When Can You Legally Deny Patient Access to Their Records? A Guide to HIPAA Denial Rules (45 CFR § 164.524(a))
Executive Summary
Small healthcare practices must balance regulatory obligations with patient expectations, particularly when responding to medical record access requests. Under 45 CFR § 164.524, the HIPAA Privacy Rule grants individuals the right to inspect and obtain a copy of their Protected Health Information (PHI) in a designated record set. However, there are narrow, legally defined situations where access may be denied. These denials are either “reviewable” or “unreviewable,” each requiring distinct procedures. This article provides a practical roadmap for understanding and applying denial provisions lawfully, protecting your practice from noncompliance, and safeguarding patient trust.
Introduction
For small healthcare providers, meeting HIPAA’s access requirements can present significant operational challenges, especially when sensitive medical details, mental health information, or legal proceedings are involved. Covered entities must know not only when access must be granted, but also when it may be denied and how to navigate each scenario in strict accordance with federal law. Improper handling of denial procedures can result in Office for Civil Rights (OCR) investigations, patient complaints, and costly enforcement actions. This article outlines the essential guidance on lawful denial practices under § 164.524, tailored for the realities of small practices.
Understanding the Right of Access
The right of access applies to PHI maintained in a “designated record set,” which generally includes:
- Medical records
- Billing records
- Records used to make decisions about the individual
This right extends to patients and to their personal representatives, and it lasts for as long as the PHI is maintained in a designated record set. Covered entities must act on an access request within 30 days of receiving it. One 30-day extension is allowed, provided the individual is told in writing, within the original 30 days, why the delay is needed and when the request will be completed. A reasonable, cost-based fee may be charged for labor for copying, supplies, and postage, but the fee must not become a barrier to access. PHI must be provided in the form and format the individual requests if it is readily producible that way; when PHI is maintained electronically and the individual asks for an electronic copy, one must be provided if it is readily producible, otherwise in a readable electronic form agreed to by both parties.
Unreviewable Denial Grounds
- Psychotherapy Notes: Notes recorded by a mental health professional that document or analyze the contents of a counseling session and are kept separate from the rest of the medical record. They are excluded from the right of access altogether. The exclusion does not cover medication prescription and monitoring, session start and stop times, treatment modalities and frequencies, clinical test results, or summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress; that information remains accessible.
- Records for Legal Proceedings: PHI compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. The compilation itself may be withheld without a right to review; the underlying medical and billing records it draws on remain accessible through an ordinary request.
- Ongoing Research Restrictions: Access may be denied temporarily during research that includes treatment, if the individual agreed to the temporary denial when consenting to participate and was told that the right of access would be reinstated when the research is complete.
- Privacy Act Exemptions: PHI contained in records that are subject to the federal Privacy Act may be withheld if the denial would also satisfy that Act's requirements.
- Confidential Source Protection: If the PHI was obtained from someone other than a healthcare provider under a promise of confidentiality, and access would be reasonably likely to reveal that source, the request may be denied.
- Inmate Security Concerns: For an inmate of a correctional institution, a request for a copy of PHI may be denied if obtaining the copy would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of officers, employees, or others at the institution. This exception applies only to copies; the right to inspect the PHI remains.
Reviewable Denial Grounds
Unlike unreviewable denials, these must follow specific procedures, including offering the individual a review by a licensed, uninvolved healthcare professional. These reviewable grounds include:
- Threat to Safety: A licensed healthcare professional has determined, in the exercise of professional judgment, that access is reasonably likely to endanger the life or physical safety of the individual or another person. Emotional harm alone is not sufficient.
- Substantial Harm to Others: The PHI makes reference to another person (other than a healthcare provider), and a licensed healthcare professional has determined that access is reasonably likely to cause substantial harm to that person.
- Personal Representative Risks: The request comes from a personal representative, and a licensed healthcare professional has determined that providing access to that representative is reasonably likely to cause substantial harm to the individual or another person. Denial on this ground is likewise subject to review.
In each scenario, the patient must be notified of the denial and informed of their right to request an independent review.
The Denial Process and Patient Rights
- Issue a Timely, Written Denial: The patient must receive a written denial, in plain language, within 30 days of the request (or within 60 days if a valid extension was issued). The notice must state:
  - The basis for the denial
  - Whether the denial is subject to review and, if so, how to request a review
  - How to file a complaint with the practice, including the name or title and telephone number of the contact person, and how to file a complaint with the HHS Secretary
- Facilitate the Review (if Applicable): For a reviewable denial, the practice must promptly refer the request to a licensed healthcare professional who did not participate in the original decision. The reviewer decides within a reasonable time, and the practice must promptly notify the individual in writing and act on the reviewer's determination; that determination is binding.
