Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

  • About HHS
  • Programs & Services
  • Grants & Contracts
  • Laws & Regulations
  • Radical Transparency
  • Big Wins
  • HIPAA for Individuals
  • Filing a Complaint
  • HIPAA for Professionals
  • Newsroom
Breadcrumb
  1. HHS
  2. HIPAA Home
  3. For Professionals
  4. FAQ
  5. 2046-Under what circumstances may a covered entity deny an individual’s request for access to the individual’s PHI?
  • Authorizations (30)
  • Business Associates (41)
  • Compliance Dates (2)
  • Covered Entities (14)
  • Decedents (9)
  • Disclosures for Law Enforcement Purposes (5)
  • Disclosures for Rule Enforcement (1)
  • Disclosures in Emergency Situations (2)
  • Disclosures Required by Law (6)
  • Disclosures to Family and Friends (28)
  • Disposal of Protected Health Information (6)
  • Facility Directories (7)
  • Family Medical History Information (3)
  • FERPA and HIPAA (10)
  • Group Health Plans (3)
  • Incidental Uses and Disclosures (10)
  • Judicial and Administrative Proceedings (8)
  • Minimum Necessary (14)
  • Notice of Privacy Practice (20)
  • Preemption of State Law (10)
  • Privacy Rule: General Topics (12)
  • Protected Health Information (2)
  • Public Health Uses and Disclosures (13)
  • Research Uses and Disclosures (20)
  • Right to an Accounting of Disclosures (8)
  • Right to File a Complaint (1)
  • Right to Request a Restriction (4)
  • Safeguards (13)
  • Security Rule (24)
  • Smaller Providers and Businesses (145)
  • Student Immunizations (8)
  • Transition Provisions (3)
  • Treatment, Payment, and Health Care Operations Disclosures (30)
  • Workers Compensation Disclosures (5)
  • Limited Data Set (6)
  • Marketing (17)
  • Marketing - Refill Reminders (16)
  • Personal Representatives and Minors (12)
  • Right to Access and Research (58)
  • Mental Health (35)
  • Health Information Technology (41)
  • Telehealth (11)

Under what circumstances may a covered entity deny an individual’s request for access to the individual’s PHI?

A covered entity may deny an individual access to all or a portion of the PHI requested in only very limited circumstances. For example, a covered entity may deny an individual access if the information requested is not part of a designated record set maintained by the covered entity (or by a business associate for a covered entity), or the information is excepted from the right of access because it is psychotherapy notes or information compiled in reasonable anticipation of, or for use in, a legal proceeding (but the individual retains the right to access the underlying PHI from the designated record set(s) about the individual used to generate this information).

Another limited ground for denial exists if a licensed health care professional determines in the exercise of professional judgment that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person. For example, a covered entity may deny a suicidal patient access to information that a provider determines in his professional judgment is reasonably likely to lead the patient to take her own life. However, we stress that this ground is narrowly construed in order to protect individuals’ autonomy interests and their right under the Privacy Rule to obtain information about themselves, which is fundamental in facilitating individuals’ active participation in their own health care. General concerns about psychological or emotional harm are not sufficient to deny an individual access (e.g., concerns that the individual will not be able to understand the information or may be upset by it). In addition, the requested access must be reasonably likely to cause harm or endanger physical life or safety. Thus, concerns based on the mere possibility of harm are not sufficient to deny access. As a result, we expect this ground for denial to apply in extremely rare circumstances. Further, an individual who is denied access based on these grounds has a right to have the denial reviewed by a licensed health care professional designated by the covered entity as a reviewing official who did not participate in the original decision to deny access.

For a complete list of the grounds and conditions for denial of access, see 45 CFR 164.524(a)(2)-(4). Note that an individual may not be required to provide a reason for requesting access, and the individual’s rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access.

If a covered entity denies access, in whole or in part, to PHI requested by the individual based on one or more permitted grounds, the covered entity must provide a denial in writing to the individual no later than 30 calendar days after the request (or no more than 60 calendar days if the covered entity notified the individual of an extension). See 45 CFR 164.524(b)(2). The denial must be in plain language and describe the basis for denial; if applicable, the individual’s right to have the decision reviewed and how to request such a review; and how the individual may submit a complaint to the covered entity or the HHS Office for Civil Rights. See 45 CFR 164.524(d).

The covered entity must, to the extent possible, provide the individual with access to any other PHI requested, after excluding the PHI to which the entity has a ground to deny access. See 45 CFR 164.524(d)(1).

Content created by Office for Civil Rights (OCR)
Content last reviewed June 24, 2016
Back to top

Subscribe to Email Updates

Receive the latest updates from the Secretary and Press Releases.

Subscribe
  • Contact HHS
  • Careers
  • HHS FAQs
  • Nondiscrimination Notice
  • Press Room
  • HHS Archive
  • Accessibility Statement
  • Privacy Policy
  • Budget/Performance
  • Inspector General
  • Web Site Disclaimers
  • EEO/No Fear Act
  • FOIA
  • The White House
  • USA.gov
  • Vulnerability Disclosure Policy
HHS Logo

HHS Headquarters

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775​

Follow HHS

Follow Secretary Kennedy