Compliance Foundations

HIPAA Right of Access Requests (45 CFR § 164.524): Respond Inside 30 Days

11 min read · Last reviewed May 23, 2026

A HIPAA right of access request is the patient's federally-protected request for a copy of, or access to, the patient's protected health information in the designated record set. The federal mandate is 45 CFR § 164.524. The response window is 30 calendar days, extendable once by 30 days with written notice. OCR's Right of Access Initiative reached its 54th published action with the 2025 Concentra resolution.

What HHS actually requires

§ 164.524(a)(1) grants the patient (or personal representative) a right to inspect or obtain a copy of PHI in the designated record set. The window is 30 calendar days from receipt of the request per § 164.524(b)(2), with one 30-day extension permitted on written notice within the original window. Acceptable form: the patient's requested form and format if readily producible; otherwise a mutually agreed alternative.

Fees are capped at reasonable cost-based labor, supplies, postage, and pre-agreed summary costs under § 164.524(c)(4). The 2016 OCR guidance on the right of access details the per-record electronic flat-fee option ($6.50 ceiling), the labor-based methodology, and what cannot be charged (search, retrieval, system overhead).

OCR's Right of Access Initiative settlements through 2025 follow a consistent pattern. Published amounts range from King MD at $3,500 (one late response) at the low end to Memorial Hermann Health System at $240,000 — the largest listed ROA settlement — at the high end. Bayfront Health St. Petersburg ($85K, mother's request for fetal heart-monitor records denied), Beth Israel Lahey Health ($70K), University of Cincinnati Medical Center ($65K), and Diagnostic Medical Imaging Services ($23K) sit in the middle of the range. OCR's 2025 Concentra resolution was the 54th published Right of Access action. The settlement amount tracks the severity, not just whether it happened — OCR penalizes pattern more than incident.

The four entities every credible Right of Access procedure references: the HHS Office for Civil Rights (OCR), the OCR Right of Access Initiative, the 21st Century Cures Act Information Blocking Rule, and the ONC Information Blocking enforcement framework.

Template — section by section

``` HIPAA RIGHT OF ACCESS PROCEDURE [Practice Name] Effective: [DATE] Owner: Privacy Officer

  1. PURPOSE

This procedure operationalizes 45 CFR § 164.524 — the patient's right to inspect or receive a copy of PHI in the designated record set — within the 30-day window and the cost-based fee limits.

  1. SCOPE

Every request, regardless of channel, by a patient, a personal representative under § 164.502(g), or an entity holding a HIPAA- compliant authorization under § 164.508.

  1. INTAKE — DAY 0

3.1 Time-stamp every request on arrival (any channel — phone, paper, email, portal, in-person) 3.2 Use the Right of Access Intake Form (Appendix A) 3.3 Confirm requester identity:

  • Patient: government ID or established practice identity
  • Personal rep: ID + documentation of representative status

(POA, guardian appointment, parent of minor)

  • Authorization holder: signed § 164.508 authorization

3.4 Confirm scope: full DRS or specific records / date range 3.5 Confirm requested form and format (paper, PDF, CCDA, portal, email, CD/USB) 3.6 If requester wants unencrypted email, capture written acknowledgement of risk per § 164.524(c)(3) 3.7 Log the request in the Right of Access Tracker

  1. PROCESSING — DAYS 1-25

4.1 Pull the designated record set per § 164.501 definition 4.2 Apply minimal review:

under § 164.524(a)(1)(i))

  • Confirm no information compiled in reasonable

anticipation of litigation (§ 164.524(a)(1)(ii))

  • Confirm no third-party endangerment ground under

§ 164.524(a)(3)(ii) — narrow grounds, requires licensed-professional review 4.3 Convert to requested form/format if readily producible 4.4 Calculate fee per § 164.524(c)(4) — labor + supplies + postage; per-page paper at $0.10-$0.25 ceiling; electronic delivery of electronic records typically modest or zero 4.5 Honor any state-law cap that is stricter 4.6 Deliver via patient-chosen channel

  1. EXTENSION — INSIDE DAY 30

If full response is not possible within 30 days, the Privacy Officer sends the Extension Notice (Appendix C) before day 30, naming:

  • The reason for the delay (specific, not boilerplate)
  • The expected delivery date (within 30 additional days)

The extension is one-time only. Total response window is 60 days.

  1. DENIAL — REVIEWABLE OR UNREVIEWABLE

6.1 Unreviewable denial grounds (§ 164.524(a)(2)):

  • PHI is psychotherapy notes (§ 164.524(a)(1)(i))
  • Compiled in reasonable anticipation of litigation

(§ 164.524(a)(1)(ii))

  • Inmate copy denial under § 164.524(a)(2)(ii)
  • Subject to research with patient consent suspending access

under § 164.524(a)(2)(iii)

  • Subject to Privacy Act denial under § 164.524(a)(2)(iv)
  • Information obtained from a confidential source under a

promise of confidentiality under § 164.524(a)(2)(v) 6.2 Reviewable denial grounds (§ 164.524(a)(3)):

  • Endangerment to the patient or another person, requires

licensed-professional finding

  • PHI references another person and access reasonably likely

to cause substantial harm to that person

  • Personal rep access reasonably likely to cause substantial

harm to the patient 6.3 Every denial is in writing using the Denial Notice (Appendix D) and includes the right to have the denial reviewed by a licensed professional designated by the practice.

  1. FEE TRANSPARENCY

The practice publishes a fee schedule on the website and provides it to the requester before producing the record where any fee will apply. No fee surprises after delivery.

  1. RETENTION

Every Intake Form, every delivery confirmation, every Extension Notice, every Denial Notice, and every tracker entry is retained for six years from the date of creation per 45 CFR § 164.530(j)(2).

  1. INFORMATION BLOCKING

The practice does not engage in any practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information except where required by law or covered by an enumerated exception under 45 CFR Part 171.

Reviewed and approved: ___________________________ Privacy Officer Date: ________ ___________________________ Security Officer Date: ________ ___________________________ Practice Owner Date: ________ ```

Scenario · HIPAA Privacy

What would you do?

A patient calls the front desk: 'I want a copy of all my records on a USB drive, mailed to my home. I'm switching providers.'

Your practice routinely directs patients to the patient portal. The front desk tells the patient 'you have to use the portal' and offers to mail a printed summary instead.

Operational self-diagnosis tool. Not legal advice, not a credential of any kind, not a substitute for counsel. The practice remains responsible for the decision it actually makes.

Right of Access Intake Form (Appendix A)

