HIPAA and the Right of Access: A Q&A for Covered Entities

Published for Coates' Canons on February 09, 2023.

Under the HIPAA “Right of Access” provision, entities that are subject to HIPAA are required to provide patients with access to their health information upon request, in a timely manner, and at a reasonable cost. Failure to meet these requirements can result in enforcement action, including hefty fines, and a loss of trust from individual patients and the public. This blog post explains the requirements of the Right of Access provision and addresses common questions about compliance with the law.

The “Right of Access” provision is found at 45 C.F.R. 164.524 and falls under the HIPAA Privacy Rule. This provision generally requires covered entities to provide individuals, upon request, with access to their protected health information (PHI) in a designated record set (as defined at 45 C.F.R. 164.501) that is maintained by the covered entity or by a business associate on behalf of the covered entity. Access must be provided in a timely manner, which means that covered entities must act on an individual’s request for access within 30 days or get an extension. Covered entities may charge reasonable cost-based fees for providing copies of the requested records. The law also establishes requirements for how requests for records are made and the form and manner in which covered entities must provide access to records (e.g., paper versus electronic copies). The Right of Access provision applies regardless of whether the individual is requesting access for themselves or requesting that records be sent to a third party.

Q&A: Key Terms and Issues

In this section, I will explain key terms and issues related to compliance with the HIPAA Right of Access provision through a question and answer (Q&A) format. This Q&A does not address every issue that could arise under the HIPAA Right of Access requirements and covered entities are encouraged to consult an attorney if they have specific questions about their own compliance with the law.

Who can exercise the Right of Access under HIPAA?

The Right of Access can be exercised by an individual or the individual’s personal representative under 45 C.F.R. 164.502(g). The individual/personal representative can request that records be provided to the individual/personal representative or to a third party. Under 45 C.F.R. 164.524(c)(3)(ii), requests for the covered entity to send records to a third party must be made in writing, signed by the individual/the individual’s personal representative, and clearly identify the third party to whom the records must be sent.

Who enforces Right of Access violations?

HIPAA violations, including violations of the Right of Access provision, are enforced by the Office of Civil Rights (OCR) within the United States Department of Health and Human Services (HHS). OCR typically learns about potential violations during compliance reviews and through complaints made by patients directly to the agency.

When does the 30-day period for acting on a request begin to run?

Pursuant to 45 C.F.R. 164.524(b)(2)(i), a covered entity “must act on a request for access no later than 30 days after receipt of the request […].” Acting on a request means either (1) informing the individual that the request was accepted and providing the requested records or (2) providing the individual with written notice that all or part of the request has been denied. In guidance published online, OCR has noted that 30 days means 30 calendar (not business) days.

The 30-day clock starts to run even if the covered entity must pass the request on to a business associate to fulfill. Therefore, if a covered entity received a request but then took 10 days to forward the request to their business associate, the business associate would have 20 days to act on the request. The 30-day period also continues to run if the covered entity and requestor spend time negotiating the form and format in which the records will be provided. In some instances, a covered entity can get a 30-day extension for acting on a request (see below).

When can a covered entity get an extension for acting on a request?

If the covered entity is unable to act on a request within 30 days then the covered entity can, on its own, extend the timeframe for acting on the request by another 30 days. Before the original 30-day period ends, the covered entity must give the individual written notice explaining the reasons for the delay and the date by which the covered entity will act on the request (which in the case of an extension can be no later than 60 days from when the request was received). A covered entity can only get one 30-day extension per request. See 45 C.F.R. 164.524(b)(2).

Can a covered entity provide some records now and the rest later?

The issue of providing incomplete records is addressed in several resolution agreements entered into under OCR’s Right of Access Initiative. Covered entities cannot satisfy the timeliness requirement at 45 C.F.R. 164.524(b)(2) by providing some, but not all, of the responsive records within the applicable time period (30 days or, for extensions, 60 days) and then following up with the remaining records after the 30- or 60-day period has run.

Which types of records are excluded under the Right of Access provision?

Individuals do not have a right to access information about them that is not part of a designated record set because it is not used to make decisions about individuals. This could include, for example, quality assurance evaluations or practitioner peer review files. 45 C.F.R. 164.524(a)(1) also states that an individual’s right of access does not extend to psychotherapy notes or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, even if those notes or information are stored in a designated record set.

The individual’s right of access exists for as long as the designated record is maintained by the covered entity. Therefore, a covered entity is not obligated to produce records that it no longer maintains. (But note that OCR has said that the fact that records are old, stored offsite, and/or otherwise hard to access does not excuse a covered entity from its Right of Access responsibilities).

Can a covered entity deny a request for records?

