HIPAA Right of Access: Patient Record Request Rules and Timelines
The HIPAA right of access (45 CFR 164.524) is one of the most actively enforced provisions in the entire rule. Since 2019, OCR’s Right of Access Initiative has produced dozens of settlements against providers — many of them small practices — for failing to give patients timely, affordable copies of their own records. Unlike abstract security requirements, this obligation generates complaints from real patients, and OCR treats those complaints as straightforward, high-visibility enforcement.
What patients are entitled to
Patients and their personal representatives can inspect and obtain a copy of PHI in the designated record set — the medical and billing records used to make decisions about them. If records are maintained electronically, the patient may request an electronic copy in the form and format they ask for, provided it is readily producible. Access covers the information itself, not the physical document, so a portable format the patient can actually use is the point.
The 30-day clock
A covered entity must act on a request within 30 calendar days. One 30-day extension is allowed, but only if the entity notifies the patient in writing of the delay and the reason within the original 30 days. There is no second extension. Where state law sets a shorter deadline, the more stringent rule controls — so a 30-day federal ceiling does not excuse missing a 15-day state requirement.
Fee limits — a frequent violation
Fees must be reasonable and cost-based, limited to labor for copying, supplies, and postage. They may not include retrieval or search costs, and they may not be inflated to discourage requests. OCR’s guidance describes a flat $6.50 option for electronic copies of electronically maintained records. Overcharging is itself a violation and has been the trigger in multiple Right of Access settlements.
Third-party directives, denials, and security
Patients may direct a copy to a third party through a signed, written request. Lawful denials are narrow — psychotherapy notes or records compiled for litigation, for example — and most must be written, explain the basis, and describe review and appeal rights. Demanding a subpoena, requiring a non-standard form, or insisting on payment before starting are common unlawful obstacles. Fulfilling requests securely depends on Security Rule controls — verifying the requester’s identity, transmitting over encrypted channels, and logging access — which flow from the Security Risk Analysis required at 45 CFR 164.308(a)(1)(ii)(A). A documented analysis is what tells you whether your release-of-information workflow actually protects PHI in transit. Pair this with disciplined medical records storage practices so records are both findable and protected.
The proposed 2026 Security Rule update
The December 2024 Security Rule NPRM would tighten safeguards around how ePHI is accessed and transmitted, making encryption and multi-factor authentication effectively mandatory rather than addressable. It is a proposal, not final; a roughly 240-day compliance window would follow publication of any final rule. Secure delivery of patient records sits squarely within that scope.
How Medcurity helps
Medcurity helps practices build the documented Security Risk Analysis and policies — including release-of-information and identity-verification procedures — that keep record requests both compliant and secure. Pricing is $499/year (about $42/month); larger organizations can request a quote. Many teams pair this with our HIPAA compliance checklist to operationalize the requirements.
Frequently Asked Questions
How long does a provider have to respond to a records request?
Thirty calendar days, with one permitted 30-day extension only if the patient is notified in writing of the delay and reason within the first 30 days. There is no second extension, and many state laws require a faster turnaround.
How much can a provider charge for copies of records?
Only reasonable, cost-based fees for labor, supplies, and postage — never retrieval or search fees. OCR guidance describes a flat $6.50 option for electronic copies of records that are maintained electronically.
Can a patient have records sent to a third party?
Yes. A patient may direct a copy to a third party through a signed, written request that clearly identifies the recipient and where to send the records.
When can a provider lawfully deny access?
Only in narrow circumstances such as psychotherapy notes or information compiled for litigation. Most denials must be in writing, state the basis, and describe the patient’s review and appeal rights.