Your HIPAA Right of Access: How to Request Your Medical Records, 30-Day Rule and Reasonable Fees

Kevin Henry

HIPAA

January 29, 2024

7 minute read

HIPAA Right of Access Overview

Your HIPAA Right of Access lets you inspect or obtain copies of your Protected Health Information (PHI) held by a covered entity, and direct that a copy be sent to a person or app you choose. This right supports health information portability and continuity of care.

Covered entities include most health care providers, health plans, and clearinghouses. Compliance requires written policies, workforce training, and timely, consistent responses to access requests without unnecessary barriers.

What you can access

You may access PHI in the “designated record set,” such as medical and billing records, enrollment and claims files, and other records used to make decisions about you. Psychotherapy notes and information compiled for litigation are excluded.

Timing and format

Covered entities must act on your request within 30 calendar days. If your requested form and format are readily producible, they must provide it that way; otherwise, they must offer a readable alternative you agree to, supporting health information portability across systems.

Requesting Medical Records Process

Prepare your request

Identify the provider or plan, the date range, and specific records you need. State your preferred format (for example, portal download, secure email, PDF, paper) and delivery method. If desired, include a patient directive to send PHI to a third party.

Submit and verify

Send the request to the entity’s medical records or privacy office. Reasonable identity verification is expected, but entities may not impose unreasonable measures (for example, forcing in‑person pickup when you asked for mail or electronic delivery).

Agree to fees and delivery

Ask for an itemized estimate of any reasonable copying fees before processing. You may choose to inspect records on-site, receive copies, or request a summary or explanation if you consent to any related fees.

Track and escalate if needed

Calendar the 30-day deadline. If you hear nothing, contact the privacy office. Document all communications; this helps if you later need to complain to the entity or the regulator.

Extension of Time for Record Access

If the entity cannot provide access within 30 days, it may take one extension of up to an additional 30 days. It must send you a written notice within the original 30 days explaining the reason and giving a firm date when access will be provided.

What the notice should include

  • The specific reason for delay (for example, records stored off-site or temporary system issues).
  • The exact additional time needed, not to exceed 30 more days.
  • A contact for questions about your request.

What is not acceptable

  • Serial or open-ended extensions.
  • Vague promises without a date certain.
  • Silence past the deadline without written explanation.

Reasonable Fees and Charges

HIPAA permits a cost-based fee structure for copies of PHI. You cannot be charged to inspect records or to use a patient portal. Reasonable fees may cover only the labor to copy, supplies, and postage if mailed.

How fees may be calculated

  • Actual cost: itemized labor for copying and the exact supplies/postage used.
  • Average cost schedule: a standard, documented schedule that reflects typical labor and supplies.
  • Reasonable flat fee for certain all-electronic copies, where permitted by guidance.

Fee transparency

  • Ask for an itemized estimate before processing.
  • Confirm whether the request is electronic or paper, as this affects cost.
  • You may narrow your request to reduce fees or choose inspection instead of copies.

Permissible and Prohibited Fee Components

Permissible components

  • Labor for copying (for example, scanning paper charts, exporting or converting electronic files, and transferring to media).
  • Supplies (paper, toner, CD/USB) when used to fulfill your request.
  • Postage when you ask for mail delivery.
  • Preparation of a summary or explanation if you request and agree to pay for it.

Prohibited components

  • Retrieval, access, search, verification, or “handling” fees.
  • Fees to maintain systems, portals, or EHRs.
  • Per-page fees for electronic copies of ePHI.
  • Charges to create or maintain an online account or to view your records in a portal.

State law interplay

If state law is more protective (for example, shorter timelines or lower fees), entities should meet the more stringent standard. If state law allows higher charges or longer timelines, HIPAA’s right of access and cost-based limits still govern your request.

Electronic Access to Medical Records

When PHI is maintained electronically, you can request ePHI in a readily producible electronic format (for example, PDF, text, Blue Button, or a standard export). If you request unencrypted email after being warned of risks, the entity should honor your choice.

Covered entities should not force a particular proprietary portal when your requested format is readily producible. Electronic fulfillment typically results in faster access and lower reasonable copying fees.

Third-Party PHI Requests

You may direct a covered entity to send your ePHI to a third party of your choosing. That patient-directed transmission is part of your right of access, so the 30-day timeline and cost-based limits apply. By contrast, when a third party (for example, an attorney) requests records using its own authorization, that disclosure is not your access request; different fee rules may apply.

Denial of Access and Review Procedures

Some requests can be denied. Unreviewable denials include psychotherapy notes and information compiled for legal proceedings. Other limited grounds are reviewable, such as when a licensed professional believes access is reasonably likely to endanger life or physical safety.

If your request is denied, the entity must provide written denial documentation that states the basis for the denial, whether you have a right to review, how to request that review, and how to complain to the entity or the regulator. If the denial is reviewable, a licensed clinician not involved in the original decision must conduct an independent review promptly.

When a covered entity does not maintain the requested PHI but knows where it is kept, it must inform you where to direct your request. Entities should still provide any portions of the record they can, even if part of the request is denied.

Bottom line: use clear written requests, choose electronic delivery when possible, and ask for itemized, cost-based fees. Escalate promptly if deadlines slip or if a denial lacks required documentation.

FAQs

What is the HIPAA 30-day rule for access to medical records?

The 30-day rule requires covered entities to act on your access request within 30 calendar days. If they cannot meet that timeline, they may take one extension of up to 30 additional days, but only with a written notice explaining the reason and giving a specific new date.

How are reasonable fees for medical records determined under HIPAA?

Fees must be cost-based and limited to labor for copying, supplies, and postage if mailed. Entities may use actual costs, an average-cost schedule, or—in certain all-electronic scenarios—a reasonable flat fee. They may not charge retrieval, search, verification, or per-page fees for electronic copies of ePHI.

Can medical record requests be denied under HIPAA?

Yes, but only for specific reasons. Unreviewable denials include psychotherapy notes and information compiled for litigation. Some denials are reviewable—such as when access is reasonably likely to endanger life or physical safety—and must be reconsidered by an independent licensed professional.

What are my rights if access to records is denied?

You have the right to a written denial that explains the basis, your right to review (if applicable), and how to file a complaint. For reviewable denials, you can request an independent review. You may also complain to the covered entity’s privacy office and to the federal regulator if requirements are not met.
