When a Client Wants Their Records: What the HIPAA Rule Actually Says
If you’ve ever had a client email you asking for “everything in their chart,” you’re not alone. It’s becoming more common as clients (and insurance companies) get savvier about their rights.
But what are you actually required to share under HIPAA?
Under the HIPAA Privacy Rule, clients and their legal representatives have the right to inspect and obtain a copy of their records.
That includes anything you use to make decisions about their care. You must provide the records within 30 days of the request; however, you may request an additional 30 days if you provide written notice explaining the delay.
Clients can request records in paper or electronic form, depending on what’s feasible for your practice.
And no, you can’t deny access just because you’re worried they might disagree with your notes or misinterpret your recommendations. (Yes, even if you know they’ll take that “reduce sodium” note personally.)
What Counts as the “Designated Record Set”
Here’s where most dietitians get tripped up: not everything in your EMR is considered part of the “designated record set.”
You are required to share any documentation that informs decisions about the client’s care, such as:
- Initial and follow-up MNT session notes
- Nutrition assessments, care plans, and goals
- Correspondence with other providers (if it influenced care)
- Lab interpretations or summaries used in your recommendations
- Progress tracking or SMART goal documentation
What you don’t have to provide:
- Administrative paperwork (like scheduling notes or billing records)
- Personal reminders or draft notes are intended solely for your use.
- Copyrighted or generic educational handouts (though including them can show transparency)
This distinction is particularly important when handling MNT insurance denials. If a payer ever audits your documentation or a client requests records after a denied claim, you want your “designated record set” to be clear, compliant, and professional.
Do You Have to Include Handouts or Educational Materials?
If the handouts you provided were specific to the client’s plan of care—say, a customized carbohydrate-counting guide—it’s good practice to include them in the record release. However, HIPAA doesn’t require it.
Generic materials like “High Fiber Food List” or “Healthy Plate Visuals” don’t count as part of the legal record. That said, many dietitians still choose to include them for context or as a gesture of goodwill.
Can You Charge a Fee for Record Requests?
Yes, but only within reason.
HIPAA allows you to charge a cost-based fee that reflects your actual expense in preparing and delivering the records.
This can include:
- Labor for copying or scanning
- Postage (if mailed)
- The cost of a USB or CD (if applicable)
What’s not allowed? “Retrieval,” “review,” or “administrative” fees.
Most dietitians charge between $ 10 and $30 for lengthy or complex record requests, although many waive the fee for electronic copies or short records.
How to Handle Record Requests Like a Pro
Having a clear process saves you from stress when these requests pop up, especially if they’re linked to MNT insurance denials or disputed claims.
Here’s your quick checklist:
- Have a written policy in your HIPAA Notice of Privacy Practices that outlines how clients can request their records.
- Use a formal record request form noting the date, scope (e.g., “all MNT records from 2023–2024”), and format (PDF, portal, printed).
- Redact any third-party identifiers, for example, if your notes mention a family member or another client.
- Deliver records securely via encrypted email, patient portal, or secure mail.
Keep documentation of what was sent and when.
Don’t Forget State Law
HIPAA sets the baseline, but your state law may be stricter.
Some states require you to fulfill requests faster (within 15 days) or limit what you can charge. Always check your state’s health record access laws to stay compliant.
The Bottom Line
When clients request their nutrition records, it’s not a personal matter; it’s their right.
As a provider, it’s your responsibility to handle the request confidently, professionally, and in accordance with the law.
And if your record-keeping ever comes into play during an MNT insurance denial, having organized, compliant documentation can protect your practice and your reputation.
HIPAA isn’t here to trip you up; it’s here to remind you that good documentation is good business.