In this blog, we will discuss one of the “rights” that HIPAA gives individuals concerning their medical records. HIPAA provides the individual with the right to access their records in a “timely” fashion. While it is not the most cumbersome task in many Pharmacies, a patient’s request to access their records is something Pharmacies must respond to in a quick and timely fashion.

The Office for Civil Rights (OCR), the agency responsible for the enforcement of HIPAA, believes that a Patient having access to their records in a timely manner leads to lower healthcare costs and better outcomes. To drive this idea home, the OCR has been on a mission. Between September 2019 and June 2021, the OCR issued fines totaling over $1.1 Million to 19 HIPAA covered entities (individual penalties ranged from $5,000 to $200,000 and averaged a little more than $60,000 per fine; source: OCR’s HIPAA News Releases & Bulletins).

We also see that an additional $27 million was collected as part of 16 other investigated violations unrelated to access to records during the same period. It’s clear the OCR is focused on ensuring access to records and is not holding back on investigating and instituting fines when they determine the access to records and other areas of the HIPAA Rules have been violated.

Request for Access

When a Pharmacy receives a request for access from a patient (or personal representative), the Pharmacy needs to provide access within 30 days. The Pharmacy may notify the patient if additional time (up to 30 days) is required. This does not typically occur in Pharmacies, but the extra time is available if it is needed for whatever reason. Some State laws have stricter time frames that will supersede the HIPAA regulations and must be followed.

The patient may request that the copies be in an electronic format. If so, the Pharmacy will need to comply with the request as long as the Pharmacy Management System and/or other Computer Systems can provide the data in the requested format.

When a parent or spouse requests the records of their spouse or children (above the State age of medical consent), you should mail the requested records directly to the patient with a note stating who requested the records and instructions for the individual to provide the records to the requestor if they approve.  Sending the records in this fashion ensures that you are not violating the patient’s privacy by giving their medical records to their spouse or parent.

Fee for Access

The Federal Government allows you to charge a reasonable cost-based fee for providing access; however, many states do not permit a fee – in these cases, you would need to follow your state laws. If you are charging fees, please review the OCR Guidance about fees.

Denying Access

Technically you could deny access. However, in most Pharmacy situations, it may be hard to deny access.  The regulation provides instances when you may deny access and further breaks them down into two areas, Non-Reviewable and Reviewable.


Non-Reviewable

  • Psychotherapy notes (not something most Pharmacies will have)
  • Information created in reasonable anticipation of legal proceedings (access to the actual patient’s records used to generate the information cannot be denied)
  • Requests from an inmate in a correctional institution
  • During a research project for as long as the research is ongoing and provided the patient agreed to a “denial of access”


Reviewable

  • Pharmacist (or other licensed health care professional) determines in the exercise of professional judgment that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person
  • Records refer to another person’s health information

If a denial is reviewable, the patient has the right to have the Pharmacy designate another health care professional (that did not participate in the initial denial) to review the request and the reasons for the denial.  The Pharmacy must provide access if the health care professional determines access should be provided.

If denying access, you must provide a denial in writing to the individual no later than 30 days after the request was made or no more than 60 days if you notified the patient of an extension. The written denial must be in plain English and inform the patient of their right to have the denial reviewed, if applicable.

The Future

In 2019, OCR proposed some updates to individuals’ right to access their records and requested comments from interested parties. As of July 2021, the OCR has closed the comment period and is currently reviewing the comments.  These potential changes include:

  • Changing the initial time frame to receive records to 15 days with a potential for an additional 15 days.
  • Allowing Patients to take notes and photos of their records during interactions
  • Changes to the requirements of providing access and transmitting electronic records when available
  • Reducing identity verification
  • Posting estimated fees schedules for access requests on company websites and providing itemized bills for access to records

How Can PRS Help?

PRS has been at the forefront of HIPAA Compliance for Pharmacy since the beginning of HIPAA in 2003. Our HIPAATrack Program (and all of our Programs) has been developed by individuals who own and have worked in Pharmacies.

PRS’s HIPAATrack is designed to walk you through the process of implementing and maintaining the Pharmacy’s HIPAA Compliance Program. The Program provides Policies, Procedures, and Forms following the HIPAA Regulations.  The HIPAATrack program also contains online HIPAA Training based on the included Policies and Procedures, so there are no worries whether your employees are receiving training or just education.

For more information about PRS Pharmacy Services’ Pharmacy Compliance Offerings, click on one of the following links, HIPAATrack and COMPLIANCETrack, or call PRS at 1-800-338-3688. Join the thousands of independent pharmacies that currently enjoy the benefits of PRS’s Compliance Programs.