How Long Do Clinics Have to Respond to a Medical Records Request?
Most clinics learn the HIPAA “right of access” timelines the hard way, usually when a patient is frustrated, an attorney is involved, or an OCR complaint arrives. The key point is simple: HIPAA does not give covered entities unlimited time to “get around to it.” It sets a firm deadline for action, allows only one limited extension, and expects you to avoid administrative friction that effectively blocks access.
Informational note: This article is for informational purposes only and does not constitute legal advice.
The core HIPAA timeline
Under the HIPAA Privacy Rule, a clinic must act on an individual’s request for access no later than 30 calendar days after receiving the request. “Act on” is not vague. It means you either provide the requested access (in whole or in part) or you issue a written denial for any portion you are not providing.
HIPAA allows one, and only one, extension of time. If you cannot act within the initial 30 days, you may take up to an additional 30 calendar days, but only if you provide the individual, within the initial 30-day period, a written statement explaining the reason for the delay and the date by which you will complete your action. In practice, this extension is meant for real constraints, such as records archived offsite or otherwise not readily accessible. It is not meant to normalize slow internal processes.
Two details matter operationally:
First, the clock starts when you receive the request, not when someone finally reads it. If requests funnel into a generic inbox or sit at a front desk for a week, you are burning your compliance window with no benefit.
Second, “30 days” is calendar days. It is not business days. Your internal workflow should be designed with calendar-day math in mind.
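To make the calendar-day arithmetic and the extension conditions concrete, here is a small deadline checker. It is an added example written for this article, not code from HHS, OCR or any vendor, and the request fields, dates and function names are assumptions chosen for illustration. It encodes only the rules stated above: 30 calendar days from receipt, one extension of up to 30 more calendar days, and an extension that counts only if the written notice went out inside the initial window.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Rules from 45 CFR 164.524(b)(2) as summarized in this article.
INITIAL_WINDOW_DAYS = 30   # act no later than 30 calendar days after receipt
EXTENSION_DAYS = 30        # one extension of up to 30 additional calendar days


@dataclass
class AccessRequest:
    """Assumed record shape for one right-of-access request (not a real system's schema)."""
    received: date                                   # clock starts on receipt, not first read
    extension_notice_sent: Optional[date] = None     # date the written delay notice went out
    extension_completion_date: Optional[date] = None # completion date promised in that notice
    acted_on: Optional[date] = None                  # access provided or written denial issued


def initial_deadline(req: AccessRequest) -> date:
    """Calendar-day math only: no business-day adjustment, weekends count."""
    return req.received + timedelta(days=INITIAL_WINDOW_DAYS)


def extension_problems(req: AccessRequest) -> list:
    """Reasons a claimed extension does not count (empty list means it is valid)."""
    if req.extension_notice_sent is None or req.extension_completion_date is None:
        return ["no extension claimed"]
    problems = []
    if req.extension_notice_sent > initial_deadline(req):
        problems.append("written notice of delay sent after the initial 30-day window")
    latest_allowed = initial_deadline(req) + timedelta(days=EXTENSION_DAYS)
    if req.extension_completion_date > latest_allowed:
        problems.append("stated completion date exceeds the single 30-day extension")
    return problems


def effective_deadline(req: AccessRequest) -> date:
    """The date that actually binds: the promised completion date if the extension was
    properly claimed, otherwise the original 30-day deadline (a defective extension buys nothing)."""
    claimed = req.extension_notice_sent is not None and req.extension_completion_date is not None
    if claimed and not extension_problems(req):
        return req.extension_completion_date
    return initial_deadline(req)


def days_remaining(req: AccessRequest, today: date) -> int:
    """Negative when the request is already past its binding deadline."""
    return (effective_deadline(req) - today).days


def compliance_status(req: AccessRequest, today: date) -> str:
    deadline = effective_deadline(req)
    if req.acted_on is not None:
        return "on time" if req.acted_on <= deadline else "late"
    return "open" if today <= deadline else "overdue"


if __name__ == "__main__":
    # Constructed sample requests; dates are arbitrary and chosen for illustration.
    plain = AccessRequest(received=date(2024, 3, 1))
    print("initial deadline:", initial_deadline(plain), "weekday", initial_deadline(plain).weekday())

    late_notice = AccessRequest(received=date(2024, 3, 1),
                                extension_notice_sent=date(2024, 4, 2),
                                extension_completion_date=date(2024, 4, 20))
    print("late notice problems:", extension_problems(late_notice))
    print("binding deadline despite the 'extension':", effective_deadline(late_notice))
    print("status on 2024-04-05:", compliance_status(late_notice, date(2024, 4, 5)))
```

The point the checker makes that the prose only states: a request received on 1 March 2024 is due on 31 March 2024, a Sunday, because the count is in calendar days, and a delay notice sent on 2 April does not extend anything, so a request "extended" that way is already overdue.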
What information must be provided?
HIPAA’s right of access applies to the individual’s protected health information (PHI) in a “designated record set.” That definition is broader than many clinics assume. For healthcare providers, it includes the medical records and billing records maintained by or for the provider, and it also includes other records used, in whole or in part, to make decisions about individuals.
This has two practical consequences.
One is scope. Patients are often entitled to more than the last visit note. Billing records, intake information, images, and other materials used to make decisions about the patient are typically inside the designated record set concept.
The second is location. PHI is still subject to access even if it is old, stored remotely, or archived. “It’s in the old system” is not a HIPAA exception. If you maintain it in a designated record set, it is within scope.
HIPAA does include limited exceptions and grounds for denial, including psychotherapy notes and certain information compiled in reasonable anticipation of, or for use in, civil, criminal, or administrative action or proceeding. The right of access is broad, but it is not unlimited. The safest approach is to treat denials as exceptional and to document the specific regulatory basis whenever you deny all or part of a request.
What you can require from the requester, and what you should not require
HIPAA allows covered entities to require requests for access to be in writing, as long as you inform individuals of that requirement. You may also require a request to be submitted on your own form, but only if that form requirement does not create a barrier to access or unreasonably delay access. In other words, your process can be structured, but it cannot be obstructive.
HIPAA also requires you to take reasonable steps to verify the identity of the person making the request. The rule does not mandate a single verification method. It leaves the method to your discretion and professional judgment, but it draws a clear boundary: your verification process cannot be so burdensome that it functions as a barrier.
OCR’s guidance gives concrete examples of unreasonable measures. For instance, if someone wants a copy mailed to their home, requiring them to come in person just to request access and show ID can be an unreasonable barrier. Requiring all patients to use a portal to request access is another common mistake, because not all individuals have ready access to a portal. Requiring requests to be mailed can also create unnecessary delay by slowing your receipt of the request.
A defensible approach is to offer multiple channels for requests, keep verification proportional to the risk, and ensure your process is designed to move the request forward rather than create friction.
Form, format, and delivery matter just as much as timing
Meeting the 30-day timeline is necessary, but it is not sufficient if you ignore the form and format rules.
HIPAA generally requires you to provide access in the form and format the individual requests if it is readily producible in that form and format. If it is not readily producible, you must provide it in a readable hard copy form or another form and format the clinic and individual agree to.
There is an additional, stronger requirement when the PHI is maintained electronically. If the information is maintained in one or more designated record sets electronically and the individual requests an electronic copy, you must provide the electronic copy in the form and format requested if readily producible, or if not, in a readable electronic form and format agreed to by the clinic and the individual.
This matters because a common access failure is forcing an electronic-world request into a paper-world response. For example, a clinic may offer portal access when a patient asked for a PDF. Portal access can satisfy the access right if the patient agrees to it. But if the patient declines and the PDF is readily producible, HIPAA expects you to provide the PDF.
Delivery channel is part of this. Email, portals, portable media, and apps can all be viable ways to deliver access depending on what is requested and what is readily producible. HIPAA does not require you to purchase new software to satisfy every conceivable format request, but it does require you to have the capability to provide some form of electronic copy when you maintain PHI electronically.
Directing records to a third party
HIPAA’s right of access also allows an individual to request that the clinic transmit the individual’s PHI directly to another person or entity designated by the individual. This is often used to send records to another provider, an attorney, an insurer, or a health app.
When an individual uses this right, the request must be in writing, signed by the individual, and clearly identify the designated person or entity and where to send the PHI.
OCR’s current position in its right-of-access FAQs is that the same right-of-access provisions apply when an individual directs PHI to a third party, including the requirements around timeliness, form and format, bases for denial, and fee limitations. Operationally, treat these as access requests with a destination field, not as a separate category you can slow-walk or reprice.
Fees: what you can charge, what you cannot charge, and why clinics get this wrong
HIPAA allows a clinic to charge a reasonable, cost-based fee when an individual requests a copy of PHI, or agrees to a summary or explanation. The fee is tightly limited to specific categories. In general, it may include labor for copying, supplies (including portable media if the patient requests portable media), postage when mailing is requested, and preparing an explanation or summary if the individual agrees in advance.
The most common fee compliance mistakes are charging for activities HIPAA does not allow. OCR guidance makes clear that “labor for copying” does not include the costs of reviewing the request, verifying the request, searching for and retrieving the records, or otherwise doing the internal work to locate and prepare responsive information. Those activities may feel like labor, but HIPAA does not allow you to pass those costs to the individual under the right of access fee limits.
HIPAA also expects transparency. OCR warns that failing to provide advance notice of fees that may impact the form, format, or manner of access can be an unreasonable measure that becomes a barrier to access. If you charge fees, you should be able to explain them, and the clinic should be able to produce a breakdown when requested.
For electronic copies of PHI maintained electronically, OCR provides an optional approach that many clinics use because it is simple: you may charge a flat fee not to exceed $6.50 per request for an electronic copy of PHI maintained electronically. OCR has also clarified that this $6.50 flat fee option is not a universal fee cap for every request and every scenario. It is a permitted option for a specific category of request.
Denials, partial denials, and “we cannot do that”
If you deny all or part of an access request, HIPAA requires a written denial that includes specific content, including the basis for the denial and information about any rights the individual has to have the denial reviewed (where applicable), as well as how to file a complaint. Denials are not supposed to be casual. If you are going to deny, you should be able to point to the regulatory basis and document it.
In practice, clinics often deny by accident rather than intent. The most common “accidental denials” are insisting the patient must come in person, refusing to send electronic copies when the records are electronic, requiring portal-only access, or refusing to send records to a third party when the request meets the written and signed directive requirements. OCR has repeatedly signaled, through enforcement and guidance, that these are not minor technicalities. They go to the core of the right of access.
A defensible workflow that meets HIPAA without administrative bloat
A workable access program for a small clinic is less about legal nuance and more about process engineering.
Start by treating access requests as time-sensitive work items with a single owner. The clock starts on receipt, so request intake must be reliable. This is why clinics with a single intake channel and a clear handoff to a designated owner tend to outperform clinics with informal “tell the front desk” processes.
Next, verify identity in a way that fits the request channel and the risk, but do not force in-person steps when the request is otherwise straightforward. OCR explicitly discourages measures that function as barriers. This is where offering multiple channels helps. Email and portal-based requests can work, and a request made from an authenticated portal session can piggyback on the portal’s existing login controls. A plain email request carries no such assurance, because the sender address is not proof of identity, so pair it with a proportionate check (for example, confirming details already on file) rather than treating an in-person visit as the only acceptable answer.
Then resolve scope quickly. A large share of delays come from ambiguity about what is being requested. A short clarification step early can prevent weeks of back-and-forth later.
Finally, produce the records in the requested form and format if readily producible, deliver them through the agreed channel, and document what you did. The documentation is not ceremonial. It is the proof you rely on if the patient disputes timing, alleges noncompliance, or files a complaint.
If you are running this through spreadsheets and inbox searches, you will eventually miss a deadline. Tools exist to track deadlines, document actions, and keep the access workflow from becoming an improvisational exercise. That is where a platform like Timber can help without changing your legal obligations.
Sources
45 CFR § 164.524 (Access of individuals to protected health information, including timeliness, form and format, third-party directives, fees, and denials).
HHS OCR FAQ: “How timely must a covered entity be in responding to an individual’s request for access to PHI?”
HHS OCR Guidance: Individuals’ Right under HIPAA to Access their Health Information (designated record set, timeliness, extensions, verification, unreasonable measures, form and format, fee transparency).
45 CFR § 164.501 (Definition of “designated record set”).
HHS OCR FAQ: What personal health information do individuals have a right to access?
45 CFR § 164.524(c)(4) and HHS OCR FAQ on allowable fees (what may be included and what may not).
HHS OCR FAQ: Flat fee option for electronic copies maintained electronically (up to $6.50) and clarification that it is an option, not a universal cap.
HHS OCR FAQ: Right to direct PHI to a third party (written, signed request that identifies recipient and destination).
HHS OCR FAQ: Third-party directives and how right-of-access provisions apply.
HHS OCR Guidance: Access right, health apps, and APIs (individual-directed transmission to third-party apps, including via unsecure channels).