Q&A: Allowing patients access to their medical records

Q: Is it a HIPAA violation if a provider refuses to allow patients to see their record?

A: The HIPAA Privacy Rule gives individuals or their personal representatives the right to access their protected health information and obtain copies of those records, in compliance with the Privacy Rule and state laws. Access may be denied in a few limited circumstances, generally those in which the provider believes access would cause harm to the individual or another person.

Individuals have the right to access records in the designated record set. For providers, the designated record set includes medical records and billing records. For health plans, it includes enrollment, payment, claims adjudication, and case or medical management records.

Individuals do not have the right to access the following information:

• Psychotherapy notes
• Information compiled for legal proceedings
• Laboratory results specified as prohibited by the Clinical Laboratory Improvements Act
• Information held by certain research laboratories

For more information, refer to 45 CFR §164.524.

Editor’s note: Question answered by Mary Brandt, a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Heidi Samuelson at hsamuelson@hcpro.com.