HIPAA Medical Records Access Rules for Providers: Processing Requests, Deadlines, Fees, and e‑Copy Formats
Medical Records Access Deadlines
As a covered entity, you must provide individuals with access to their designated record set without unreasonable delay and no later than 30 calendar days from receiving a request. This outer limit applies whether records are on-site, off-site, or archived, and it covers both paper and electronic health information.
If you cannot meet the initial deadline, HIPAA permits one extension of up to 30 additional days. To use it, you must send an extension notification before the original due date that explains the reason for delay and states a specific completion date. Track these dates, because missing them is a common right‑of‑access compliance failure.
Respond sooner whenever feasible. If only part of the record is readily available, provide that portion while you finish the remainder. When a patient directs you to send records to a third party, the same deadline and extension notification requirement apply.
Processing Medical Records Requests
Design your workflow so patients can exercise their right of access easily and consistently. Your process should cover intake, verification, fulfillment, and documentation while avoiding unreasonable barriers.
Intake and request methods
- You may require that access requests be in writing, provided you inform individuals of that requirement; accept written requests through multiple channels (portal, email, mail, fax, or in person). Do not require in‑person pick‑up or use of a specific portal if the patient prefers another method.
- Requests need not cite HIPAA or provide a reason; a clear description of what the patient wants is sufficient. Offer simple forms to help patients specify date ranges, types of records, and the desired delivery method.
Identity verification without barriers
- Verify identity using reasonable measures (e.g., known information, photo ID at pick‑up, portal authentication). Avoid burdensome steps such as notarization or requiring proprietary apps.
- If a personal representative requests access, confirm authority under applicable law before proceeding.
Scope of access
- Provide information in the designated record set, including medical and billing records and other records used to make decisions about the individual. Psychotherapy notes and information compiled in reasonable anticipation of litigation fall outside the right of access.
- If the patient asks for specific items (e.g., visit notes, lab results, imaging), limit the response accordingly to speed fulfillment.
Direction to a third party
- When the PHI is in an EHR, honor a patient’s written, signed directive to send an electronic copy to a designated third party. The request must clearly identify the recipient and where to send the information.
Documentation
- Log receipt dates, identity verification steps, what was released, to whom, in what format, fees assessed, and the date fulfilled. Retain copies of any extension notice and denial letter.
Fee Calculation and Limitations
HIPAA allows reasonable cost‑based fees for copies provided to individuals (or their personal representatives). Your fee may include only certain components tied to the act of copying.
What a reasonable cost‑based fee may include
- Labor for copying (for example, photocopying or scanning paper records, converting electronic records to the requested format, and transferring the copy to media, a portal, or an email). Labor spent locating, retrieving, or reviewing the records is not chargeable.
- Supplies (paper, toner, CD, DVD, or USB) when used to fulfill the request.
- Postage, if the individual asks for mailing.
- Preparation of a summary or explanation, but only if the individual agrees in advance.
Prohibited fee components
- Search, retrieval, and access fees (including “chart pull” or archival retrieval charges).
- Costs for maintaining systems, portals, or EHR subscriptions.
- Verification, documentation, or handling fees unrelated to copying.
- Per‑page fees for electronic copies of PHI maintained electronically.
Permissible calculation methods
- Actual cost: Calculate the specific labor, supplies, and postage for the request.
- Average cost: Use a reasonable fee schedule that reflects the typical labor time and supply costs for standard request types.
- Flat fee (electronic copies of ePHI to the patient): You may charge a flat fee not to exceed $6.50 as a simple alternative. This option is voluntary; you may instead use actual or average cost methods.
Advance fee disclosure
- Provide a clear, advance fee disclosure before fulfilling the request, including your cost method, any per‑request estimate, and lower‑cost alternatives (e.g., secure portal download instead of mailed media).
- Publish or make available a fee schedule upon request, and obtain approval if the estimate changes materially. Transparent, advance fee disclosure reduces disputes and supports compliance.
Providing Electronic Copy Formats
Provide the copy in the form and format requested by the individual if it is readily producible. If not, offer a readable alternative that is readily producible and acceptable to the individual. Strive to meet the patient’s preference whenever possible.
Common readily producible formats
- Electronic documents: PDF, text, or readable HTML.
- Structured clinical data: C‑CDA or via an API (e.g., FHIR‑based patient access to EHR data) to a chosen app.
