From the HIPAA Weekly Advisor (Briefings on HIPAA):
Q: When patients request copies of their medical records, should covered entities release only the records that they generated and withhold information from other sources? If so, which HIPAA regulation addresses this topic?
A: Covered entities may not withhold documents they include as part of a patient’s medical record, irrespective of the source.
One misconception about HIPAA is that it allows patient access only to information generated by a covered entity and not to any additional information that outside sources contribute to the medical record. Any policy that prohibits access to medical record information created by a provider or other third party is indefensible and is in violation of the HIPAA privacy rule.
Refer to 45 CFR 164.501 (definition of a designated record set) and 45 CFR 164.524 (individual’s right to access his or her designated record set).