skip to Main Content

Making Requests

Let’s start with the first step to accessing health information: making the request. How can individuals request medical records or other health information? What information must patients or caregivers provide as part of the request? How can providers verify individuals’ identities? Answers to these questions and more can be found in this section. Don’t miss out on the quiz!

Ready to Test Your Knowledge? Take the Quiz!

Making Requests for Access

“A covered entity may require individuals to request access in writing, provided the covered entity informs individuals of this requirement. See 45 CFR 164.524(b)(1). Covered entities also may offer individuals the option of using electronic means (e.g., e-mail, secure web portal) to make requests for access. In addition, a covered entity may require individuals to use the entity’s own supplied form, provided use of the form does not create a barrier to or unreasonably delay the individual from obtaining access to his PHI, as described below.”¹

1. HHS: Health Information Privacy Division. (2016, February). 

Identity Verfication

“The Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access. See 45 CFR 164.514(h). The Rule does not mandate any particular form of verification (such as obtaining a copy of a driver’s license), but rather generally leaves the type and manner of the verification to the discretion and professional judgment of the covered entity, provided the verification processes and measures do not create barriers to or unreasonably delay the individual from obtaining access to her PHI, as described below. Verification may be done orally or in writing and, in many cases, the type of verification may depend on how the individual is requesting and/or receiving access – whether in person, by phone (if permitted by the covered entity), by faxing or e-mailing the request on the covered entity’s supplied form, by secure web portal, or by other means.”

For Example

For Example


“For example, if the covered entity requires that access requests be made on its own supplied form, the form could ask for basic information about the individual that would enable the covered entity to verify that the person requesting access is the subject of the information requested or is the individual’s personal representative.”


“For those covered entities providing individuals with access to their PHI through web portals, those portals should already be set up with appropriate authentication controls, as required by 45 CFR 164.312(d) of the HIPAA Security Rule, to ensure that the person seeking access is the individual or the individual’s personal representative.”

Not Allowed

Not Allowed

For example, a doctor may not require an individual:

  • Who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.
  • To use a web portal for requesting access, as not all individuals will have ready access to the portal.
  • To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access;

While a covered entity may not require individuals to request access in these manners, a covered entity may permit an individual to do so, and covered entities are encouraged to offer individuals multiple options for requesting access.

Unreasonable Measures

While the Privacy Rule allows covered entities to require that individuals request access in writing and requires verification of the identity of the person requesting access, a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access.

Want More Details?

OCR answers a frequently asked question:

  • Standing Access

    May a covered entity accept standing requests from individuals to access their PHI or to have their PHI sent to a third party of their choice?

    Yes, and covered entities should have processes in place that enable individuals to receive access to their PHI, including to direct a copy of their PHI to a third party of their choice, on a standing, regular basis, without requiring individuals to repeat their requests for access every time a copy of their PHI is to be sent or otherwise made accessible.  Further, covered entities should take advantage of technology and tools that automate such regular access.

Ready to Test Your Knowledge? Take the Quiz!

Patient Stories

Back To Top