HIPAA Patient Right of Access: Deadlines, Electronic Formats, and Reasonable Fees Explained
Understanding your HIPAA Patient Right of Access helps you get copies of your protected health information quickly, in the electronic formats you prefer, and at a reasonable, cost-based fee. Below, you’ll find the exact deadlines, format options, fee rules (including the $6.50 flat-fee option for ePHI), when access can be denied, how third-party requests work, and what covered entity obligations include for fee schedule disclosure and advance notice.
Deadlines for Access Requests
Covered entities must act on your request to access protected health information (PHI) within strict timelines. “Act on” means providing the copy (or arranging inspection) or issuing a written denial with reasons and review rights—not merely acknowledging your request.
- Standard deadline: 30 calendar days from receipt of your request.
- One extension permitted: up to an additional 30 calendar days, but only if you’re sent a written notice within the first 30 days that explains the reason for delay and gives a firm completion date.
Covered entities may not impose unreasonable measures that slow access (for example, requiring you to appear in person when mail or email is feasible, or demanding a notarized request when a signed one would do). They may, and should, verify the identity of the requester, but the verification step cannot become a barrier to access. These covered entity obligations also include logging and tracking requests so deadlines are met.
Electronic Formats for Access
If PHI is maintained electronically, you can ask for an electronic copy. The entity must provide your electronic protected health information (ePHI) in the form and format you request if it is readily producible; if not, you and the entity should agree on a readable alternative (for example, PDF, machine-readable text, or a secure portal download).
- Delivery options commonly include secure portal download, encrypted email, mailed media (CD/USB), or direct email. If you choose unencrypted email, the entity should warn you of the risk and confirm your preference, then honor it.
- Entities cannot require you to use a portal only, require in-person pickup, or refuse to mail or email copies when those are feasible. They may decline a delivery method that poses an unacceptable security risk to their own systems (the usual example is plugging in an unknown USB drive you supply, which could carry malware) and must then offer a reasonable alternative, such as media they provide or a portal download.
- When access is fulfilled using a certified EHR’s “view, download, and transmit” feature, no fee may be charged for that electronic access.
Reasonable Fees for Access
When you request copies (paper or electronic), a covered entity may charge only a reasonable, cost-based fee. That fee may include strictly limited components:
- Labor for copying (creating and delivering the copy in the requested form/format).
- Supplies (paper, toner, or electronic media if you request it on CD/USB).
- Postage (if you ask that the copy be mailed).
- Preparation of a summary/explanation only if you agree in advance and accept the fee.
Costs that may not be charged
- Search and retrieval, verification, documentation review, or record management/maintenance.
- System costs (hardware/software), capital expenses, or general overhead.
- Per-page fees for PHI maintained electronically (per-page fees can apply to paper copies only, and even then must reflect actual, reasonable, cost-based amounts).
State fee schedules do not override HIPAA’s “reasonable, cost-based fee” rule where they authorize charges that HIPAA does not permit; a state law that sets a lower fee is more protective and continues to apply. Covered entity obligations include ensuring the fee is cost-based and reasonable for every request.
Flat Fee for Electronic Copies
For requests by the individual for an electronic copy of PHI maintained electronically, entities may choose one of three calculation methods:
- Actual cost (case-by-case calculation).
- Average cost (a standard schedule based on typical requests).
- Optional flat fee up to $6.50 per request (a safe, simple alternative for ePHI maintained electronically).
The $6.50 amount is an optional flat fee, not a cap on every request. Entities may charge more than $6.50 only when using the actual-cost or average-cost method and only if they can document that the amount is reasonable and cost-based. The flat-fee option and the other patient-rate limits apply to the individual’s own access (or a personal representative’s request on the individual’s behalf); different rules apply when records are sent to non-representative third parties.
Denial of Access
Denials are allowed only in limited circumstances. Two categories are important: information excluded from the right of access and specific grounds for denial.
Excluded from access
- Psychotherapy notes kept separate from the medical record.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. Only the compilation itself is excluded; the underlying PHI in your designated record set (for example, the medical record the compilation draws on) remains accessible.
