Skip to main content


Breaking Down the New Rules on Patient Access to Medical Records

Oct 22, 2021 07:00AM ● By Med Magazine

By COPIC’s Patient Safety and Risk Management Department

In the era of open access, patient portals, and new information blocking rules, patients now have the ability to demand documentation of their visits with medical providers. Besides just wanting to review their records, patients sometimes make these requests for issues such as workers’ compensation, divorce and custody controversies, life or disability insurance application reviews, and ongoing legal proceedings. In each situation, sensitive information and potentially adverse comments in the record may result in unfavorable consequences for the patient.

Under HIPAA’s Right of Access, patients have the right to review (free of charge) and receive a copy (for a reasonable, cost-based fee) of their medical and billing records and any other records that are used to make decisions about a patient.

A patient’s right to access his or her electronic medical information was further expanded with the Information Blocking Rule under the 21st Century Cures Act (“Cures Act”) that went into effect April 5, 2021. Upon request, patients and other permitted requestors may now request “immediate” access to a large segment of their medical records and can demand that the information be downloaded to an app of their choosing. Additionally, under the Information Blocking Rule, providing access to other treating physicians (for treatment purposes) must also be provided without undue delay. 

For example, under the Information Blocking Rule, providers should be aware that the Office of the National Coordinator (ONC) has made it clear that lab and test results must be immediately provided, upon request, once those results are available to the facility or practice. It is no longer permitted to delay access until after the physician or other provider has had a chance to review the results. The

ONC has also made clear that access to other treating physicians to requested medical records must be provided, without delay and without requiring a HIPAA authorization form.

A list of the most common records that a provider is not required to produce (i.e., patients do not have a right of access) includes:

  • Quality assurance or professional review materials;

  • Psychotherapy notes;

  • Information prepared in anticipation of a civil, administrative, or criminal action;

  • Clinical Laboratory Improvement Amendments (CLIA) records that are exempt or prohibited from disclosure;

  • A medical record which, if released, would likely cause substantial harm to the patient or another person (in the professional judgment of the provider made on a case-by-case basis);

  • Research study records, but only if the patient agreed during the consent process and only while the clinical trial is in progress (patients must be informed that their right to access will be reinstated following the conclusion of the clinical trial);

  • Information obtained from someone other than a health care provider, such as a family member or close friend, under a promise of confidentiality.

A common myth is that you cannot provide copies of another provider’s records that are contained in your records. This is not true. A HIPAA FAQ1 specifically states that a provider can produce such records and, in fact, it may be a violation of the right of access if you do not do so when requested by the patient.

The Privacy Rule and the Information Blocking Rule require healthcare providers to provide access to the records in the form and format requested by the patient, if readily producible in that form and format, or if not, in a readable hard copy form. For example, under HIPAA, if a patient requests an electronic copy of a paper record, the provider is required to scan the paper information into an electronic format.

  • Under HIPAA: Physicians are required to provide the records in a “timely” manner (as soon as reasonably possible, but no later than 30 days after the request which likely will be reduced to 15 days under a current proposed amendment). 

  • Under the Information Blocking Rule: Access must be provided “immediately” or “without undue delay.” While the terms are not defined, commentary from the ONC makes reasonably clear that access must be provided within minutes or hours. Several days to provide access will not be acceptable. Further, ONC has made clear that compliance with HIPAA’s timeframes will not be a defense to an Information Blocking violation.