HIPAA's Patient Access Rights

By Ofer Zur, Ph.D.

HIPAA Patient Rights

Many therapists have experience in releasing records to other providers, mostly after receiving an “Authorization to Release Information” from clients. Many therapists are still hesitant or reluctant to release clients’ records to clients for a variety of reasons, even though most clients are legally entitled to review their records. When the patient requests a copy of their record (i.e., patient access), different laws and ethical guidelines apply. Any error – withholding or not releasing records in a timely manner when release is required or releasing records when not permitted or ill-advised – can subject the provider to a licensing complaint, HIPAA complaint, sanctions, or civil lawsuits.

HIPAA created three ‘new’ access rights for patients:

  1. To view their records (in a timely manner)
  2. To request changes to their records
  3. To know who else has seen the records

These rights are relatively new in the history of healthcare and subject to much confusion. In order to avoid ethical or legal sanctions, therapists should be aware of whether patients must be given a copy of the records or when the records can be withheld. It is important to make sure that you comply, not only with HIPAA, but also with State law.


Our New 3 CE Credit Course:
HIPAA’s Patient Access Rights: What Patients &Providers Need to Know


Here is a basic recap (incomplete) of patients’ access rights to their records:
  • Confidentiality has always been an ethical requirement for health care providers.
  • In the past, doctors ‘owned’ the records in every sense of the word. This is no longer true.
  • In the 1970s, changing societal expectations created the patients’ rights movement, resulting in numerous federal and state statutes and court opinions.
  • Unlike the common belief among health care practitioners in general and mental health practitioners in particular, studies of patients given access to their records have shown many benefits and little to no harm resulting from reading the records.
  • There are numerous substantial and potentially negative consequences resulting from withholding records from patients.
  • HIPAA upped the ante by creating a new nationwide minimum standard for patient access rights.
  • HIPAA, with its focus on clients’ autonomy, requires that patients must be given a copy of their records if requested, with very few exceptions.
  • Records CAN be withheld from patients, IF:
    • The records are not PHI;
    • Release poses a risk to the life or physical safety of someone;
    • Release poses a risk of substantial harm to someone mentioned in the records;
    • Release poses a risk of substantial harm to someone and the personal representative is seeking access.
  • HIPAA permits fees for supplies, postage, and the labor for copying. No other fees are permitted.
  • Note that HIPAA Privacy Rule exempts Psychotherapy notes from this requirement. (Many therapists do not keep pschotherapy notes, just keep the standard required records.)


Additional Notes:
  • Verify your own state’s law in regard to responding to clients’ requests to view their records.
  • While you may not be considered a “Covered Entity” by HIPAA, if you have never submitted electronic billings to insurance companies, HIPAA has gradually become the standard of care.



Online resources regarding patients’ right to review their records:

Sign up for topical updates and invitations to participate with Dr. Zur