Medical Records Access: Patient Rights Under HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes federal baseline rights for patients to inspect, obtain copies of, and request amendments to their protected health information (PHI). This page covers the scope of those rights, the procedural mechanics that govern how covered entities must respond, the most common access scenarios patients encounter, and the boundaries that separate enforceable HIPAA rights from situations governed by other legal frameworks. Understanding these distinctions is foundational to patient rights and responsibilities in the US healthcare system.


Definition and scope

HIPAA's patient access right is codified at 45 CFR § 164.524 (the Privacy Rule), administered by the Office for Civil Rights (OCR) within the US Department of Health and Human Services (HHS). The rule grants individuals the right to access PHI held in a "designated record set" — a defined category that includes medical and billing records used to make decisions about the individual.

What counts as a designated record set:
1. Medical records and billing records maintained by or for a covered healthcare provider
2. Enrollment, payment, claims adjudication, and case management records held by a health plan
3. Any other record used in whole or in part to make decisions about individuals

Covered entities subject to § 164.524 include healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses. Business associates are not directly subject to the access right — patients direct requests to the covered entity.

The Privacy Rule does not apply to entities outside its definitional scope. Employers holding occupational health records, life insurers, and many wellness apps are not HIPAA-covered entities, meaning access to those records falls under state law or contract, not federal HIPAA rights (HHS, Summary of the HIPAA Privacy Rule).


How it works

HHS OCR published a Final Rule in 2021 (effective April 5, 2021; compliance dates phased through 2022) under the 21st Century Cures Act framework that strengthened and clarified the access process, including fee limits and response timelines originally set in the 2013 Omnibus Rule.

Standard access process — discrete steps:

  1. Submit a written request to the covered entity's designated privacy officer or records department. Covered entities may require a specific form but cannot impose requirements that create barriers to access.
  2. Identity verification is permitted; entities may require reasonable proof of identity. However, they cannot deny access because a patient refuses to state a reason.
  3. Response deadline: The covered entity must act within 30 calendar days of receiving the request. A single 30-day extension is permitted if the entity notifies the patient in writing before the initial deadline expires (45 CFR § 164.524(b)(2)).
  4. Format: Patients have the right to receive records in the format they request — including electronic format — if the entity maintains the records electronically.
  5. Fees: Covered entities may charge only a "reasonable, cost-based fee" covering labor for copying, supplies, and postage. HHS guidance (2016 Individuals' Right under HIPAA to Access their Health Information) discourages flat fees and prohibits fees for retrieval or handling.
  6. Denial: Entities may deny access in specific enumerated circumstances. Reviewable denials (e.g., a licensed professional's determination that access would cause harm) must be reviewed by a second licensed professional upon request.

Electronic access — the information blocking rule:
The Office of the National Coordinator for Health Information Technology (ONC) administers the 21st Century Cures Act information blocking rule (45 CFR Part 171), which prohibits certified health IT developers, health information networks, and healthcare providers from unreasonably interfering with patient access to electronic health information. Penalties for information blocking by providers can reach $1,000,000 per violation under the Civil Monetary Penalties Law, as noted in ONC's information blocking overview.


Common scenarios

Scenario A — Personal access by the patient:
The most straightforward category. An adult patient requests their own records from a hospital or physician practice. HIPAA requires response within 30 days, fees capped to cost, and delivery in the requested format. The patient does not need to explain the reason for the request.

Scenario B — Access by a personal representative:
A legally authorized representative — such as a parent of a minor, a court-appointed guardian, or a healthcare proxy — has the same HIPAA access rights as the individual (45 CFR § 164.502(g)). For healthcare proxy and power of attorney holders, the scope of authority is determined by applicable state law. Entities may decline to treat a person as a personal representative if there is reasonable belief it could endanger the individual.

Scenario C — Third-party directed access:
Patients may direct a covered entity to transmit records directly to a third party (another provider, an attorney, or a personal health record application). This right is distinct from a general authorization and is governed by § 164.524(c)(3)(ii). The entity must comply as long as the request is in writing, signed, and clearly identifies the designated recipient.

Scenario D — Mental health and psychotherapy notes:
Psychotherapy notes — defined narrowly as a mental health professional's private session notes kept separate from the medical record — are specifically excluded from the access right under 45 CFR § 164.524(a)(1)(i). General mental health treatment records held in the designated record set remain accessible. Additional protections layered on by state law are covered in the mental health patient rights framework.


Decision boundaries

HIPAA's access right has defined outer limits. Knowing where federal HIPAA rights end and other frameworks begin is critical when navigating disputes or filing a healthcare complaint.

Situation                                               Applicable framework
------------------------------------------------------  -----------------------------------------------
PHI held by a HIPAA-covered entity                      45 CFR § 164.524 (HIPAA Privacy Rule)
Electronic health information blocking                  45 CFR Part 171 (ONC Information Blocking Rule)
Employment/occupational health records                  State law; ADA; OSHA standards
Substance use disorder treatment records                42 CFR Part 2 (SAMHSA regulations)
Mental health records in states with stricter law       State statute supersedes HIPAA floor
Records held by non-covered entities (apps, wearables)  FTC Act; state consumer protection law
Minors' records — emancipated or mature minor           State law determines access rights

HIPAA vs. state law:
HIPAA establishes a federal floor. State laws that afford patients greater access rights or stronger privacy protections are not preempted — they apply concurrently. As of the 2021 rulemaking, HHS has consistently held that state laws granting broader rights survive federal preemption analysis (HHS, Preemption of State Law).

Enforcement:
Complaints about access violations are filed with HHS OCR (www.hhs.gov/hipaa/filing-a-complaint). OCR may investigate, require corrective action, or impose civil monetary penalties. The penalty tiers range from $100 to $50,000 per violation, with an annual cap of $1,500,000 per violation category, as structured under 42 U.S.C. § 1320d-5. Willful neglect that is not corrected carries mandatory penalties.

Patients seeking guidance on formal dispute processes, including how HIPAA intersects with informed consent documentation and medical error and patient safety advocacy, should consult the relevant federal agency materials directly.


Citations verified Feb 25, 2026.