Right to Access PHI
Plain English Translation
Individuals have the right to inspect and obtain a copy of their PHI held in a designated record set, and organizations must establish procedures to fulfill these requests in a timely manner. Access must generally be provided within 30 days of the request.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Deploy a secure patient portal through the primary Electronic Health Record (EHR) system to automate standard access requests.
- Implement a standard operating procedure and dedicated email alias for manually processing incoming medical record requests.
Required Actions (scaleup)
- Integrate robust identity verification tools to securely authenticate individuals requesting their records through online channels.
- Deploy tracking dashboards within your ticketing system to monitor the 30-day response window and automatically escalate requests nearing the regulatory deadline.
Required Actions (enterprise)
- Develop automated data extraction pipelines to seamlessly pull complete designated record sets across multiple disparate clinical and billing systems.
- Implement programmatic fee calculation algorithms to ensure absolute compliance with cost-based fee limitations across varying request sizes and delivery formats.
The HIPAA right of access allows individuals to inspect and obtain a copy of their protected health information maintained by a covered entity or its business associates, giving them control over their medical data.
Organizations must provide access to the protected health information that is maintained within a designated record set, which broadly includes medical, clinical, and billing records used to make decisions about the individual.
A designated record set is a group of records maintained by or for an organization that includes patient medical records, provider billing records, enrollment data, and other records used to make health or payment decisions about individuals.
Under the HIPAA 30 day rule, a covered entity must act on an access request no later than 30 calendar days after receipt. If unable to fulfill it within that timeframe, one 30-day extension is permitted with written notice to the individual.
Yes, individuals have the absolute right to request and receive a HIPAA electronic copy of medical records if the information is maintained electronically and is readily producible in the requested digital format.
Organizations may only charge reasonable, cost-based fees for copying records. This can only include the direct cost of labor for copying, supplies (like paper or USB drives), and postage, strictly excluding search or retrieval fees.
A HIPAA denial of access records is permitted in very limited circumstances, such as when the information contains strictly defined psychotherapy notes or when a licensed professional determines access is reasonably likely to endanger the physical safety of the individual.
No, HIPAA explicitly excludes psychotherapy notes (which are kept separate from the rest of the medical record) from the right of access, meaning organizations are not legally required to provide these specific personal notes to patients.
Organizations must implement a formal HIPAA PHI access request procedure to securely verify the requestor's identity, systematically compile records, process the request within 30 days, calculate permissible fees, and securely deliver the data.
Evidence demonstrating compliance includes formal written access policies, detailed access request logs showing prompt response times, documented fee schedules, and copies of any formal access denial letters specifying legal justifications.
PHI access requests require consistent tracking so teams can prove when the request was received, who handled it, what records were provided, and whether the 30-day response deadline was met. Tools like WatchDog Security's Compliance Center can help centralize evidence, map the access workflow to HIPAA requirements, and maintain an auditable record of request handling activities.
Organizations need a delivery process that protects PHI while still making records accessible in the requested format when readily producible. Tools like WatchDog Security's Secure File Sharing can support encrypted sharing, TOTP verification, and audit logs so teams can document secure delivery of PHI copies.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-05 | Compliance Content Team | Initial publication |

