What is the HIPAA Right of Access, When Must Covered Entities Respond to Right of Access Requests, and What are Potential Consequences of Right of Access Standard Noncompliance?

Introduction

This article discusses the HIPAA Privacy Rule "Right of Access" standard, which requires covered entity health plans and providers make PHI in a designated set available to a patient who requests that PHI.


What is the HIPAA Right of Access?

The HIPAA Privacy Rule generally provides individuals with a legal, enforceable right to see and receive, upon request, copies of the information in their medical and other health records maintained by their healthcare providers and health plans maintained in a designated record set. This right is known as the HIPAA “right of access.” It can be found at 45 CFR 164.524. 

What is the Timeline for a Response to a Right of Access Request?

In providing access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part (if there is a valid reason to deny access to part of the PHI, no later than 30 calendar days from receiving the individual's request. The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible by HHS. Indeed, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day-to-day operations.

If a covered entity is unable to provide access within 30 calendar days -- for example, where the information is archived offsite and not readily accessible -- the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Only one extension is permitted per access request.

What are the Potential Consequences of Failure to Comply With The Right of Access Standard?

Covered entities that fail to meet the deadlines are subject to potential penalties. In 2019, the Department of Health and Human Services' (HHS) Office for Civil Rights announced a "Right of Access Initiative," in which it committed to ramping up enforcement of the right of access standard. As of July 14, 2025, OCR has brought 53 enforcement actions against providers and health plans under the initiative. Examples of right of access enforcement actions can be found here.