The Office of Civil Rights (OCR) recently issued a new document that provides guidance on HIPAA’s right of access provision. The guidance is not new, but rather a clarification for the industry based on OCR’s enforcement and patient complaints regarding difficulties obtaining their records.

“That is a common cause of complaints to OCR – people who need them and are entitled and can’t get them will get frustrated,” said Milada Goturi, a partner in Thompson Coburn’s Health Law Practice Group. “This is one of the reasons people can become subject to investigation.”

The document offers insight into handling access requests, and a few points in it stand out. Here is what you need to know about access.


Ease of access 

OCR reminds providers that there are a few areas where they may be tripping up patients and unwittingly making it excessively difficult for them to gain access to protected health information (PHI). One such area is verification of identity. It is the provider’s obligation to verify the identity of an individual, but the provider cannot do this in a manner that becomes a barrier to getting the information. If requests have to be on a provider’s specified form, for instance, that form can request information that allows the provider to verify a person’s identity. If access is available via a portal, authentication controls are appropriate for identity verification.

An increasing number of providers offer information through portals, but OCR maintains that providers cannot require patients to use a portal to gain access to PHI. “Not everyone can use it or has easy access to it,” Goturi said.

Just as portals cannot be the only means for providing access to PHI, neither can requiring patients to visit an office in person. It may be a burden for some patients—for example, if they are older or very sick or disabled—to come to the office. Records can be mailed at a patient’s request.

E-mail security

It is ingrained among providers that PHI should be sent in a secure manner. This may be a reason providers are reluctant to send this information via e-mail. But OCR has made it clear that PHI can be sent this way. Providers just have to make sure patients are aware that the information is unsecured and that it is not the providers’ fault if the information is compromised.

State laws

While HIPAA is a federal standard, Goturi said the guidelines make it clear that physicians should also look to state laws, particularly because some are more restrictive than HIPAA. “A provider has 30 days under HIPAA to provide access to records, but if state law said access has to be given within 10 days, state law would trump HIPAA,” she said.


The guidance document stresses that there are very few reasons a provider can deny a patient access to records. If providers have not updated their policy regarding patient access to records since HIPAA was enacted, now is the time to make it current.

Providers can deny patients access to certain records:

  • Psychotherapy notes used in a legal proceeding
  • Records that could jeopardize the health or safety of an inmate
  • The health information is part of a study (like a clinical trial) in process
  • The information is in Privacy Act records that are protected
  • Records were obtained, confidentially, by a family member or other person and providing access would reveal the source
  • The information is “reasonably likely” to endanger the safety of or cause harm to the requestor or their representative

If providers deny patients access to their records, they have to explain why in writing within 30 days of the request. They need to inform patients they can have the decision reviewed and explain how patients can submit a complaint to OCR.


Providers can request a cost-based fee to provide records to a patient. The fee cannot include things like searching and retrieving the information, maintaining systems, or recovering costs for storage or infrastructure. Providers can recoup labor costs for copying the information, supplies like paper or compact disks, postage and preparation of a summary of the PHI.

The guidelines also remind providers that they cannot withhold records if patients have an outstanding balance on their account.