``` HIPAA RIGHT OF ACCESS INTAKE Date and time received: ____________________ Intake # ________ Channel: □ phone □ paper □ email □ portal □ in-person

Requester: □ Patient □ Personal rep □ Authorized recipient Requester name: ____________________________ Patient name (if different): ____________________ Patient DOB / MRN: ____________________ Requester ID verified by: ____________________ Date: ________ Personal-rep documentation (if applicable): _____________________ Authorization on file (if applicable): __________________________

Records requested: □ Full designated record set □ Date range: ____________ to ____________ □ Specific records: ______________________________________ □ Other: ______________________________________

Requested form/format: □ Paper □ PDF □ CCDA/electronic □ Portal access □ Email (unencrypted — acknowledgement attached) □ CD / USB drive □ Other: ______________

Day-0 stamp: ____________________ Day-30 deadline: __________ Day-60 deadline (if extended): __________

Assigned to: ____________________ Privacy Officer signoff: ________ ```

Right of Access Tracker (Appendix B)

| Intake # | Day 0 | Day 30 due | Day 60 due | Patient | Scope | Format | Status | Fee | Delivered | Issues | |---|---|---|---|---|---|---|---|---|---|---| | 2026-001 | 2026-05-01 | 2026-05-31 | 2026-06-30 | <name> | full DRS | CCDA via portal | Delivered 2026-05-12 | $0 | 2026-05-12 | — | | 2026-002 | 2026-05-03 | 2026-06-02 | 2026-07-02 | <name> | 2024-2025 visits | PDF email | In progress | $6.50 | — | — | | 2026-003 | 2026-05-08 | 2026-06-07 | 2026-07-07 | <name> | full DRS | paper | Extended 2026-06-01 | est $34 | — | imaging archive pull | | 2026-004 | 2026-05-10 | 2026-06-09 | 2026-07-09 | <name> | imaging only | CD | Delivered 2026-05-22 | $5 | 2026-05-22 | — |

Extension Notice (Appendix C)

``` [Practice Letterhead] [Date]

[Patient Name] [Address]

Re: Your Health Information Access Request — Intake # ________ Originally received: [DATE]

Dear [Patient Name],

This letter is to inform you that we are extending the time to respond to your request for access to your protected health information by an additional thirty (30) days, as permitted by 45 CFR § 164.524(b)(2).

Reason for the extension: [Specific reason — e.g., "the requested records include imaging studies stored in an archived system that requires retrieval from off-site storage"]

Expected response date: [DATE — no later than 60 days from original receipt]

If you have any questions, please contact our Privacy Officer at [phone] or [email].

Sincerely,

[Privacy Officer Name] Privacy Officer [Practice Name] ```

Denial Notice (Appendix D)

