HIPAA Right to Access Your PHI: Requests, Timelines, and Fees Explained
Timeliness of Access
Under HIPAA, you have the right to inspect and obtain a copy of your protected health information (PHI) held in a designated record set by Covered Entities: health plans, most health care providers, and health care clearinghouses.
Covered Entities must act on your request without unnecessary delay and generally no later than 30 calendar days after receiving it. If they cannot meet this deadline, a single 30-day extension is allowed, but only if you receive a written notice before the first 30 days expire explaining the reason and the new date.
Acting on a request means providing the records, sending a written denial that identifies your review rights, or issuing a compliant extension letter. The 30-day outer limit is not a grace period; entities are expected to provide access as soon as reasonably possible.
If state law requires a faster response, that shorter timeline controls, as explained under State Law Considerations.
Permissible Fees
HIPAA allows only a Reasonable Cost-Based Fee for copies of PHI. This fee must reflect actual, necessary costs of fulfilling your request and nothing more.
- Labor for copying: creating and transmitting paper or electronic copies, extracting PHI from an EHR, and packaging files for secure transmission.
- Supplies: paper, toner, envelopes, or external media such as a CD or USB if you request it.
- Postage: when you ask to have copies mailed to you.
- Preparing a summary or explanation if—and only if—you specifically request and agree to it.
Per-page charges are generally not appropriate for electronic copies. You may ask for a cost estimate in advance so you can choose the most economical delivery option.
Prohibited Costs
HIPAA imposes a clear Verification Costs Prohibition and bars charges that are unrelated to copying and delivering the records. The following are not permissible:
- Verification of identity, retrieval, and searching for records.
- Maintaining, storing, or licensing record systems, including EHR subscription or portal costs.
- Overhead not tied to copying, such as staff time to review records for legal risk or to handle routine intake.
- Fees to allow online portal access, subscription charges, or account set-up costs.
- Conditioning access on payment of unrelated past-due bills for care.
You also cannot be charged to inspect your PHI in person. Only copies and agreed summaries may incur a Reasonable Cost-Based Fee.
State Law Considerations
HIPAA sets a national floor, but State Law Precedence applies when a state rule is more protective of privacy or access. If a state mandates a faster turnaround, lower fee limits, or additional patient rights, the state requirement governs.
Conversely, if state law allows longer timelines or higher fees than HIPAA, the federal HIPAA standard controls and the less protective state rule is preempted. When in doubt, ask the provider to identify the specific legal authority for any timeline or fee they cite.
Format of Access
You can receive your records in the Readily Producible Format you request. If the PHI is maintained electronically, you are entitled to an electronic copy; common formats include PDF, text, or images delivered by secure portal, encrypted email, or on external media.
If your requested format is not readily producible, the Covered Entity must work with you to provide an alternative that is readily producible and acceptable to you. Requests for postal mail or unencrypted email are permitted if you accept the associated risks after being advised of them.
A provider may not require you to pick up records in person if you asked for mail or electronic delivery. The chosen format and method should prioritize timely access, usability, and security consistent with your preferences.
Exceptions to Access
HIPAA recognizes narrow situations where access may be denied. Two categorical exclusions are the Psychotherapy Notes Exemption and Legal Proceedings Documentation, meaning information compiled in reasonable anticipation of, or for use in, legal proceedings.
- Psychotherapy Notes Exemption: a clinician’s separate psychotherapy notes are excluded from the access right.
- Legal Proceedings Documentation: material prepared for or used in civil, criminal, or administrative actions is excluded.
- Endangerment: access may be denied if a licensed professional determines it is reasonably likely to endanger the life or physical safety of you or another person.
- Confidentiality of others: access may be limited to protect another person referenced in the record when serious harm is likely.
- Research: temporary suspension of access if you agreed in writing while participating in a research study.
- Inmates: access may be limited when providing a copy would jeopardize health, safety, security, custody, or rehabilitation in a correctional setting.
If access is denied for a reviewable reason, you must receive a written denial explaining the basis and how to request a timely review by a different licensed professional. In short, you have broad rights to your PHI in a Readily Producible Format, subject only to a Reasonable Cost-Based Fee and a few narrowly defined exceptions.
FAQs
What is the timeframe for responding to a PHI access request?
Covered Entities must act on your request without unnecessary delay and no later than 30 calendar days after receipt. A single 30-day extension is allowed with written notice explaining the reason and the new date. If state law requires a shorter timeline, that shorter period applies.
What fees can covered entities charge for PHI copies?
A Reasonable Cost-Based Fee limited to labor for copying, supplies, postage (if mailed), and preparing a summary or explanation if you specifically request and agree to it.
Are there any costs that HIPAA prohibits charging for access to PHI?
Yes. The Verification Costs Prohibition means you cannot be charged for verifying identity, searching for and retrieving records, maintaining or licensing systems, general overhead not tied to copying, portal subscriptions, or unrelated past-due balances. There is no fee to inspect your PHI in person.
How do state laws affect HIPAA rights to access PHI?
State Law Precedence applies when a state rule gives you more protection—such as a faster response time or lower fee caps—in which case that state requirement governs. If a state rule is less protective than HIPAA, the HIPAA standard preempts it.