- Provide Partial Access: If only part of the requested PHI falls under a denial ground, the remainder must still be provided, to the extent the two can be separated.
- Document Everything: All access requests, denial decisions, review referrals and outcomes, and related communications must be documented and retained so the practice can demonstrate compliance during an audit or investigation.
A real-world case study:
A small health clinic adopted practices that prevented it from providing timely access to its patients' medical records. It also issued unclear denial letters that did not inform patients of their right to request a review of the decision. After receiving multiple complaints, the Office for Civil Rights (OCR) opened an investigation. The clinic ultimately signed a resolution agreement that required a payment of $65,000, a formal update of its policies, and a two-year corrective action plan. The violations were not intentional; they stemmed from a misunderstanding of what constitutes an adequate denial. For a small medical practice, that misunderstanding was expensive.
Common Pitfalls
- Confusing Note Types: A frequent error is treating regular progress notes (which are part of the designated record set and must be provided) as psychotherapy notes (which are excluded). Misclassifying notes leads to improper denials.
- Failure to Meet Timelines: Missed deadlines are among the most common violations cited by OCR. Even when the reason for a delay is legitimate, a written extension notice must be sent within the original 30 days.
- Incomplete Denial Letters: Vague or partial explanations are not compliant. A denial notice must contain every required element: the basis for the denial, the review right and how to exercise it, and complaint instructions for both the practice and HHS.
- Improper Denial Reasons: Practices sometimes deny access because they believe the patient may misunderstand the information or experience emotional distress. Neither is a valid ground for denial under the rule.
- Omitting the Right to Review: If the denial is reviewable, the patient must be explicitly told of the right to request a review and how to do so. Omitting this can trigger enforcement action.
Expert Tips
- Define the Designated Record Set in Writing: Establish what is included in your designated record set and what is not. This reduces uncertainty when processing requests.
- Use Standardized Denial Templates: Create templates that include all mandatory language for both reviewable and unreviewable denials. This reduces legal risk and saves time.
- Develop a Written SOP: A formal Standard Operating Procedure ensures consistency across staff and supports procedural compliance.
- Train Staff Annually: Make sure everyone involved in patient communications understands access rights, timelines, and the valid grounds for denial.
- Designate Review Personnel in Advance: Identify at least one licensed healthcare professional who is not involved in the patient's care to serve as a reviewer when needed.
- Audit Your Access Log Regularly: Monitor requests, denials, and timelines to identify trends, training needs, or compliance gaps before OCR does.
Simplified Compliance Checklist
| Task | Responsible Party | Timeline | Reference |
|---|---|---|---|
| Define Designated Record Set | Compliance Officer | Initial Setup | 45 CFR § 164.524(e) |
| Respond to Access Requests | Records Manager | ≤ 30 Days | 45 CFR § 164.524(b)(2) |
| Issue Written Denial Notices | Compliance Lead | At Time of Denial | 45 CFR § 164.524(d) |
| Offer Review Option (if applicable) | Designated Reviewer | Upon Request | 45 CFR § 164.524(a)(4), (d)(4) |
| Provide Partial Access | Records Manager | Ongoing | 45 CFR § 164.524(d)(1) |
| Document All Activity | Compliance Officer | Continuous | 45 CFR § 164.530(j) |
| Train Staff on Denial Rules | Compliance Lead | Annually | 45 CFR § 164.530(b) |
Regulatory References and Official Guidance
Concluding Recommendations and Next Steps
Complying with HIPAA's access requirements doesn't end with saying "yes" or "no" to a patient. Each response must be carefully evaluated, documented, and delivered in accordance with the rule. Small practices can protect themselves and their patients by instituting clear policies, ongoing training, and reliable review mechanisms.
Next Steps:
- Review and update your access policies to ensure proper classification of denial grounds
- Prepare and implement standardized denial response templates
- Assign independent clinical reviewers for denial appeals
- Train all staff on timelines and documentation protocols
- Conduct quarterly audits of your access and denial logs
- Subscribe to HHS updates to stay current on enforcement trends
When in doubt, always err on the side of transparency but stay firmly within HIPAA’s legal framework.