``` [Practice Letterhead] [Date]

[Patient Name] [Address]

Re: Your Health Information Access Request — Intake # ________

Dear [Patient Name],

We have reviewed your request dated [DATE] for access to your protected health information. We are denying your request in whole / in part [strike one] for the following reason(s):

□ The records you requested are psychotherapy notes that are excluded from the right of access under 45 CFR § 164.524(a)(1)(i).

□ The records you requested were compiled in reasonable anticipation of litigation under § 164.524(a)(1)(ii).

□ A licensed health-care professional has determined that access is reasonably likely to endanger the life or physical safety of the patient or another person under § 164.524(a)(3)(i).

□ Other (specific): ______________________________________________________________

Your right to review: If the reason for denial is a reviewable ground under § 164.524(a)(3), you have the right to have the denial reviewed by a licensed health-care professional designated by us who did not participate in the original decision. HIPAA does not set a deadline for requesting that review; to start the process, contact our Privacy Officer in writing at the address below.

You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights at https://www.hhs.gov/ocr/complaints/index.html.

Sincerely,

[Privacy Officer Name] Privacy Officer [Practice Name] ```

How to deploy

The deployment sequence: ratify the procedure with the Privacy Officer, Security Officer, and practice owner; train every intake person (front desk, medical records, billing, scheduling) on the 30-day stamp and the intake form; publish the fee schedule on the website; load the tracker into the binder; designate a backup Privacy Officer so the window does not stall during PTO; book a quarterly tracker review on the calendar.

The single highest-leverage move is the time-stamp on the intake. Every OCR Right of Access settlement we have read involves a practice that could not prove when the request arrived. Without a documented Day 0, the practice cannot prove the response was timely. Stamp every request, on every channel, the moment it arrives.

Common gaps

The five most common defects from binder review:

  1. No tracker. Individual requests are handled; there is no central log proving the 30-day window was met. OCR's investigators ask for the tracker.
  2. Day 0 not documented. Request arrived by phone or in person; the date was never written down; the practice cannot prove timeliness.
  3. Format defaulted to paper. Patient requested CCDA or PDF; staff produced paper because that is the practice norm. Information-blocking exposure plus Right of Access exposure.
  4. Fee exceeds the § 164.524(c)(4) ceiling. Per-page paper fees over $0.25, or any electronic-delivery fee for electronic records that runs over the OCR-published flat-fee guidance.
  5. Extension communicated verbally. No written Extension Notice issued inside the original 30 days; OCR treats this as a missed window.

Maintenance cadence

  • Weekly: Privacy Officer reviews the tracker; any request approaching Day 25 is escalated.
  • Monthly: tracker reconciled against EHR access-request logs (if EHR captures portal requests separately).
  • Quarterly: sample five completed requests for documentation completeness; verify any extensions had written notice; verify fee math.
  • Annually: procedure refresh; fee schedule refresh against current OCR guidance and state-law caps; staff retraining; review against the OCR Right of Access Initiative settlement docket for new patterns.
  • On any complaint: full file review and remediation; document the closure in the tracker.

State preemption note: California Health & Safety Code § 123110 requires inspection within 5 working days and transmission of copies within 15 days, with a fee schedule capped at $0.25 per page. Texas HB 300 tightens the EHR-access window to 15 business days. Florida § 456.057 requires copies to be furnished "in a timely manner" and imposes per-page fee caps; the 30-day window is HIPAA's at § 164.524(b)(2), not Florida's. NY Public Health Law § 18 imposes a 10-day inspection window. Where state law is stricter on timeline or fee, state law controls per § 160.203.

How d3rx fits

The d3rx compliance binder generates the Right of Access procedure, the Intake Form, the Tracker, the Extension Notice, the Denial Notice, and the fee schedule with § 164.524, the OCR Right of Access Initiative settlement context, and the Cures Act Information Blocking framework cited inline. The Privacy Officer remains responsible for verifying requester identity, calculating fees, and signing every Denial or Extension Notice.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversHIPAA Right of Access Requests (45 CFR § 164.524): Respond Inside 30 Days. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

How do I respond to a request for the patient's entire electronic record?

