3.3 Patient Rights and Right of Access

Key Takeaways

  • The individual right of access (45 CFR 164.524) requires action within 30 days, with one 30-day extension if the patient is notified in writing.
  • Access fees must be reasonable and cost-based, generally limited to labor for copying, supplies, and postage; the patient may direct copies to a third party.
  • Patients have the right to request an amendment; the provider may deny but must allow a statement of disagreement to be filed.
  • Patients may request restrictions and confidential communications, and must be granted a restriction on disclosures to a health plan for services paid fully out of pocket.
  • A personal representative generally has the same access rights as the individual, subject to abuse/safety exceptions.
Last updated: June 2026

The Right of Access

Under 45 CFR 164.524, individuals have the right to inspect and obtain a copy of PHI in a designated record set — the records a provider uses to make decisions about the individual (clinical records, billing records, and similar). The covered entity must act on the request within 30 calendar days. One 30-day extension is allowed if, within the first 30 days, the entity gives the individual a written statement of the reason for delay and the new completion date. Only one extension is permitted.

If the individual requests an electronic copy of ePHI, the entity must provide it in the form and format requested if readily producible, or in a readable electronic form by agreement. Patients may also direct that a copy be transmitted to a third party (the HITECH access right), provided the direction is written, signed, and clearly identifies the recipient and destination.

The right of access reaches the designated record set but excludes a few categories: psychotherapy notes, information compiled in anticipation of litigation, and certain lab data restricted by other law. An entity may deny access in narrow, reviewable situations — for example, when a licensed professional determines access is reasonably likely to endanger the life or safety of the individual or another person; the individual then has a right to have the denial reviewed by a second licensed professional not involved in the original decision.

Most access requests, however, must simply be fulfilled — denials are the exception, not the norm, and improper denial is an OCR enforcement trigger.

Access Fees and Format

HIPAA permits only a reasonable, cost-based fee for copies. Allowable charges are limited to: labor for copying (creating and transmitting paper or electronic copies), supplies (paper, toner, CD or USB if requested), postage, and the cost of preparing a requested summary or explanation if the individual agreed to it (and the fee) in advance. Fees may not include search-and-retrieval, verification, documentation, or general overhead. State law may set lower caps; the lower amount applies. 50** for electronic copies of ePHI as one permissible method, or calculate actual costs.

OCR's Right of Access Initiative has settled dozens of enforcement cases against entities that responded late, overcharged, or ignored requests entirely — making access timelines and fee limits a high-yield RHIT topic. Note that third-party directives initiated by the patient are treated as access requests, while requests originating from the third party require a HIPAA authorization and are not subject to the access fee limits.

Patient right | Key rule
Access / copies | Act within 30 days; one 30-day extension
Fee | Reasonable, cost-based (labor, supplies, postage)
Amendment | May deny; patient may file statement of disagreement
Restriction request | Must grant if service fully self-paid and no law requires disclosure
Confidential communications | Must accommodate reasonable requests
Accounting of disclosures | 6-year lookback; TPO excluded
Receive the NPP | At first service delivery

Amendment, Restrictions, and Representatives

The right to amend lets a patient ask the entity to correct PHI they believe is inaccurate or incomplete. The entity may deny an amendment when the information was not created by it, is not part of the designated record set, or is accurate and complete — but it must permit the patient to file a statement of disagreement, which is then included with future disclosures.

The right to request restrictions lets a patient ask the entity to limit uses/disclosures for TPO. The entity is not required to agree, except it must grant a restriction on disclosure to a health plan when the service was paid in full out of pocket by the patient. Confidential communications let a patient ask to be contacted at an alternate address or phone; reasonable requests must be accommodated.

A personal representative — someone with legal authority to make health decisions (parent of a minor, court-appointed guardian, holder of a healthcare power of attorney, or executor of a deceased patient's estate) — generally must be treated as having the same access rights as the individual with respect to relevant PHI. Access for minors follows state law on who controls the record: a parent is usually the minor's representative, except where the minor lawfully consented to their own care, a court is involved, or the parent agreed to a confidential relationship between the minor and provider.

Entities may decline to treat someone as a personal representative if there is a reasonable belief of abuse, neglect, or endangerment by that person, or that doing so could harm the individual. A worked RHIT scenario: a non-custodial parent requests a teen's reproductive-health records the teen consented to alone — the entity must apply state law, not automatically grant access. The right to confidential communications is also broader for health plans, which must accommodate a request when the individual states that disclosure could endanger them — a protection commonly used in domestic-violence situations.

Taken together, these rights make the patient an active participant in controlling their own PHI, and HIM departments operationalize them through clear request forms, tracking logs, and trained access staff.

Test Your Knowledge

A patient submits a written request for an electronic copy of their record on June 1. The provider needs extra time. What is the latest compliant action?

Test Your Knowledge

A patient pays cash in full for a visit and asks the clinic not to tell their health plan. How must the clinic respond?

Test Your Knowledge

Which fee is NOT permitted when charging a patient for a copy of their records under the right of access?
