How Does HIPAA Address Patient Access to Medical Records?

HIPAA addresses patient access to medical records through the HIPAA Privacy Rule right of access, which requires HIPAA Covered Entities to provide individuals with timely access to protected health information in a designated record set, in the form and format requested when readily producible, with limited grounds for denial, required review rights for certain denials, and permitted cost-based fees for copies.

The access right applies to protected health information maintained by a Covered Entity in a designated record set, which generally includes medical and billing records and other records used to make decisions about individuals. A Covered Entity must verify the identity and authority of the requester, including personal representatives, and must have processes to receive, track, and fulfill requests within the required timeframe. Access may be provided by inspection, by a copy, or by transmitting a copy directly to a designated person or entity when the request meets HIPAA Privacy Rule requirements. When a requested form and format is not readily producible, the Covered Entity must offer an alternative form and format that is readily producible or provide a readable hard copy as agreed.

The HIPAA Privacy Rule permits limited denials of access and requires procedural protections that depend on the denial basis. Certain denials require an opportunity for a licensed healthcare professional to review the denial decision, and the Covered Entity must provide a written denial that meets content requirements and describes any review rights and complaint options. A Covered Entity may not impose unreasonable measures that delay or burden access, such as requiring unnecessary forms, refusing to send records in an electronic format that is readily producible, or conditioning access on payment of amounts unrelated to the requested copy.

A Covered Entity may charge a fee that is limited to the permitted components of a cost-based fee for providing a copy, and the fee method must align with HIPAA Privacy Rule requirements for labor, supplies, and postage when applicable. The HIPAA Minimum Necessary standard does not apply to disclosures to the individual, so access workflows must not use it to narrow what is released to the requester, while still applying appropriate identity verification and secure delivery controls. When access is provided through electronic systems that create, receive, maintain, or transmit electronic protected health information, the HIPAA Security Rule applies to the systems and processes used to protect confidentiality, integrity, and availability during access fulfillment.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA