HIPAA Patient Right of Access: A Small-Practice Walkthrough
5 min read · Last reviewed May 22, 2026
Why this measure is over-represented in OCR enforcement
The OCR Right of Access Initiative has produced dozens of small-practice settlements through 2024, more than any other single Privacy Rule provision. The settlements are published on the OCR press release log. They share a pattern: a patient asks for their records, the practice does not provide them within 30 days, the patient files a complaint, OCR investigates, the practice settles.
The amounts are smaller than mega-breach settlements (typically five figures), but the corrective action plans run two to three years and the case-by-case volume is large.
What the rule actually says
45 CFR 164.524 gives individuals the right of access to inspect and obtain a copy of PHI about them in the designated record set maintained by the covered entity, with limited exceptions. The key operational rules:
- Form of access: the individual chooses the form and format if it is readily producible. Electronic copies of electronic records are the default.
- Timing: must act on the request within 30 days. One 30-day extension is permitted, with written notice of the reason and the new deadline.
- Fees: only a reasonable, cost-based fee for labor of copying, supplies, postage, and (if requested) summary preparation. See 164.524(c)(4)(4)).
- Denials: limited and specified at 164.524(a)(2) and (a)(3)(2)). Most denials trigger a right to review.
- Direction to third parties: under the original rule and the 2020 Ciox decision, the practice must honor a patient's signed request to send their PHI to a third party in the format and manner the patient specifies, subject to the limits the court set.
The fee question
The fee for a patient's request to access their own records is the area where small practices most often get into trouble. The HHS Right to Access guidance lists the only allowable charges:
- Labor for copying (electronic or paper)
- Supplies (paper, USB drive, CD) if requested in that format
- Postage if mailed
- Labor for summary preparation if requested in lieu of full records
Not allowable:
- Retrieval fees from a third-party storage vendor
- Fees for searching the record
- Fees for handling the request
- Per-page state-allowed copying fees that exceed cost-based reasonable amounts
- Fees based on the value of the records or the requester's identity
A practice that charges a state-permitted statutory fee that exceeds the federal cost-based reasonable standard is in conflict with HIPAA. The federal rule applies.
The 30 days starts when
The 30-day clock starts on the date the practice receives the request. Internal routing delays do not pause the clock. The clock continues to run while a designated record-set search proceeds.
If the practice needs more time, it must notify the patient in writing within the initial 30 days, give a reason, and set a new deadline no more than 30 additional days out. There is no second extension.
Designated record set scope
Section 164.501 defines designated record set as the medical records and billing records about individuals maintained by or for a covered health care provider, plus enrollment and similar records held by a health plan, plus records used by the entity to make decisions about individuals.
In practice for a small medical or dental practice the designated record set includes:
- The EHR chart
- Imaging and diagnostic results
- Lab results
- Patient correspondence in the file
- Billing records
- Encounter notes
- Care plans, referrals, prescriptions
It does not include the practice's internal quality improvement notes or psychotherapy notes (which have their own carve-out at 164.501 and 164.508(a)(2)(2))).
Common gaps OCR has cited
The published Right of Access settlements share recurring elements:
- Multiple requests submitted in writing, no response within 30 days
- Practice's records of the request lost or incomplete
- Records eventually provided only after OCR opened an investigation
- Fees exceeding cost-based reasonable
- Refusal to provide records in electronic format when readily producible
- Refusal to send records to a third party at the patient's signed direction (post-Ciox the rule on third-party direction is narrower, but a practice still must allow individuals to access their own records and direct them within the permitted scope)
A defensible intake process
A small practice with a working access program has, at minimum:
- A documented intake procedure (in the policy stack)
- A standard request form (the practice can offer one but cannot require its exclusive use)
- A log capturing date received, requester, scope, response actions, response date
- A fee schedule consistent with the HHS guidance
- A workflow that surfaces requests due in 10 days, 5 days, and 1 day
- A trained front-desk team that recognizes a written request when it comes in
- A response template
- Documentation retained for six years per 164.530(j))
The substance vs. the form
Recurring confusion: practices think a patient must use a HIPAA-specific authorization form to access their own records. They do not. The Privacy Rule recognizes any written request from the patient as a valid access request. The practice can offer a form but cannot make it a precondition.
Restraint about claims
The Right of Access is a single Privacy Rule provision among many. Compliance is one moving part of the broader program. No vendor tool replaces a trained workflow at the front desk and a logged response procedure.
How D3rx fits
D3rx SRA Binder Studio includes an access-request workflow template, a fee-schedule reference tied to the HHS guidance, and a log structure that supports the six-year retention. It is a point-in-time administrative documentation aid; the practice remains responsible for the actual handling of each request.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- OCR press release loghttps://www.hhs.gov/hipaa/newsroom/index.html
- 45 CFR 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
- 164.524(c)(4)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524#p-164.524(c
- 164.524(a)(2) and (a)(3)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524#p-164.524(a
- 2020 Ciox decisionhttps://www.hhs.gov/about/news/2020/01/28/individuals-right-of-access-to-health-records.html
- Right to Access guidancehttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
- 164.501https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.501
- 164.508(a)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508#p-164.508(a
- 164.530(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(j
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
HIPAA Policies and Procedures: What a Small Practice Actually Needs
5 min readFoundationsHIPAA Security Rule vs Privacy Rule: A Plain-English Map
5 min readAudits and EnforcementWhat to Do If You Get an OCR Audit Letter
5 min readAudits and EnforcementThe HIPAA Breach Notification Rule, Explained
6 min readRelated across the archive
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- SRAHIPAA Security Rule vs Privacy Rule: A Plain-English MapWhat the Security Rule at 45 CFR Part 164 Subpart C does, what the Privacy Rule at Subpart E does, where they overlap, and which rule the SRA actually answers to.
- SRAWhat to Do If You Get an OCR Audit LetterA step-by-step response framework for a small practice that receives an OCR HIPAA audit or investigation letter, drawn from OCR's audit protocol and published Resolution Agreements.
- RegulationHIPAA Right of Access (45 CFR 164.524)Individuals have a right to inspect and obtain copies of their PHI in a designated record set, in the form and format requested when readily producible, within 30 days.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- GlossaryPatient Right of AccessThe HIPAA right of an individual to inspect and obtain a copy of their PHI in a designated record set.