Handling Patient Data Requests: A Practical Guide to GDPR, HIPAA, and Beyond
A patient emails on Tuesday asking for a copy of all their records. Under HIPAA, you have 30 days. Under GDPR, you have 30 days. Under most local equivalents, you have somewhere between 15 and 45 days. Miss the window or fumble the response, and you've turned a routine request into a complaint to a regulator.
The right workflow makes data requests a 15-minute task. The wrong workflow turns them into a recurring crisis. Here's the right one.
What patients can actually request
| Right | What it means | Typical deadline |
|---|---|---|
| Access | Copy of all data the clinic holds on them | 30 days |
| Portability | Same data in machine-readable format | 30 days (GDPR) |
| Correction | Fix factual errors | 30 days |
| Deletion ("right to be forgotten") | Erase data, subject to clinical/legal exceptions | 30 days, often partial |
| Restriction of processing | Stop certain uses (e.g., marketing) | Immediate |
A 4-step response workflow
- Acknowledge within 48 hours. "We received your request; we'll respond by [date]." Removes urgency and starts the clock cleanly.
- Verify identity. Don't email records to anyone who asks. A copy of ID plus a known patient identifier is the bar.
- Compile the export. Your clinic system should support this natively. If it doesn't, that's a vendor conversation.
- Deliver and log. Send via secure channel, log the request and response in the patient's record.
What "complete record" means
- Demographics & contact info.
- Every visit summary, note, prescription, and order.
- Lab results, imaging, attached documents.
- Billing and payment history.
- Communications log (with caveats: internal staff notes may be exempt).
- Consent records and signed forms.
Sound like a lot? It is, manually. A platform with a "patient data export" button does it in seconds.
Verifying identity safely
- Government ID + the patient's recorded phone or email confirmation.
- For minors, parent/guardian per local law.
- For deceased patients, the executor with documentation.
- Never just an email reply; it is easily spoofed.
The right-to-delete reality
Full deletion of medical records is almost never legal. Most jurisdictions require retention for years (often 7-10 years after the last visit). A "deletion" request typically results in:
- Removal of marketing data and non-clinical metadata.
- Restriction of further processing.
- Anonymization where feasible.
- A clear written explanation of what was and wasn't deleted, and why.
Patients accept this once it's explained calmly. They don't accept silence.
Frequently Asked Questions
Quick answers to questions you may have.
Can I charge for fulfilling requests?
What format should I deliver in?
Do I have to include staff notes?
What if the patient wants to argue about what's in their record?
Does the request workflow apply to former patients?
How do I prove compliance if audited?
The summary
Patient data requests aren't a regulatory ambush. They're a routine workflow that, set up once, runs forever. The clinics that panic at every request are the ones without a workflow. The clinics that handle them in 15 minutes have one in place. Pair this with our HIPAA compliance mistakes piece for the broader posture.
Further reading: General Data Protection Regulation (GDPR) on Wikipedia.