Under the HIPAA Privacy Rule, a covered entity must act on an individual’s request for access no later than 30 calendar days after receipt of the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days, as long as it provides the individual – within that initial
30-day period – with a written statement of the reasons for the delay and the date by which the entity will complete its action on the request. See 45 CFR 164.524(b)(2). These timelines apply regardless of whether:
These timelines are outer limits, and it is expected that many covered entities should be able to respond to requests for access well before these outer limits are reached. However, in cases where a covered entity is aware that an access request may take close to these outer time limits to fulfill, the entity is encouraged to provide the requested information in pieces as it becomes available, if the individual indicates a desire to receive the information in such a manner. Content created by Office for Civil Rights (OCR) What is the timeframe for providing a consumer with an electronic copy once a written request is received?Under the HIPAA Privacy Rule, a covered entity must act on an individual's request for access no later than 30 calendar days after receipt of the request.
How soon does written patient requests for electronic health records must be fulfilled?e. How long does a covered entity have to deliver a patient's requested records? A covered entity must produce records 30 days from the date of request. HIPAA allows a covered entity one 30-day extension if it provides written notice to the patient stating the reason for the delay and the expected date.
How long does the covered entity have to notify the consumer?A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.
For what period of time may an individual request an accounting of the disclosures of his or her PHI made by a covered entity?An individual may request a HIPAA accounting of disclosures of PHI for a period of time less than six years from the date of the request. If such request is made, the accounting must include disclosures of PHI that occurred during this shorter time period.
|