A patient walks up to your front desk and says, “I want a copy of my medical records.” Your staff member smiles, takes down the request, and promises to “look into it.” Three weeks later the request is still sitting in someone’s inbox. That delay is not just bad customer service — it may already be a HIPAA violation. The right of access under 45 CFR 164.524 is one of the most actively enforced provisions in HIPAA today, and OCR has made it the centerpiece of an ongoing enforcement initiative that has produced dozens of settlements since 2019.
The Right of Access: What the Law Actually Says
Under the HIPAA Privacy Rule, individuals have the right to inspect and obtain a copy of their protected health information (PHI) held in a designated record set. That term covers medical records, billing records, insurance enrollment records, and any other records used to make decisions about the individual. The right extends to information maintained in any form — paper, electronic, or a combination.
The regulation at 45 CFR 164.524(b)(2) requires a covered entity to act on a request for access no later than 30 calendar days after receiving it. A single extension of up to 30 additional days is permitted, but only if, within the initial 30 days, the entity gives the individual a written statement of the reason for the delay and the date by which the request will be fulfilled. That puts the absolute maximum at 60 days. The older distinction between records held on-site and off-site (which once allowed 60 days for off-site records) was removed by the 2013 Omnibus Rule, and even the 60-day maximum is meant to be the exception, not the norm.
OCR has repeatedly emphasized that 30 days is a ceiling, not a target. Practices should fulfill straightforward requests much faster — ideally within days when the records are electronic.
What Format Must You Provide?
If the individual requests records in a specific electronic format and your practice can readily produce them in that format, you must do so. Common examples include PDF, patient portal download, or transmission via secure email. If the requested format is not readily producible, you must provide the records in a readable hard copy or another electronic format agreed upon by both parties. You may not refuse to provide electronic records simply because your EHR makes export inconvenient.
Patients may also direct you to transmit a copy to a third party, such as a new provider, an attorney, or a family member, as long as the request is in writing, signed by the individual, and clearly identifies the designated recipient. One caveat: after the 2020 decision in Ciox Health v. Azar, the HIPAA third-party directive is enforceable for electronic copies of PHI maintained in an EHR; for other records the individual can still obtain the copy themselves or give you a HIPAA authorization. Slow handling of these directives is a frequent source of OCR complaints when practices drag their feet.
Fees: What You Can and Cannot Charge
HIPAA limits the fees a covered entity may charge to a “reasonable, cost-based fee.” Under OCR guidance, you may charge for:
- Labor for copying (whether paper or electronic)
- Supplies for creating the copy (paper, USB drive, CD)
- Postage, if the individual requests mailing
You may not charge for search and retrieval time, maintaining systems, or recouping the cost of your EHR. OCR guidance offers a flat fee of up to $6.50 for electronic copies of PHI maintained electronically as one permissible option; OCR has clarified that this is an option, not a cap on an actual cost-based fee. Since Ciox Health v. Azar (2020), these fee limits govern copies provided to the individual; OCR's attempt to extend them to third-party directives was vacated. Many states impose separate, sometimes stricter, fee limits, so always check your state's requirements as well. Excessive fees are themselves a violation and have been the basis for multiple OCR enforcement actions.
When You Can Deny a Request
The grounds for denying access are narrow and explicitly enumerated in 45 CFR 164.524(a). The following are either outside the right of access entirely or grounds for a denial that the individual has no right to have reviewed:
- Psychotherapy notes: Separately maintained notes recorded by a mental health professional are excluded from the right of access.
- Information compiled for legal proceedings: Records compiled in reasonable anticipation of litigation are exempt.
- Certain research records: If the individual agreed to a temporary suspension of access when consenting to participate in research, access may be denied until the research concludes.
- Information obtained from a non-healthcare-provider source under a promise of confidentiality: Access may be denied if granting it would reasonably reveal the source.
- Records subject to the Privacy Act: Access may be denied where the Privacy Act (5 U.S.C. 552a) would itself deny it.
- Inmate requests at a correctional institution: The institution, or a provider acting under its direction, may deny an inmate a copy if providing it would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or of others.
Additionally, a licensed healthcare professional may deny access if, in their professional judgment, the access would be reasonably likely to endanger the life or physical safety of the individual or another person. This reviewable denial must be documented, and the individual must be informed of their right to have the denial reviewed by another licensed professional who did not participate in the original decision.
What you may not use as a basis for denial: an unpaid balance, a disagreement with the patient, administrative inconvenience, or the belief that the patient “doesn’t need” the records. These are among the most common reasons practices get into trouble with OCR.
The OCR Right of Access Enforcement Initiative
Since 2019, OCR has pursued a targeted enforcement initiative specifically focused on the right of access. Settlements have ranged from $3,500 for a solo dental practice to $240,000 for a hospital system. The pattern is consistent: a patient requests records, the practice delays or refuses, the patient files an OCR complaint, and OCR finds the practice either exceeded the 30-day timeline, charged excessive fees, or denied the request without a valid legal basis.
Many of the settled cases involve practices that simply failed to respond at all, or that required patients to appear in person to pick up records, or that charged hundreds of dollars for a PDF export. The enforcement message is unmistakable: OCR takes this right seriously, and the penalties for noncompliance are real even for small practices.
Building a Compliant Records Request Workflow
The best way to avoid a right-of-access complaint is to build a repeatable process:
- Centralize intake. Designate a single point of contact (or role) for all records requests. Use a tracking log or a platform like GuardWell to timestamp every request when it arrives.
- Acknowledge immediately. Send the patient a written or electronic acknowledgment within two business days confirming receipt of the request and the expected fulfillment date.
- Fulfill fast. For electronic records, aim for 10 business days or fewer. Do not wait until day 29.
- Document everything. Record the date received, the date fulfilled, the format provided, any fees charged, and the identity of the staff member who fulfilled the request.
- Know your denial grounds. If you believe a denial is warranted, document your legal basis under 45 CFR 164.524(a) and provide the patient with a written denial that includes their right to a review and instructions for filing a complaint with OCR.
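The workflow above is easier to defend if the log itself computes the deadline and flags what is missing. The following is an added example, not GuardWell code or anything from the original page: a minimal Python request log that applies the 45 CFR 164.524(b)(2) timing rule (30 calendar days from receipt by the practice, one extension of up to 30 more days only if written notice goes out within the initial 30 days) and checks that a closed request carries the documentation fields listed above. The sample requests, dates, and field names are constructed for illustration.

```python
"""Right-of-access request log with deadline tracking (constructed example).

Encodes the 45 CFR 164.524(b)(2) timing rule: act within 30 calendar days of
receipt; one extension of up to 30 more days is allowed only if a written
notice (reason plus new date) is sent within the initial 30 days. The clock
runs from receipt by the practice, not from when a fulfiller first sees it.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INITIAL_DAYS = 30     # 164.524(b)(2)(i)
EXTENSION_DAYS = 30   # 164.524(b)(2)(ii): a single extension, at most 30 days


@dataclass
class AccessRequest:
    request_id: str
    received: date                            # date the PRACTICE received it
    acknowledged: Optional[date] = None       # written/electronic acknowledgment sent
    extension_notice: Optional[date] = None   # date a written extension notice was sent
    fulfilled: Optional[date] = None          # date copies were provided (or a denial issued)
    format_provided: Optional[str] = None
    fee_charged_usd: float = 0.0
    handled_by: Optional[str] = None


def deadline(req: AccessRequest) -> date:
    """Latest date the practice may act. A notice sent after the initial 30
    days does not extend anything: the request was already late."""
    base = req.received + timedelta(days=INITIAL_DAYS)
    if req.extension_notice is not None and req.extension_notice <= base:
        return base + timedelta(days=EXTENSION_DAYS)
    return base


def status(req: AccessRequest, as_of: date) -> str:
    due = deadline(req)
    if req.fulfilled is None:
        return "overdue" if as_of > due else "open"
    return "fulfilled_late" if req.fulfilled > due else "fulfilled_on_time"


def days_remaining(req: AccessRequest, as_of: date) -> int:
    """Negative once the deadline has passed."""
    return (deadline(req) - as_of).days


def documentation_gaps(req: AccessRequest) -> list:
    """Fields OCR will ask for that are missing from the record."""
    gaps = []
    if req.acknowledged is None:
        gaps.append("acknowledged")
    if req.fulfilled is not None:
        if req.format_provided is None:
            gaps.append("format_provided")
        if req.handled_by is None:
            gaps.append("handled_by")
    return gaps


def report(log, as_of: date) -> dict:
    """Group request ids by status, earliest deadline first."""
    out = {"overdue": [], "open": [], "fulfilled_late": [], "fulfilled_on_time": []}
    for req in sorted(log, key=deadline):
        out[status(req, as_of)].append(req.request_id)
    return out


# Constructed sample log: hypothetical requests, not real patients.
SAMPLE_LOG = [
    AccessRequest("R-001", date(2024, 3, 1), acknowledged=date(2024, 3, 1),
                  fulfilled=date(2024, 3, 8), format_provided="PDF via portal",
                  handled_by="records clerk"),
    AccessRequest("R-002", date(2024, 3, 1)),   # sat in a shared inbox, never acknowledged
    AccessRequest("R-003", date(2024, 3, 1), acknowledged=date(2024, 3, 4),
                  extension_notice=date(2024, 3, 28),          # sent within day 30: valid
                  fulfilled=date(2024, 4, 20), format_provided="paper, mailed",
                  fee_charged_usd=6.50, handled_by="records clerk"),
    AccessRequest("R-004", date(2024, 3, 1), acknowledged=date(2024, 3, 2),
                  extension_notice=date(2024, 4, 3),           # sent after day 30: no effect
                  fulfilled=date(2024, 4, 10)),                # format and handler never logged
]
AS_OF = date(2024, 4, 5)

if __name__ == "__main__":
    for req in SAMPLE_LOG:
        print(req.request_id, deadline(req), status(req, AS_OF),
              days_remaining(req, AS_OF), documentation_gaps(req))
    print(report(SAMPLE_LOG, AS_OF))
```

Running it as of 2024-04-05 puts R-002 in the overdue bucket with a negative day count, shows R-003's valid extension moving its deadline to 2024-04-30, and leaves R-004's deadline at 2024-03-31 because its notice went out too late, so its fulfillment is recorded as late and its missing format and handler fields are flagged.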
Integrating records request tracking with your broader risk assessment process ensures that access-related risks are identified and addressed before they become complaints.
What Happens When a Patient Complains to OCR
When a patient files a right-of-access complaint, OCR will request documentation of your process: the date you received the request, any communications with the patient, the date you fulfilled or denied the request, and your policies and procedures for handling access requests. If you cannot produce this documentation, OCR treats the absence of evidence as evidence of noncompliance. Practices with no formal process and no tracking log are effectively indefensible.
A documented compliance program — including written policies, staff training, and an access request log — is your strongest defense. Even if your response was slightly delayed, demonstrating that you have a functioning program and acted in good faith can significantly influence the outcome.
Frequently Asked Questions
Can I require a patient to submit their records request in writing?
HIPAA allows you to require requests in writing, but only if you inform individuals of this requirement. You may not ignore a verbal request simply because it was not written down — you should direct the patient to your written request process and document the interaction. Some states do not permit a writing requirement at all, so check your state law.
Does the 30-day clock start when the request is received or when we process it?
The clock starts on the date the request is received by your practice, not when it reaches the person responsible for fulfilling it. Internal routing delays do not extend your timeline. This is why centralizing intake is critical — a request sitting in a general email inbox is already counting against you.
Can I withhold records if the patient has an unpaid bill?
No. Under OCR's guidance on the right of access, a covered entity may not withhold or delay records because the individual has an outstanding balance. You may charge a reasonable, cost-based fee for the copy itself, but you cannot hold records hostage over unrelated charges. OCR has settled multiple cases on exactly this issue.
What if our EHR vendor makes it difficult to export records in the patient’s requested format?
EHR limitations do not excuse noncompliance. If you cannot readily produce records in the requested format, you must provide them in a readable alternative format (hard copy or another agreed-upon electronic format). You should also work with your EHR vendor to resolve export limitations, as this is a recurring compliance risk.