Patient Access to Medical Records - A Refresher

Articles / Publications

Reprinted with Permission from the Birmingham Medical News

Healthcare providers are constantly receiving requests for copies of patient medical records. Some requests come by way of the patient exercising his/her right to access his/her medical records, some come by way of patient authorization, and some come by way of another method (e.g., request from another treating provider). The Office of Civil Rights ("OCR"), the federal entity overseeing HIPAA compliance, has recently made patient requests for records a priority in terms of enforcement and guidance. For example, OCR published extensive guidance on a patient's right to access records, the form and format for responding to such requests, and the fees that can be charged for a response to such request. Thus, now is a good time for a refresher on a patient's right to access records and a healthcare provider's obligations in responding.

Form of Request
Under HIPAA, a patient has the right to access his/her medical information--with a few exceptions, (e.g., psychotherapy notes). A patient wanting to exercise his/her right to access their medical records can do so in two ways: (1) the patient can request that copies of the records be sent to the patient directly (or inspected by the patient); or (2) the patient can request in writing that his/her records be sent to a designated third-party (this designation must be signed by the patient and clearly identify the designated person and where to send the records).

Timeframe for Response
When the patient exercises his/her right to copy medical records, the records must be provided to the patient within 30 days of the request. If the request is denied, the denial notice must be sent within the 30-day period. If the 30-day period cannot be achieved, the patient must be notified of the delay within the initial 30-day period and the provider will be allowed an additional 30 days in which to respond to the request. Only one 30-day extension is permitted.

Download the full article, "Patient Access to Medical Records - A Refresher" written by Kelli Carpenter Fleming.

Jump to Page

Contact Us

About Burr & Forman Cybersecurity & Data Privacy Law

Burr & Forman's experienced team helps clients navigate the complex cybersecurity and data privacy landscape with strategies designed to assess current risks, develop a corrective action plan, implement best practices, and provide immediate and appropriate responses to a cybersecurity breach.

We use cookies to improve your website experience, provide additional security, and remember you when you return to the website. This website does not respond to "Do Not Track" signals. By clicking "Accept," you agree to our use of cookies. To learn more about how we use cookies, please see our Privacy Policy.

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.