- Imaging: DICOM files or JPEG/PNG copies if requested and feasible.
Transmission methods
- Secure portal download, secure email, Direct messaging, or API access to the patient’s designated application.
- If a patient requests unencrypted email after being advised of the risks, you may send it to the address they specify.
- If you cannot accept patient‑supplied portable media (e.g., USB) for security reasons, provide an alternative such as portal download, encrypted email, or your own media.
Form and format nuances
- Do not force paper if an electronic copy is readily producible.
- You are not required to create a new record or custom report, but you must export information in a readily producible format from the designated record set.
Denial of Access Conditions
Access may be denied only on the specific grounds listed below, and even then you must follow the procedural safeguards in the denial process. Provide any portions not subject to denial and explain the basis for any withheld material.
Unreviewable denials
- Psychotherapy notes.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
- Research records, if access is temporarily suspended during a study consistent with the signed consent and the individual will regain access upon study completion.
Reviewable denials
- A licensed health care professional determines that granting access is reasonably likely to endanger the life or physical safety of the individual or another person.
- The records reference another person (not a provider) and access is reasonably likely to cause substantial harm to that person.
- A personal representative’s access is reasonably likely, in your professional judgment, to cause substantial harm to the individual or another person.
Denial process
- Provide a timely, plain‑language written denial explaining the specific basis, the individual’s right to a review (for reviewable denials), how to request that review, and how to file a complaint with you and with HHS.
- Offer summary or alternative access if the individual agrees, and release non‑denied portions promptly.
Patient Rights and Corrections
Patients have a right to inspect and obtain copies of their PHI and to request corrections when they believe information is inaccurate or incomplete. Your role is to make this process accessible and timely.
Amendment timelines and process
- Respond to amendment requests within 60 days; one 30‑day extension is allowed with written notice explaining the delay and providing a new due date.
- If you accept an amendment, append or link it to the affected records and, upon the patient’s request, send the amendment to relevant parties, including business associates, who may rely on the information.
- If you deny an amendment, send a written denial stating the basis and inform the individual of the right to submit a statement of disagreement and to request that you include their request and your denial in future disclosures.
No unreasonable barriers
- Do not require patients to state a reason to access records.
- Keep identity verification reasonable and avoid steps that deter legitimate access.
State Law Compliance for Fees
HIPAA sets a floor for patient access. When state law is more protective of access—such as imposing lower fee caps or shorter deadlines—you must follow the more stringent state standard. When state law allows higher charges or per‑page pricing that conflicts with HIPAA’s reasonable cost‑based fees for individuals, HIPAA controls.
- For electronic copies of ePHI, do not assess per‑page fees even if state schedules include them.
- For paper copies, per‑page fees may be used only if they reflect actual cost and do not exceed more protective state caps.
- Third‑party requests that fall outside HIPAA’s individual right of access (e.g., subpoenas without patient direction) are generally governed by state law; apply those fee rules separately from HIPAA access requests.
- Maintain and periodically update a state‑by‑state fee reference to ensure your reasonable cost‑based fees and advance fee disclosure align with more stringent state requirements.
FAQs
What is the deadline for providing medical records under HIPAA?
You must provide access without unreasonable delay and no later than 30 calendar days after receiving the request. If you need more time, you may take one 30‑day extension by sending a written notice before the original deadline that explains the reason and gives a specific new date.
How are fees for medical records copies calculated?
Charge only reasonable cost‑based fees: labor for copying, supplies, and postage if mailed. Exclude retrieval, verification, and system maintenance costs. Use actual cost, an average cost schedule, or a flat fee of up to $6.50 for electronic copies of ePHI provided directly to the patient.
What formats can medical records be provided in?
Provide the copy in the form and format requested if readily producible—commonly PDF, readable text/HTML, C‑CDA or other structured export, and DICOM for imaging. If not readily producible, offer a readable alternative format the patient accepts, delivered by a method such as portal download, secure email, or encrypted media.
When can access to medical records be denied?
Deny access only under narrow conditions. Unreviewable denials include psychotherapy notes and information prepared for litigation. Reviewable denials apply when a licensed professional determines access is reasonably likely to endanger life or physical safety or cause substantial harm to another person. Provide written reasons, explain review rights when applicable, and release any non‑denied portions.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.