
HIPAA Patient Rights: What Therapists Must Know About Access Requests


If you only learn one corner of HIPAA deeply, make it this one. The Right of Access — a patient's right to get a copy of their own records — has been the single most-enforced area of HIPAA by the Office for Civil Rights in recent years.

Starting with its "Right of Access Initiative," OCR has produced dozens of settlements, and an unusually large share of them targeted small practices and solo or near-solo providers. The pattern is almost always the same: a patient asks for their records, the provider drags their feet or refuses, the patient complains, and a routine request becomes a federal settlement.

The good news is that the rules are clear and very learnable. Here is everything a therapist needs to handle access requests correctly.

What the Right of Access Actually Says

Under §164.524, patients have the right to inspect and obtain a copy of the protected health information your practice maintains about them. This includes their clinical records, billing records, and most of what sits in your designated record set.

A few things make this right broader than therapists expect:

  • The patient does not have to explain why they want the records.
  • "I think it might upset them" is not a valid reason to refuse.
  • The patient can ask for records in the form and format they prefer, including electronic, if you can readily produce it that way.
  • The patient can direct you to send a copy to a third party they designate, in writing.

In other words, the default is access. Denial is the narrow exception, not the rule.

The 30-Day Deadline (and the One Extension)

This is the number that gets practices in trouble. You must act on a request within 30 calendar days of receiving it.

"Act on" means either providing the records or, in limited cases, providing a written denial. Thirty days is the maximum, not a target — OCR encourages providers to respond as soon as they reasonably can.

If you genuinely cannot meet the deadline, you may take one 30-day extension, for a total of up to 60 days. To use it, you must, within the original 30 days:

  • Notify the patient in writing of the delay
  • Explain the reason for the delay
  • Give a date by which you will complete the request

You only get one extension. There is no second one, and you cannot use the extension as a routine stalling tactic. Many of OCR's settlements involved providers who simply blew past 30 days with no written extension and no records delivered.

A note on timelines in 2026

Federal modernisation efforts have been pushing toward shorter access timelines and stronger electronic-access expectations. The direction of travel is clearly toward faster, more digital responses, not slower ones. Until any shorter deadline is finalised and effective, the safe, enforceable rule remains 30 days plus one 30-day extension — but you should build habits around responding quickly, because the trend is only tightening. Always check your state law too, since many states already require faster turnarounds than HIPAA.

What You Can Charge

You are allowed to charge a fee for copies, but only a reasonable, cost-based fee. This is heavily restricted, and overcharging has itself triggered enforcement.

A permissible fee may include only:

  • The cost of labour for copying the information, whether paper or electronic
  • The cost of supplies, such as paper or a USB drive, if the patient asks for one
  • Postage, if the patient asks for the records to be mailed
  • The cost of preparing an explanation or summary, but only if the patient agreed to that in advance

What you may not charge for:

  • The cost of searching for or retrieving the records
  • Your overhead, staff verification time, or general administrative costs
  • A flat "per-page" rate that exceeds your actual costs

You also cannot withhold records because the patient owes you money for treatment. An unpaid therapy bill is not a lawful reason to deny access to records. That is a billing matter, handled separately.

When You Can Deny Access — and How Limited That Is

Denials fall into two buckets, and most therapists rarely have grounds for either.

Unreviewable denials (rare)

A small set of denials cannot be appealed — for example, when the information is psychotherapy notes (more on that below), or was compiled for use in a legal proceeding, or where granting access is prohibited by certain other laws. These are narrow and specific.

Reviewable denials (also rare)

The most-cited reviewable ground is that a licensed healthcare professional has determined, in their professional judgment, that access is reasonably likely to endanger the life or physical safety of the patient or another person. This is a genuinely high bar. It is not "the patient might be upset" or "this could be hard to read." It is about a real, articulable safety risk.

If you issue a reviewable denial, the patient has the right to have it reviewed by another licensed professional who was not involved in the original decision. You must tell the patient about this right.

In practice: assume you cannot deny. Treat denial as something you would only do with documented professional reasoning and probably after consulting a colleague or attorney.

The Psychotherapy Notes Exception

This is the part therapists most need to understand, and it is frequently misapplied.

Psychotherapy notes are NOT subject to the Right of Access. A patient cannot demand a copy of your psychotherapy notes under §164.524.

But the definition is strict. Psychotherapy notes are notes recorded by a mental health professional documenting or analysing the contents of a counselling session, kept separate from the rest of the record. They specifically exclude:

  • Medication prescription and monitoring
  • Counselling session start and stop times
  • The modalities and frequencies of treatment
  • Results of clinical tests
  • Diagnoses, functional status, treatment plan, symptoms, prognosis, and progress

That excluded list is essentially your standard clinical record — and all of it is subject to the right of access.

The practical takeaway: the protection only applies if you actually keep your process notes physically and logically separate from the main record. If your private reflections are mixed into your progress notes, they lose the exception and become accessible. If you rely on this protection, keep psychotherapy notes in a genuinely separate file.

Template Language You Can Use

Having ready-made language removes the friction that causes missed deadlines. Here is short, plain wording you can adapt.

To acknowledge a request

"Thank you for your request, received on [date]. This confirms that I have received your request for a copy of your records. I will provide them to you by [date within 30 days]. If you have a preferred format, such as electronic copy or paper, please let me know and I will accommodate it if I am able to."

To invoke the one extension (within the first 30 days)

"I am writing regarding your records request received on [date]. I need additional time to complete it. Under HIPAA I am notifying you that I will provide the records by [date no later than 60 days from the request]. The reason for the delay is [brief, honest reason]."

To confirm a cost-based fee in advance

"There is a fee of [amount] to cover the cost of [labour for copying / supplies / postage]. This is a cost-based fee as permitted under HIPAA. Please confirm you would like to proceed and I will prepare the records."

Keep a copy of every acknowledgment, every fee notice, and a log of the request date and the date you fulfilled it. That paper trail is exactly what OCR asks for when a complaint lands.

A Simple Workflow That Keeps You Safe

  • Log the date the moment a request arrives — your clock starts then
  • Verify the requester's identity, but do not let verification become a stalling excuse
  • Confirm what they want and in what format
  • Calendar the 30-day deadline immediately, with a reminder a week early
  • Decide whether the request touches genuinely separate psychotherapy notes
  • Provide the records, or — only with real grounds — a written denial that explains review rights
  • File copies of everything

Most access complaints are not malicious. They come from patients who waited, heard nothing, and felt ignored. A prompt acknowledgment and an on-time delivery prevent almost all of them.