A patient may request the entire designated record set per [§ 164.524(a)(1)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524). The practice produces an electronic copy in the form and format requested if readily producible, otherwise in a mutually agreed readable electronic form. The 30-day window applies regardless of size. We see practices try to deliver paper printouts of EHR data when the patient requested CCDA or PDF; OCR's Right of Access Initiative has settled against practices for exactly that. Honor the requested format if you can produce it.

Can I charge for the copy and how much?

Yes, within strict limits. [§ 164.524(c)(4)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524) allows a reasonable, cost-based fee covering only: labor for copying (in whatever form), supplies, postage, and the cost of preparing a summary if the patient agreed in advance to a summary instead of the record. The fee may NOT include search-and-retrieval, data-storage, or system-overhead costs. Per-page fees are scrutinized — OCR's 2016 guidance treats $0.10-$0.25 per page as the upper bound for paper. For electronic copies of electronic records, the fee should typically be modest or zero. CA, NY, TX, and FL have state-law caps that may be lower.

What does the OCR Right of Access Initiative actually penalize?

OCR launched the Right of Access Initiative in 2019. Published settlements range from $3,500 (King MD, a single late response) to $240,000 (Memorial Hermann Health System, the largest listed ROA settlement). By 2025, OCR's [Concentra Health Services](https://www.hhs.gov/press-room/ocr-settles-with-concentra.html) resolution marked the 54th Right of Access action. The pattern is consistent: a patient (or their personal representative) requested records; the practice missed the 30-day window or refused; OCR settled and typically attached a multi-year Corrective Action Plan.

Does the 30-day window have any extension?

[§ 164.524(b)(2)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524) allows a single 30-day extension if the practice provides the patient with a written statement before the original 30 days expire, naming the reason for the delay and the expected response date. Total time including extension is 60 days. OCR settlements treat the written-extension requirement as strict — calling the patient or noting the chart is not sufficient. Issue the extension letter in writing inside the original window.

What if the request comes from the patient's spouse, parent, or attorney?

Verify the requester is a personal representative under [§ 164.502(g)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502) or the patient has signed a HIPAA-compliant authorization under [§ 164.508](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508). Spouses are not automatic personal representatives. Parents are personal representatives for unemancipated minors subject to state-law minor-consent carve-outs (mental health, reproductive, substance use). Attorneys need either a power of attorney that includes health-information authority or a signed authorization. The verification step is the most common defect — practices accept requests at face value, OCR cites it as a Privacy Rule failure.

Can I require the patient to use the patient portal?

No, and the 21st Century Cures Act Information Blocking rule reinforces this. The patient chooses the form and format of delivery to the extent the practice can produce it. If the patient wants email, the practice produces email (with the patient's documented acknowledgement of unencrypted email risk under [§ 164.524(c)(3)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524)). If the patient wants a CD or a USB drive, the practice produces it. The portal is one option, not a required channel.

How does the Cures Act Information Blocking rule interact with § 164.524?

The [ONC Information Blocking rule](https://www.healthit.gov/curesrule/) treats unreasonable interference with the access, exchange, or use of electronic health information as a separate violation enforceable by OCR (against providers) and OIG (against developers and HINs). Slow-walking a § 164.524 request, narrowing the production to paper when CCDA is producible, or requiring the patient to come in person to sign forms are all candidate information-blocking events. A Right of Access defect can now trigger two enforcement vectors at once.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR § 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
  2. King MD at $3,500https://www.hhs.gov/sites/default/files/king-md-ra-cap.pdf
  3. Memorial Hermann Health System at $240,000https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/memorial-hermann-roa/index.html
  4. 2025 Concentra resolutionhttps://www.hhs.gov/press-room/ocr-settles-with-concentra.html
  5. OCR Right of Access Initiativehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
  6. 21st Century Cures Act Information Blocking Rulehttps://www.healthit.gov/curesrule/
  7. ONC Information Blocking enforcement frameworkhttps://www.healthit.gov/topic/information-blocking
  8. California Health & Safety Code § 123110https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=HSC&sectionNum=123110
  9. Texas HB 300https://www.hhs.texas.gov/regulations/rules/hb-300-medical-records-privacy
  10. Florida § 456.057http://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Display_Statute&URL=0400-0499/0456/Sections/0456.057.html
  11. NY Public Health Law § 18https://www.nysenate.gov/legislation/laws/PBH/18
  12. § 160.203https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-B/section-160.203
  13. indexhttps://www.hhs.gov/ocr/complaints/index.html

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides