Why does HIPAA give covered entities 30 days to respond to individuals’ requests for access to their PHI? In the digital age, allowing covered entities 30 days to provide individuals with access to their health information seems too long; individuals need this information promptly to manage their health and health care.
While some individual access requests should be fairly easy to fulfill (e.g., those that can be satisfied through the use of Certified EHR Technology), the HIPAA Privacy Rule recognizes that there may be other circumstances where additional time and effort may be necessary to locate and obtain the PHI that is the subject of the request, or to provide the PHI in the format requested or agreed to by the individual, or otherwise to act on the request. The Privacy Rule is intended to set the outer time limit for providing access, not indicate the desired or best result, and it is expected that many covered entities should be able to respond to requests for access well before the 30 day outer limit. Further, as technology evolves and PHI becomes more readily available via easy-to-use digital technologies, the ability to provide very prompt or almost instantaneous access to individuals will increase. The Department will continue to monitor these developments.