Yes. Under 45 C.F.R. 164.524(a)(2)(i), a covered entity may deny a request for records that are excluded under the Right of Access provision. Otherwise, a covered entity may deny a request only in the limited and uncommon set of situations that are described at 45 C.F.R. 164.524(a)(2)(ii)-(v) and 164.524(a)(3). A covered entity that denies all or part of a request for records must comply with the steps set out at 45 C.F.R. 164.524(d), which include providing the individual with written notice of the denial within 30 days of receiving the request (or 60 days, in the event of an extension).

Do records have to be provided in a particular form and manner?

Yes. In addition to the timeliness requirement set out at 45 C.F.R. 164.524(b)(2), a covered entity must provide access to records in the form or format requested by the individual if the records are readily producible in that form or format. If the records are not readily producible in the form or format requested, then access must be provided in a readable hardcopy form or some other form or format that the covered entity and individual agree on. The covered entity may also provide the individual with a summary of the requested health information in lieu of providing entire records if the individual agrees in advance to receive the summary instead of full records and to any fees charged by the covered entity for generating and providing the summary. If the individual asks to inspect their records (rather than receive a copy) then the covered entity must arrange a convenient time and place for the individual to come in and inspect the records. See 45 C.F.R. 164.524(c)(1)-(3).

Can a covered entity charge a fee for inspections of records, or just for copies?

45 C.F.R. 164.524(c)(4) only allows a covered entity to charge reasonable, cost-based fees for fulfilling a request for a copy of a record. If an individual wants to inspect their record but is not asking the covered entity to create a copy of the record for them, then the covered entity cannot charge the individual a fee for the inspection, even if there are minimal labor costs involved with allowing the individual to inspect the records. OCR has expounded upon this in guidance by explaining that a covered entity also cannot charge an individual a fee because the individual uses their own supplies to make a copy of a record (e.g., by taking notes or photos) while inspecting their records.

What does it mean for a fee to be “cost-based”?

“Cost-based” means that the fee can only include costs of the labor and supplies (e.g., paper, CDs, USB drives) used in copying the records or developing a summary under 45 C.F.R. 164.524(c)(2)(iii) and postage (if the records will be mailed). OCR has explained in guidance that labor costs cannot include the costs of searching for and retrieving the requested records. In the same guidance, OCR describes three permitted methods for calculating a cost-based fee for access to records:

  1. Calculating the actual costs of providing access to the requested records or creating a summary of the records, if that is what the requestor agreed to receive. The fee must be calculated using reasonable hourly labor rates, which will vary based on the level of skill needed to produce the records in the requested format, and can also include the cost of supplies or postage.
  2. Creating a fee schedule based on the average labor costs involved in fulfilling common types of requests. In addition to the labor cost listed in the fee schedule, the covered entity can charge for the costs of supplies and postage. OCR has stated that fee schedule rates cannot be charged as a per page fee when providing paper or electronic copies of PHI that is maintained electronically.
  3. Charging a flat fee for copies of PHI that is maintained electronically, not to exceed $6.50 in total.

Regardless of which method is used, OCR requires covered entities that charge fees to provide individuals with a fee estimate in advance of fulfilling the request (since the fee amount may inform the format and manner in which the individual requests to access the records).

Health care providers in North Carolina are also subject to the fee limitations set forth in G.S. 90-411. This statute authorizes a health care provider to charge a reasonable fee for the costs incurred when fulfilling a request, including costs incurred while searching for the requested records. However, as previously mentioned, OCR prohibits covered entities from including search and retrieval labor costs when calculating a fee for accessing records. Therefore, North Carolina health care providers that are subject to HIPAA should not build the labor cost of searching for records into the fees that they charge for copies of records.

A final note: while the law allows for charging fees, OCR strongly encourages covered entities to provide access to records at no cost across the board, but especially in situations where the individual’s financial situation would make it difficult or impossible to afford the fee.

The patient whose information is being requested has an unpaid bill. Can the covered entity withhold the requested records until that bill is paid?

No. OCR has addressed this question in guidance and made clear that a covered entity cannot withhold or deny an individual access to their health information solely because the individual has an outstanding bill for services provided by the covered entity. The North Carolina Medical Board (NCMB) also takes a stance against withholding records because of an overdue account or bill. See NCMB Position Statement 3.2.1.

What other issues should covered entities be thinking about when handling requests under the HIPAA Right of Access provision?

The 30-day timeline (or 60-day timeline, for extensions) that is established by the Right of Access provision can create a sense of urgency for covered entities that receive requests for records; however, it is important that covered entities that are working quickly to act on a request not forget the additional HIPAA requirements that they must satisfy when providing access to records. For example, under 45 C.F.R. 164.514(h), a covered entity still needs to take reasonable steps to verify the identity of the person requesting access to the records before the disclosure is made.
