Fulfilling patients’ rights to access their medical records
By Joe DeLoach, OD, FAAO
Sept. 17, 2025
Access to medical records is an ongoing source of confusion and misinformation in many health care practices, including optometry practices.
Through visits to offices, monitoring blog comments and conversations with colleagues, it is clear that uncertainty persists regarding the release of patients’ medical records.
Access to medical records is a major focus of the Office for Civil Rights (OCR) and the recent HIPAA omnibus rule. It is also central to upcoming proposed HIPAA privacy rule changes. The OCR made its position clear in its August 2023 statement: “OCR will spare nothing and no one in the quest to reduce the complaints against small physician practices related to record access.”
While HIPAA does not explicitly state who owns the medical record in all cases, it clearly establishes that patients have extensive rights regarding their medical records. Let’s review!
Who Can You Release Information To
There are six main situations regarding the release of patient information:
- The patient – for best compliance, always provide what the patient requests.
- Someone the patient asks you to send their records to.
- Release of records to another health care provider you referred the patient to for coordination or referral care.
- Law enforcement, judges or court action and other special conditions.
In these four situations, no signed release from the patient is required. This is reinforced in the proposed rule changes.
- Someone seeking information not directly requested by the patient or where it is unclear if the patient requested the release.
- Any other entity requesting or needing patient information.
In these two situations, a signed release from the patient is required.
What Information Is Considered Part of the Medical Record
What doctors and payers consider the patient’s medical record is not always the same as the HIPAA “designated record set.” The designated record set includes everything involved in the patient’s care – examination results, diagnostic testing results, ancillary notes, billing and payment records, insurance claim submission data and more. When a patient requests their records, they have the right to specify any and all data considered part of the designated record set.
Patient Acknowledgment
Patients have the right to their complete medical records. The Department of Health and Human Services (HHS) makes it clear that any attempt to delay or impose unreasonable barriers to access is a violation of patient rights.
While making a patient sign a form to release their own records is not illegal, HHS discourages this practice, stating it could present an undue barrier. The same applies to requests to release records to other individuals or entities at the patient’s direction. Any action that could delay access may be considered a violation. Any time it is unclear whether the patient is directly requesting the release, a signed acknowledgment is appropriate.
Release of records for coordination or referral of care does not require patient acknowledgment. Such release is considered part of the patient’s treatment and carries implied consent.
Release of records to a court, law enforcement or legal counsel, or when the physician deems it in the patient’s best interest, does not require patient acknowledgment.
Payer requests for medical records for audit purposes also do not require patient acknowledgment.
A signed release is recommended any time the release is not initiated by the patient, not related to coordination of care or is not a legal issue as described. If the provider is unsure whether the request came from the patient, a signed release is recommended.
What About Requests for Patient Records from Vendors?
A unique situation involves ophthalmic vendors requesting patient prescriptions for glasses or contact lenses. No acknowledgment is required here, as the doctor must release the prescriptions under other federal laws, with few exceptions. However, if it is unclear whether the patient requested the release, it is wise to obtain and document at least verbal consent.
Prescriptions themselves are not considered part of the designated record set. Release of prescription data is governed by federal FTC rules and, in many cases, state laws.
When required, acknowledgment (verification) of the request can be written or verbal (documented in the medical record). HIPAA leaves to the provider’s discretion whether to verify identity by photo ID or other means.
Form of Release
The Privacy Rule requires providers to release records in the form and format requested by the patient. The patient may request paper copies, encrypted portal delivery, encrypted email or even unsecure email with written acknowledgment. The records must include all examination data and diagnostic testing results. The patient has the right to request actual copies of diagnostic test results.
A patient may request their records be downloaded to a storage device they provide, though providers are not required to use patient-supplied devices due to security concerns; using a provider-supplied device is best. Providers cannot charge a patient for a storage device they provide. Under the new omnibus rule, patients also have the right to capture digital copies of their records using a smartphone.
Timeliness of Providing Access
Originally, HIPAA allowed up to 30 days to provide records. Recent amendments reduced this to 15 days. Many states already require 15 days or less. Regardless, providers should produce records without delay. HHS states electronic medical records make immediate provision feasible.
Fees for Copies
Charging patients for their medical records is discouraged by HHS.
If the provider uses electronic health records, HHS maintains there is no meaningful work involved in transferring records and no fee should be charged to the patient. Providers may charge a flat fee of $6.50, though this is not recommended as it may upset patients.
For paper records, providers may charge a reasonable, cost-based fee if the patient requests a copy or summary of their protected health information. The fee can include only the cost of: (1) labor for copying whether paper or electronic; (2) supplies for creating copies; (3) postage when mailing; and (4) preparation of a summary if requested by the patient.
The fee cannot include costs associated with verification, documentation, searching, maintaining systems, recouping capital or other unauthorized expenses, even if state law allows such charges. Charging excessive fees, such as $2 for 20 pages at 10 cents per page, is a good way to upset patients.
A proposed amendment would eliminate all fees for patients to obtain their medical records.
Providers may charge payers or their designees for audit-related requests as allowed by state law. However, most provider contracts forbid charging payers for record release. State laws allowing larger fees often do not override HIPAA and are generally invalid. In certain cases, state law may apply for releasing records to an entity not designated by the patient.
Grounds for Denial of Access
Legitimate reasons to deny a patient access to their medical records are rare and may include:
- The information is part of a clinical investigation.
- Granting access is likely to endanger the life of the patient or another person.
- Granting access is likely to cause harm to the patient.
Access cannot be denied because the patient or their insurer owes the provider money.
Bottom Line: Give Patients Their Records
More information is available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
Joe DeLoach, OD, FAAO, is chief compliance officer for Practice Performance Partners (PPP) and former Clinical Professor at the University of Houston College of Optometry. To contact: joe@practiceperformancepartners.com
