Right of Access Under 42 U.S.C. 17935(e): Compliance Guide



Kevin Henry

HIPAA

July 19, 2024


Overview of 42 U.S.C. 17935(e)

Under 42 U.S.C. 17935(e), individuals have the right to obtain an electronic copy of their protected health information (PHI) when you use or maintain an electronic health record (EHR). They may also direct you to transmit that electronic copy to a person or entity they designate. This right complements the HIPAA Privacy Rule’s access provisions in 45 C.F.R. § 164.524 and is central to patient health information access.

The right of access applies to PHI in the designated record set, including medical, billing, and other records used to make decisions about individuals. It covers PHI held in your EHR and in other systems that form part of the designated record set. Business associates must support access as required by their agreements and applicable rules, ensuring HITECH Act compliance across your ecosystem.

Key terms you should know

  • Protected health information (PHI): Individually identifiable health information maintained or transmitted in any medium.
  • Electronic health records (EHR): Electronic repositories of clinical data used to manage care and decisions.
  • Designated record set: Records you use to make decisions about individuals (for example, medical and billing records).
  • Third-party directive: An individual’s written, signed instruction that you send PHI directly to another person or entity.

Procedures for Electronic PHI Access

Intake and identity verification

Accept access requests through multiple convenient channels (portal, email, mail, in person, or phone where feasible). You may require written requests, but your process must not create unreasonable barriers. Verify identity using reasonable procedures that fit the risk—avoid burdensome requirements that delay access.

Scope and format determination

Confirm the scope of PHI requested from the designated record set and clarify the preferred electronic form and format. Provide the e-copy in the requested form and format if readily producible; otherwise offer an agreed alternative (for example, readable PDF, portal download, Direct secure messaging, FHIR API export, or encrypted media).

Fulfillment workflow

  • Locate PHI across EHR modules and connected systems (labs, imaging, ancillary platforms).
  • Exclude items not subject to access (for example, psychotherapy notes or information compiled for legal proceedings).
  • Quality-check for completeness and ensure the output is usable by the individual.
  • Transmit via the designated method, applying appropriate data transmission security safeguards.

Fees and communications

If you charge a fee, it must be reasonable and cost-based, limited to labor for copying, supplies for media, and postage when applicable. Do not charge retrieval or access fees. Provide clear estimates in advance and document the individual’s consent to any fee.

Documentation

  • Record the request date, identity verification steps, scope, format, delivery method, and completion date.
  • Retain copies of correspondence, fee calculations, and any notices of delay or denial (including review outcomes).

Obligations of Covered Entities

As covered entities, you must provide individuals with timely, workable access to PHI and may not impose unreasonable measures that serve as barriers. You must furnish PHI in the requested electronic form and format if readily producible, or offer a mutually agreeable alternative.

  • Honor third-party directives that are clear, conspicuous, and specific, and that include the recipient and destination.
  • Apply a reasonable, cost-based fee only; never charge per-page fees for electronic copies of EHR data.
  • Provide a summary or explanation of PHI only if the individual agrees and understands any associated fee.
  • Maintain policies, workforce training, and audits to ensure consistent patient health information access.
  • Oversee business associates so they support access requests without delay or obstruction.

Denials and review

When access is denied based on permitted grounds, issue a timely, written denial explaining the basis and how the individual may seek review (if review is available) or file a complaint. Offer any segregable portions that are not subject to the denial.

Directing PHI Transmission

Accepting third-party directives

Individuals may instruct you, in a written and signed request, to send their electronic PHI directly to a third party. The directive must clearly identify the recipient and the destination (for example, email address, API endpoint, or mailing address for media). Treat these directives with the same priority as direct-to-patient requests.


Method and practicality

  • Use the individual’s requested transmission method if readily producible and secure for your systems.
  • If a requested method poses unacceptable risk to your systems (for example, unknown USB drives), offer a secure alternative that still meets the request’s intent.
  • For unencrypted email chosen by the individual, advise of the potential risk and proceed if the individual still prefers that method.

