has determined, in the exercise of professional judgment, that the requested access is reasonably likely to endanger the life or physical safety of the individual or another person (concerns about psychological harm or emotional distress alone are not sufficient)
  • The PHI makes reference to another person (other than a health care provider) and the access requested is reasonably likely to cause substantial harm to that person
  • The request is made by the individual's personal representative and the access requested is reasonably likely to cause substantial harm to the individual or another person

For a reviewable denial, the individual has the right to have the decision reviewed by a licensed health care professional designated by the covered entity who did not participate in the original decision, and the covered entity must abide by that reviewer's determination.


Individuals may also request PHI through a HIPAA authorization form. This differs from the HIPAA right of access:

  • Unlike an individual's exercise of the HIPAA right of access, which the covered entity must honor, a valid HIPAA authorization permits, but does not require, the covered entity to disclose the PHI [1]
  • HIPAA authorizations must contain certain "core elements" that a right of access request does not need in order to be valid, including:
    • A description of the information to be used or disclosed that identifies it in a specific and meaningful manner (e.g., HHS has made clear that a request for "all PHI" is not specific enough, but a request for one's "entire medical record" is [2])


There are several nuances to the Right of Access. Our goal is to help you understand the most important aspects in an easily digestible format while we remain focused on combing through the details. Regulatory changes are constant, and we want our clients to be apprised and well positioned to both succeed and stay compliant.

We are fortunate to have a strong legal team and access to other experts, including the former Acting Deputy Director for HIPAA at the Department of Health and Human Services, Office for Civil Rights. If your team needs clarification on any specifics related to the release of medical records and how it relates to designated records sets and access rights, please contact us at hello@healthmark-group.com or reach out to your Client Success Manager.

1. https://www.hhs.gov/hipaa/for-professionals/faq/2041/why-depend-on-the-individuals-right/index.html
2. https://www.hhs.gov/hipaa/for-professionals/faq/471/may-a-covered-entity-use-or-disclose-a-patients-entire-medical-record-based-on-the-patients-authorized-signature/index.html
