OCR Guidance: Timeliness

Individual Access and Timeliness

Patient requests for data are often time-sensitive, and a digital environment offers new opportunities for faster access. OCR’s Guidance explains the time limits for fulfilling requests and parameters for extensions, if appropriate. Explore the information about these processes below and then test your new knowledge with our quiz.

Ready to Test Your Knowledge? Take the Quiz!

Timeliness in Providing Access

“In providing access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part (if certain access may be denied as explained below), no later than 30 calendar days from receiving the individual’s request. See 45 CFR 164.524(b)(2)The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible. Indeed, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day to day operations.”¹

1. HHS: Health Information Privacy Division. (2016, February). 
Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524.”

Extension

“If a covered entity is unable to provide access within 30 calendar days — for example, where the information is archived offsite and not readily accessible — the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Only one extension is permitted per access request.”

In Short . . .

In Short

Under the HIPAA Privacy Rule, a covered entity must act on an individual’s request for access no later than 30 calendar days after receipt of the request.  If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days, as long as it provides the individual – within that initial 30-day period – with a written statement of the reasons for the delay and the date by which the entity will complete its action on the request.  See 45 CFR 164.524(b)(2).”

. . . Keep it Short

Keep it Short

“These timelines are outer limits, and it is expected that many covered entities should be able to respond to requests for access well before these outer limits are reached.  However, in cases where a covered entity is aware that an access request may take close to these outer time limits to fulfill, the entity is encouraged to provide the requested information in
pieces as it becomes available, if the individual
indicates a desire to receive the information
in such a manner.”

But What If...?

These timeliness requirements apply regardless of whether:

the PHI is maintained by Business Associates

“The PHI that is the subject of the request is maintained by the covered entity or by a business associate on behalf of the covered entity, or the covered entity uses a business associate to fulfill individual requests for access. The 30-day clock starts on the date that the covered entity receives a request for access, so any delay in obtaining the necessary information from a business associate or forwarding the request to the business associate for action “uses up” part of the allotted time.  Alternatively, the 30-day clock starts when, instead of the covered entity, a business associate receives a request directly from an individual because the covered entity instructed the individual through its notice of privacy practices (or otherwise) to submit the access request directly to its business associate for processing.”

The Format is Negotiated

“The covered entity negotiates with the individual on the format of the response.  Covered entities that spend significant time before reaching agreement with individuals on format are depleting the 30 days allotted for the response by that amount of time.”

The PHI is Not Readily Accessible

“The PHI that is the subject of the request is old, archived, and/or not otherwise readily accessible.”

Want More Details?

OCR answers some frequently asked questions:

  • Why Thirty Days?

    Why does HIPAA give covered entities 30 days to respond to individuals’ requests for access to their PHI?  In the digital age, allowing covered entities 30 days to provide individuals with access to their health information seems too long; individuals need this information promptly to manage their health and health care. 

    While some individual access requests should be fairly easy to fulfill (e.g., those that can be satisfied through the use of Certified EHR Technology), the HIPAA Privacy Rule recognizes that there may be other circumstances where additional time and effort may be necessary to locate and obtain the PHI that is the subject of the request, or to provide the PHI in the format requested or agreed to by the individual, or otherwise to act on the request.  The Privacy Rule is intended to set the outer time limit for providing access, not indicate the desired or best result, and it is expected that many covered entities should be able to respond to requests for access well before the 30 day outer limit.  Further, as technology evolves and PHI becomes more readily available via easy-to-use digital technologies, the ability to provide very prompt or almost instantaneous access to individuals will increase.  The Department will continue to monitor these developments.

  • EHR Incentive Program

    Under the EHR Incentive Program, participating providers are required to provide individuals with access to certain information on much faster timeframes (e.g., a discharge summary within 36 hours of discharge, a lab result within 4 business days after the provider has received the results) than under HIPAA.  How do these requirements operate together?

    Health care providers participating in the EHR Incentive Program may use the patient engagement tools of their Certified EHR Technology to make certain information available to patients quickly and satisfy their EHR Incentive Program objectives.  Doing so also has the added benefit of satisfying an individual’s request for access under HIPAA, where the PHI requested by the individual is available through the Certified EHR Technology, and the individual agrees to access the information in this way.  While the Privacy Rule permits a covered entity to take up to 30 calendar days from receipt of a request to provide access (with one extension for up to an additional 30 calendar days when necessary), covered entities are strongly encouraged to provide individuals with access to their health information much sooner, and to take advantage of technologies that enable individuals to have faster or even immediate access to the information.

  • Clinical Laboratory Reports & Timeliness

    In some cases, the 30-day timeframe from a request to provide an individual with access to her PHI may not be sufficient time for a clinical laboratory to complete the test report that is the subject of the individual’s request.  What can a clinical laboratory do in these cases?

    In those limited cases where, due to the nature of the test and the timing of the individual’s request, 30 calendar days may not be sufficient to complete a test report to which the individual has requested access, the laboratory may notify the individual in writing within the 30-day period of the need and specific reason for the delay in providing access to the completed test result and the date by which the laboratory will complete its action on the request, in accordance with § 164.524(b)(2)(iii) of the HIPAA Privacy Rule. The Privacy Rule allows only one extension on an access request and the extension may not exceed an additional 30 calendar days.

    Provide What is Available

    “In the rare circumstance where 60 calendar days is not sufficient to provide the individual with access to the completed test report requested by the individual, the covered laboratory may, at the end of the 60 day period, satisfy the access request by providing the individual with access to the PHI that does exist at the time (e.g., test requisitions, the underlying data being used to generate the reports, other completed test reports) in the designated record set.”

    Explain the Circumstances

    “However, to avoid this situation to the extent possible, in cases where the laboratory knows that a particular test report will take longer than the HIPAA access timeframes, we expect the laboratory to explain this circumstance to the individual. Upon informing individuals of this situation when they request access, the individuals may be willing to withdraw or hold their request until a later time to ensure that they get access to what they want or need. If an individual chooses not to withdraw his or her request for access, the individual will then have a right only to obtain the PHI in the designated record set at the time the request is fulfilled, which may not include the particular test report requested because it is not yet complete.”

Ready to Test Your Knowledge? Take the Quiz!
Next Section: Denying Requests

Patient Stories

Back To Top