HIPAA Patient Right to Access Requirements: Timelines, Fees, and What You Must Provide


Kevin Henry

HIPAA

March 12, 2024


Timeliness of Access

Covered entities must provide individuals access to their protected health information (PHI) in a designated record set as soon as practicable and no later than 30 calendar days from receipt of a request. You must either provide the requested access or issue a written denial within this timeframe.

If you cannot meet the 30-day deadline, a single extension of the access deadline of up to 30 additional calendar days is permitted. To use this extension, you must, within the original 30 days, send the individual a written notice that explains the reason for delay and the specific date by which you will provide access.

Timely access applies to inspection, paper copies, and electronic copies alike. You may require reasonable identity verification, but you cannot impose barriers such as in‑person pickup only, notarization, or proprietary online portals as the sole submission method.

State laws that are more protective of individuals (for example, shorter turnaround times) control. When in doubt, follow the more stringent standard.

Fees for Copies

HIPAA allows a reasonable cost-based fee for providing copies of PHI. This fee may include only: (1) labor for copying and preparing the copy (paper or electronic), (2) supplies such as paper, toner, or a CD/USB, (3) postage if the copy is mailed, and (4) preparation of a summary or explanation if the individual agrees in advance to receive—and pay for—that summary.

Charges that are not permitted include fees for searching for, retrieving, or otherwise maintaining the data, as well as costs to verify identity, maintain systems, or manage portals. For electronic copies, per-page fees are not appropriate because they do not reflect actual copying labor.

You may calculate the fee using actual costs for the specific request or a documented schedule of average costs that reflects typical labor and supply expenses. A flat fee for a standard electronic copy may be used if it is demonstrably a reasonable cost-based fee. On request, provide an itemized breakdown showing each cost element.

You cannot condition access on payment of unrelated bills for health care services. You may, however, require prepayment of the allowable copying fee for that specific request before providing the copy.

Format of Access

You must provide access in the form and format requested by the individual if the PHI is readily producible that way; otherwise, provide an agreed-upon readable alternative. If multiple readily producible options exist, the individual chooses.

Electronic access should be delivered in a readily accessible format such as PDF, text, or via secure portal. If an individual asks for email delivery and acknowledges the security risks of unencrypted email, you must accommodate the request and document the individual’s preference.

Individuals may inspect PHI in person and request copies. You may also offer a summary or explanation in lieu of the full record if the individual agrees in advance to the summary and to any associated reasonable cost-based fee.

Third-party directives and authorization

An individual may direct you, in a written and signed request, to transmit a copy of PHI to a designated third party (for example, a caregiver or an app). This is part of the right of access and does not require a HIPAA authorization. When a third party requests PHI directly from you, patient authorization requirements apply unless another HIPAA permission (such as for treatment) applies.


Exceptions to Access

HIPAA excludes two categories from the right of access: (1) psychotherapy notes kept separately by a mental health professional, and (2) information compiled in reasonable anticipation of, or for use in, a legal proceeding. These are not subject to individual access.

Other limited grounds permit denial of access, some of which are reviewable by another licensed health care professional. Reviewable denials include situations where a licensed professional determines that access is reasonably likely to endanger the life or physical safety of the individual or another person, or where access is likely to cause substantial harm to another person referenced in the record or to the individual when requested by a personal representative.

Unreviewable denials include certain correctional institution limitations where providing a copy would jeopardize safety, and temporary suspensions of access to research records if the individual agreed to the suspension during a clinical trial, with access restored at the end of the study.

For any denial of access, you must provide a timely, written denial that states the basis for the denial, whether the individual has a right to review, how to exercise that review, and how to file a complaint. You must also provide access to any portions that can be reasonably segregated and are not subject to the denial.

Advance Notice of Fees

Before fulfilling a request, inform the individual of any applicable charges and offer lower‑cost alternatives (for example, an electronic copy instead of paper). On request, provide a written, itemized estimate that shows each component of the reasonable cost-based fee.

Obtain the individual’s agreement before charging for optional services like summaries or expedited shipping. Do not surprise bill. You may require prepayment of the disclosed, allowable fee, but you may not deny access because the individual has unpaid medical bills unrelated to the copying request.

Enforcement of Access Rights

The Office for Civil Rights (OCR) has made enforcement of timely, affordable access a priority. OCR investigates complaints, requires corrective action plans, and may impose civil monetary penalties for noncompliance. Patterns of unreasonable delays, improper denial of access, or impermissible fees are frequent enforcement triggers. State attorneys general may also bring actions under HIPAA and state law.

To reduce risk, implement clear policies, staff training, and tracking for requests; standardize fee calculations; and document every step, from receipt to fulfillment or denial. When an extension of the access deadline is necessary, send the required written notice promptly and meet the new date. Always provide as much access as permissible, even when a partial denial is justified.

Conclusion

Deliver requested PHI quickly, in the individual’s preferred format when feasible, and at a reasonable cost-based fee. Use the single permitted extension only when necessary and with proper notice, avoid impermissible charges, and limit denial of access to the narrow exceptions HIPAA allows. Strong procedures and transparent communication help you meet legal requirements and support patient trust.

FAQs

What is the required timeframe for providing access to PHI?

You must act on a request within 30 calendar days by providing access or issuing a written denial. If you cannot meet the 30 days, you may take one extension of up to 30 additional days, but only if you send a written notice within the original 30 days explaining the reason and stating the date you will complete the request.

How are fees for copying PHI determined?

Fees must be a reasonable cost-based fee limited to copying labor, supplies, postage if mailed, and any summary the individual agrees to receive. You may not charge for searching, retrieving, verifying, or maintaining systems. Per-page fees are not appropriate for electronic copies because they do not reflect actual copying costs.

When can access to PHI be denied under HIPAA?

Access can be denied for psychotherapy notes and information compiled for litigation. Other limited grounds allow denial—such as when a licensed professional determines that access is reasonably likely to endanger someone’s life or physical safety—but many of these are subject to review by another licensed professional. Even with a denial, you must provide any segregable information not subject to the denial.

What penalties apply for failure to comply with access requirements?

OCR can require corrective actions, monitor compliance, and impose civil monetary penalties. Repeated delays, improper denial of access, or impermissible fees increase enforcement risk. Individuals may also file complaints with OCR, and state attorneys general can take action under HIPAA and state law.
