WikiFrameworksHIPAARight to Access PHI

Right to Access PHI

Plain English Translation

Individuals have the right to inspect and obtain a copy of their PHI held in a designated record set, and organizations must establish procedures to fulfill these requests in a timely manner. Access must generally be provided within 30 days of the request.

Executive Takeaway

Organizations must provide individuals with timely, cost-based access to inspect or obtain copies of their protected health information maintained in a designated record set.

ImpactHigh
ComplexityMedium

Why This Matters

  • Failing to provide timely access is a primary driver of HIPAA-related consumer complaints and targeted regulatory enforcement actions.
  • Denying access unlawfully or charging excessive, non-compliant fees violates patient rights and triggers significant financial penalties.
  • Prompt and transparent handling of medical record requests improves overall patient trust and reduces the likelihood of costly legal disputes.

What “Good” Looks Like

  • Implementation of automated patient portals allowing individuals direct, secure digital access to their designated record sets.
  • A centralized, easily auditable workflow tracking all PHI access requests from initial receipt to final fulfillment within the 30-day limit; tools like WatchDog Security's Compliance Center can help organize evidence and monitor control gaps.
  • Clear, documented fee structures strictly limited to the reasonable, cost-based expenses permitted by the Privacy Rule, with supporting documentation retained for audit review.

Put HIPAA compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

The HIPAA right of access allows individuals to inspect and obtain a copy of their protected health information maintained by a covered entity or its business associates, giving them control over their medical data.

Organizations must provide access to the protected health information that is maintained within a designated record set, which broadly includes medical, clinical, and billing records used to make decisions about the individual.

A designated record set is a group of records maintained by or for an organization that includes patient medical records, provider billing records, enrollment data, and other records used to make health or payment decisions about individuals.

Under the HIPAA 30 day rule, a covered entity must act on an access request no later than 30 calendar days after receipt. If unable to fulfill it within that timeframe, one 30-day extension is permitted with written notice to the individual.

Yes, individuals have the absolute right to request and receive a HIPAA electronic copy of medical records if the information is maintained electronically and is readily producible in the requested digital format.

Organizations may only charge reasonable, cost-based fees for copying records. This can only include the direct cost of labor for copying, supplies (like paper or USB drives), and postage, strictly excluding search or retrieval fees.

A HIPAA denial of access records is permitted in very limited circumstances, such as when the information contains strictly defined psychotherapy notes or when a licensed professional determines access is reasonably likely to endanger the physical safety of the individual.

No, HIPAA explicitly excludes psychotherapy notes (which are kept separate from the rest of the medical record) from the right of access, meaning organizations are not legally required to provide these specific personal notes to patients.

Organizations must implement a formal HIPAA PHI access request procedure to securely verify the requestor's identity, systematically compile records, process the request within 30 days, calculate permissible fees, and securely deliver the data.

Evidence demonstrating compliance includes formal written access policies, detailed access request logs showing prompt response times, documented fee schedules, and copies of any formal access denial letters specifying legal justifications.

PHI access requests require consistent tracking so teams can prove when the request was received, who handled it, what records were provided, and whether the 30-day response deadline was met. Tools like WatchDog Security's Compliance Center can help centralize evidence, map the access workflow to HIPAA requirements, and maintain an auditable record of request handling activities.

Organizations need a delivery process that protects PHI while still making records accessible in the requested format when readily producible. Tools like WatchDog Security's Secure File Sharing can support encrypted sharing, TOTP verification, and audit logs so teams can document secure delivery of PHI copies.

HIPAA 164.500 Privacy Rule

"The organization has established procedures to allow individuals to inspect and obtain a copy of their protected health information in a designated record set."

VersionDateAuthorDescription
1.0.02026-05-05Compliance Content TeamInitial publication