Unreviewable grounds for denial
- When the request is for the two excluded categories above.
- Requests by an inmate for a copy of PHI held by a correctional institution or a provider acting under its direction, where providing the copy would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or others.
- Temporary suspension during research that includes treatment if you agreed to the suspension when enrolling, with access restored after the study.
- Records subject to the federal Privacy Act when that law permits denial.
- Information obtained under a promise of confidentiality if access would likely reveal the source.
Reviewable grounds for denial
- A licensed health care professional determines, in the exercise of professional judgment, that access is reasonably likely to endanger your life or physical safety or that of another person.
- Access is reasonably likely to cause substantial harm to another person referenced in the PHI (other than a health care provider).
- Providing access to a personal representative is reasonably likely to cause substantial harm to the individual or another person.
When a denial is reviewable, the written denial must tell you how to request a review by a licensed health care professional designated by the covered entity who did not participate in the original decision, and the entity must abide by the reviewer’s determination. Even when some information is denied, the entity must provide the rest of the requested PHI after excluding the portion it is entitled to withhold.
Third-Party Requests
You may direct a covered entity to send your PHI to a third party by submitting a written, signed request that clearly identifies the recipient and where to send the copy. Since the 2020 federal court decision in Ciox Health v. Azar, this “third-party directive” applies only to electronic copies of PHI maintained in an electronic health record. For other third-party disclosures, the recipient typically needs a valid HIPAA authorization from you, unless another permission in the Privacy Rule applies.
A personal representative (someone with authority under applicable law to act on your behalf in health care matters) is treated as you for HIPAA purposes and can exercise the right of access, including directing copies to others, within the scope of that authority. Fee limits that apply to your own access also apply when a personal representative makes the request. By contrast, when PHI is sent directly to a non-representative third party at your direction, HIPAA’s patient-rate fee limits do not apply, and the third party may be charged a different fee.
Covered entity obligations for these requests include timely fulfillment, verifying the identity and authority of the requester, and using the requested form and format when it is readily producible.
Advance Notice of Fees
Before filling your request, the entity should tell you up front the approximate, cost-based fee that may apply given your chosen format and delivery method; OCR treats failure to give this notice as an unreasonable barrier to access. On request, the entity should provide an itemized estimate that breaks down labor, supplies, and postage. OCR guidance also calls for fee schedule disclosure: entities should post on their website, or otherwise make available, approximate fee schedules for common request types so you can make an informed choice about format and delivery before you ask.
Conclusion
HIPAA’s Right of Access gives you prompt timelines, control over electronic formats, and protection from excessive fees. Know your options, specify the form and delivery you want, and expect transparent, cost-based pricing—backed by clear advance notice and fee schedule disclosure.
FAQs
What is the deadline for covered entities to provide access to PHI?
They must act on your request within 30 calendar days by providing the copy or issuing a written denial. One 30-day extension is allowed only with a written explanation sent within the first 30 days that sets a firm completion date.
How can patients request their PHI in electronic format?
Submit a request that specifies the form and format (for example, PDF via secure portal, encrypted email, or mailed USB). If your choice is readily producible, the entity must honor it; if not, you and the entity should agree on a readable alternative. You may request unencrypted email after being warned of risks and confirming your preference.
When can a covered entity charge fees for access to PHI?
Only when providing copies (paper or electronic), and only a reasonable, cost-based fee limited to copying labor, supplies, postage, and an optional summary or explanation you approve in advance. They cannot charge for search and retrieval, verification, or general overhead, and they may not use per-page fees for PHI maintained electronically. Access through a certified EHR’s view, download, and transmit feature must be free.
What circumstances allow denial of PHI access?
The right of access does not extend to psychotherapy notes or to information compiled for a civil, criminal, or administrative action or proceeding. Other unreviewable denials cover certain correctional and research scenarios, Privacy Act limits, and information obtained under a promise of confidentiality. Reviewable denials may occur if access would be reasonably likely to endanger life or physical safety, cause substantial harm to another person referenced in the PHI, or cause substantial harm if provided to a personal representative; these denials carry a right to review by a licensed health care professional who did not take part in the original decision.