Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

  • About HHS
  • Programs & Services
  • Grants & Contracts
  • Laws & Regulations
  • Radical Transparency
  • Big Wins
  • HIPAA for Individuals
  • Filing a Complaint
  • HIPAA for Professionals
  • Newsroom
Breadcrumb
  1. HHS
  2. HIPAA Home
  3. For Professionals
  4. FAQ
  5. 2050-How timely must a covered entity be in responding to individuals’ requests for access to their PHI?
  • Authorizations (30)
  • Business Associates (41)
  • Compliance Dates (2)
  • Covered Entities (14)
  • Decedents (9)
  • Disclosures for Law Enforcement Purposes (5)
  • Disclosures for Rule Enforcement (1)
  • Disclosures in Emergency Situations (2)
  • Disclosures Required by Law (6)
  • Disclosures to Family and Friends (28)
  • Disposal of Protected Health Information (6)
  • Facility Directories (7)
  • Family Medical History Information (3)
  • FERPA and HIPAA (10)
  • Group Health Plans (3)
  • Incidental Uses and Disclosures (10)
  • Judicial and Administrative Proceedings (8)
  • Minimum Necessary (14)
  • Notice of Privacy Practice (20)
  • Preemption of State Law (10)
  • Privacy Rule: General Topics (12)
  • Protected Health Information (2)
  • Public Health Uses and Disclosures (13)
  • Research Uses and Disclosures (20)
  • Right to an Accounting of Disclosures (8)
  • Right to File a Complaint (1)
  • Right to Request a Restriction (4)
  • Safeguards (13)
  • Security Rule (24)
  • Smaller Providers and Businesses (145)
  • Student Immunizations (8)
  • Transition Provisions (3)
  • Treatment, Payment, and Health Care Operations Disclosures (30)
  • Workers Compensation Disclosures (5)
  • Limited Data Set (6)
  • Marketing (17)
  • Marketing - Refill Reminders (16)
  • Personal Representatives and Minors (12)
  • Right to Access and Research (58)
  • Mental Health (35)
  • Health Information Technology (41)
  • Telehealth (11)

How timely must a covered entity be in responding to individuals’ requests for access to their PHI?

Under the HIPAA Privacy Rule, a covered entity must act on an individual’s request for access no later than 30 calendar days after receipt of the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days, as long as it provides the individual – within that initial 30-day period – with a written statement of the reasons for the delay and the date by which the entity will complete its action on the request. See 45 CFR 164.524(b)(2).

These timelines apply regardless of whether:

  • The PHI that is the subject of the request is maintained by the covered entity or by a business associate on behalf of the covered entity, or the covered entity uses a business associate to fulfill individual requests for access. The 30-day clock starts on the date that the covered entity receives a request for access, so any delay in obtaining the necessary information from a business associate or forwarding the request to the business associate for action “uses up” part of the allotted time. Alternatively, the 30-day clock starts when, instead of the covered entity, a business associate receives a request directly from an individual because the covered entity instructed the individual through its notice of privacy practices (or otherwise) to submit the access request directly to its business associate for processing.
  • The covered entity negotiates with the individual on the format of the response. Covered entities that spend significant time before reaching agreement with individuals on format are depleting the 30 days allotted for the response by that amount of time.
  • The PHI that is the subject of the request is old, archived, and/or not otherwise readily accessible.

These timelines are outer limits, and it is expected that many covered entities should be able to respond to requests for access well before these outer limits are reached. However, in cases where a covered entity is aware that an access request may take close to these outer time limits to fulfill, the entity is encouraged to provide the requested information in pieces as it becomes available, if the individual indicates a desire to receive the information in such a manner.

Content created by Office for Civil Rights (OCR)
Content last reviewed June 24, 2016
Back to top

Subscribe to Email Updates

Receive the latest updates from the Secretary and Press Releases.

Subscribe
  • Contact HHS
  • Careers
  • HHS FAQs
  • Nondiscrimination Notice
  • Press Room
  • HHS Archive
  • Accessibility Statement
  • Privacy Policy
  • Budget/Performance
  • Inspector General
  • Web Site Disclaimers
  • EEO/No Fear Act
  • FOIA
  • The White House
  • USA.gov
  • Vulnerability Disclosure Policy
HHS Logo

HHS Headquarters

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775​

Follow HHS

Follow Secretary Kennedy