Skip to Main Navigation
Skip to Main Content
The University of Texas at Dallas

HIPAA Privacy Manual

Section 9: Access and Denial of Patient Request for PHI


The information in this document applies to all UTD faculty, staff, students, volunteers, and any other contractors or agents granted access to Protected Health Information (PHI).


Record: Any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated.

Designated Record Set: A group of records maintained by or for UTD that are the medical records and billing records about patients maintained by or for UTD; the enrollment, payments, claims adjudication, and case or medical management record systems maintained by or for a health plan; or used, in whole or in part, by or for UTD to make decisions about patients.


The access and denial process is managed by the custodians of the unit or subsidiary medical record. Patients have a right to inspect and receive a copy, at their expense, of the PHI in their designated record set. Exceptions to this include: psychotherapy notes, but not a summary of these (Use and Disclosure of Psychotherapy Notes); information compiled in anticipation of or use in a civil, criminal, or administration action or proceeding; and Employee Assistance Program (EAP) records, which are not part of the record set, but may be requested separately. These rules and procedures are to ensure the patient’s rights are protected.

Procedure: All faculty and staff must strictly observe the following standards:


A patient has the right to inspect, or receive copies of PHI about the patient in a designated record set for as long as the PHI is maintained in the designated record set. If UTD does not maintain the PHI that is the subject of the patient’s request for access, and UTD knows where the requested information is maintained, UTD must inform the patient where to direct the request for access. The patient must make the request in writing using the General Authorization form. Based on Texas law, UTD must act on the patient's request no later than the 15th business day after receipt and payment of the request. UTD shall: make the information available, in full or in part, for examination; or inform the authorized requestor if the information does not exist, cannot be found, or is not yet complete. Upon completion or location of the information, UTD will notify the patient.

If the access is granted, in whole or in part, UTD must comply with the following requirements:

  • UTD must provide the patient access to his/her PHI in the designated record sets, including inspection or receiving a copy, or both. If the same PHI that is the subject of a request for access is maintained in more than one designated record set or at more than one location, UTD need only produce the PHI once in response to a request for access.
  • UTD must provide the patient with access to the PHI in the form or format requested by the patient, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by both parties.
  • UTD may provide the patient with a summary of the PHI requested, in lieu of providing access to the PHI or may provide an explanation of the PHI to which access has been provided, if: The patient agrees in advance to such a summary or explanation; and the patient agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation.
  • UTD must provide the access as requested by the patient in a timely manner, including arranging with the patient for a convenient time and place to inspect or receive a copy of the PHI, or mailing the copy of the PHI at the patient’s request. UTD may discuss the scope, format, and other aspects of the request for access with the patient as necessary to facilitate the timely provision of access.

If the patient requests a copy of the PHI or agrees to a summary or explanation of such information, UTD may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:

  1. Copying, including the cost of supplies for and labor of copying, the PHI requested. The fee schedule for these services is set by the State of Texas. To obtain the fee schedule contact the Medical Records Department (MRD)
  2. Postage, if the patient has requested the copy, summary, or the explanation be mailed. The fee schedule for postage can be obtained from MRD; and preparing an explanation or summary of the PHI, if agreed to by the patient.

DENIAL OF PHI PROCEDURE: UTD must allow a patient to request access to inspect or receive a copy of PHI maintained in their designated record set. However, UTD may deny a patient’s request without providing an opportunity for review when:

  • an exception detailed above in the policy statement exists;
  • UTD is acting under the direction of a correctional institution and the prisoner’s request to obtain a copy of PHI would jeopardize the patient, other prisoners, or the safety of any officer, employee, or other person at the correctional institution, or a person responsible for transporting the prisoner;
  • the patient agreed to temporary denial of access when consenting to participate in research that includes treatment, and the research is not yet complete;
  • the records are subject to the Privacy Act of 1974 and the denial of access meets the requirements of that law;
  • the PHI was obtained from someone other than UTD under a promise of confidentiality and access would likely reveal the source of the information

UTD may also deny a patient access for other reasons, provided that the patient is given a right to have such denials reviewed under the following circumstances:

  • a licensed healthcare provider, designated or appointed by the Clinical Review Committee, has determined that the access is likely to endanger the life or physical safety of the patient or another person;
  • the PHI makes reference to another person who is not a healthcare provider, and a licensed healthcare professional, designated or appointed by the Clinical Review Committee, has determined that the access requested is likely to cause substantial harm to such other person;
  • the request for access is made by the patient’s surrogate decision maker and a licensed healthcare professional, designated or appointed by the Clinical Review Committee, has determined that access is likely to cause substantial harm to the patient or another person.

If access is denied on a ground permitted above, the patient has the right to have the denial reviewed by a licensed healthcare professional, designated or appointed by the Clinical Review Committee to act as a reviewing official, and who did not participate in the original decision to deny. UTD must provide or deny access in accordance with the determination of the reviewing official.

If UTD denies access, in whole or in part, to PHI, UTD must comply with the following requirements: UTD must, to the extent possible, give the patient access to any other PHI requested, after excluding the PHI to which UTD denied access.

UTD must provide a timely, written denial to the patient, in plain language and containing:

  • The basis for the denial;
  • If applicable, a statement of the patient’s review rights, including a description of how the patient may exercise such review rights; and a description of how the patient may complain to UTD pursuant to the Privacy Complaint Policy.

If the patient has requested a review of a denial, UTD must designate or appoint a licensed UTD health care professional by the Clinical Review Committee, who was not directly involved in the decision to deny access. UTD must promptly refer a request for review to such licensed health care professional. The licensed health care professional must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards discussed before under procedures. UTD must promptly provide written notice to the patient of the findings of the Clinical Review Committee, and take other action as required by this section to carry out the licensed health care professional’s determination.

Enforcement: All supervisors are responsible for enforcing this policy. Individuals who violate this policy will be subject to the appropriate and applicable disciplinary process, up to and including termination or dismissal.