What is the HIPAA Right of Access?

The HIPAA Privacy Rule generally provides individuals with a legal, enforceable right to see and receive copies, upon request, of the information in their medical and other health records maintained by their health care providers and health plans. This right is known as the HIPAA Right of Access.

What Records are Patients Entitled to Access?

The HIPAA Privacy Rule generally requires HIPAA-covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. PHI is individually identifiable health information that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or payment for that care, and that is created, received, maintained, or transmitted by a covered entity in the course of providing health care, receiving payment for health care services, or carrying out health care operations.

What is the Scope of the HIPAA Right of Access?

The HIPAA Right of Access includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. 

Individuals have a HIPAA right of access to this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of:

  • The date the information was created;
  • Whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or
  • Where the PHI originated (e.g. whether with the covered entity, another provider, etc.)

What is a Designated Record Set?

Individuals have a HIPAA right of access to PHI contained in a “designated record set.” A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises the:

  • Medical records and billing records about individuals maintained by or for a covered health care provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. 
    • These records include records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

What is a Record?

The definition of the word “record” in “designated record set” is fairly broad. A “record” is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

What are Examples of Records?

Because the word “record” is so broadly defined, numerous types of information that contain PHI and are maintained by or for covered entities are subject to the right of access. This information includes (but is not limited to):

  • Medical records 
  • Billing and payment records 
  • Insurance information
  • Clinical laboratory test results
  • Medical images (such as X-rays)
  • Wellness and disease management program files
  • Clinical case notes
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
    • Note: “Other records” include records that are used to make decisions about any individuals, regardless of whether the records have been used to make a decision about the particular individual requesting access.

In responding to a request for access, a covered entity is not required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.

What Information Is Excluded from the Right of Access?

Two categories of information are expressly excluded from the right of access:

  • Psychotherapy notes. Psychotherapy notes are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session. To qualify as psychotherapy notes, these notes must be kept separate from the rest of the patient’s medical record.
  • Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Compliancy Group Simplifies HIPAA Compliance

Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give health care organizations everything they need to address the full extent of the HIPAA regulations.

Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address the law so they can get back to confidently running their business.

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain™ their HIPAA compliance!