Safeguards and recordkeeping

  • Confirm recipient details and document the directive and the transmission steps.
  • Retain evidence of the individual’s request, warnings given (if any), and the date and method of transmission.

Timing and Security Requirements

Timeliness

Act on access requests no later than 30 calendar days from receipt. If you cannot meet the 30-day timeframe, you may take one 30-day extension by providing a written explanation before the initial period ends and giving a specific completion date. Fulfill sooner whenever feasible, especially for urgent care needs.

Data transmission security

Use reasonable safeguards to protect electronic PHI in transit and at rest. Encrypt transmissions and media when practicable; verify recipient addresses; and log disclosures. The “minimum necessary” standard does not apply to disclosures to the individual, but you must still confirm identity and use secure processes.

Operational controls

  • Track deadlines and automate reminders to prevent lapsed responses.
  • Standardize templates for estimates, delay notices, and denials with review rights.
  • Monitor metrics (turnaround time, completion rate, complaints) to identify and correct bottlenecks.

HITECH Act Compliance

Core alignment

HITECH Act compliance includes enabling electronic copies from your EHR, honoring third-party directives, and integrating workflows that make access routine rather than exceptional. Your policies should map these steps end-to-end, from intake to delivery and documentation.

Business associates and technology partners

Ensure contracts require business associates to assist promptly with access requests and to maintain capabilities that generate electronic copies in common, usable formats. Coordinate on secure transmission methods and contingency plans for system outages.

Accountability and enforcement

Adopt a written fee schedule, publish clear instructions for patients, and audit cases for timeliness and accuracy. Consistent adherence reduces enforcement risk and demonstrates a culture of compliance with the HITECH Act’s access objectives.

Regulatory References under 45 C.F.R. § 164.524

What the regulation covers

  • Scope of access: Individuals may inspect or obtain a copy of PHI in the designated record set, with limited exclusions.
  • Form and format: Provide the copy in the requested electronic form and format if readily producible, or agree on an alternative.
  • Third-party directive: Individuals may direct you to send the copy to a designated person or entity.
  • Timeliness: Act within 30 days, with one permissible 30-day extension and required written notice.
  • Fees: Only reasonable, cost-based fees are permitted; retrieval or access fees are not allowed.
  • Denials: Provide written denials with review rights where applicable and release any separable, non-denied PHI.
  • Documentation: Maintain policies, request processing records, fee calculations, and notices of delay or denial.

Documentation you should maintain

  • Standard operating procedures for receiving, verifying, fulfilling, and documenting requests.
  • Templates for acknowledgments, fee estimates, extensions, and denials with review instructions.
  • Logs tracking request dates, completion dates, formats, transmission methods, and fees.

Summary

To comply with the right of access under 42 U.S.C. 17935(e) and 45 C.F.R. § 164.524, build a reliable, patient-centered process: verify identity without burden, deliver electronic copies in the requested format when feasible, honor third-party directives, meet the 30-day timeline, and apply only reasonable, cost-based fees. Strong documentation, training, and security controls complete an effective, defensible program.

FAQs

What is the right of access under 42 U.S.C. 17935(e)?

It is the individual’s right to obtain an electronic copy of PHI maintained in an EHR and, if desired, to direct you to transmit that copy to a designated third party. This HITECH-based right works alongside 45 C.F.R. § 164.524 to strengthen patient health information access.

How must covered entities respond to electronic access requests?

Covered entities must verify identity, determine the scope, and provide an electronic copy in the requested form and format if readily producible, or an agreed alternative. You may charge only a reasonable, cost-based fee and must document the request, processing steps, and delivery method.

Can individuals direct PHI to third parties?

Yes. Individuals can submit a written, signed directive that clearly identifies the recipient and destination. You should send the electronic PHI using the requested method if readily producible and secure for your systems, advising of any risks if the individual chooses unencrypted email.

What are the timing requirements for providing electronic PHI?

You must act on requests within 30 calendar days of receipt. If you need more time, you may take one additional 30-day extension by sending a written notice before the original period ends that explains the delay and states a new completion date.
