In the NPRM, we proposed to require covered health care providers and health plans to provide a means for individuals to request access to protected health information about them. We proposed to require covered health care providers and health plans to take action on a request for access as soon as possible, but not later than 30 days following the request.
As in the proposed rule, the final rule requires covered entities to permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. We additionally permit covered entities to require individuals to make requests for access in writing, if the individual is informed of this requirement.
In the final rule, we eliminate the requirement for the covered entity to act on a request as soon as possible. We recognize that circumstances may arise in which an individual will request access on an expedited basis. We encourage covered entities to have procedures in place for handling such requests. The time limitation is intended to be an outside deadline, rather than an expectation.
In the final rule, covered entities must act on a request for access within 30 days of receiving the request if the information is maintained or accessible on-site. Covered entities must act on a request for access within 60 days of receiving the request if the information is not maintained or accessible on-site. If the covered entity is unable to act on a request within the applicable deadline, it may extend the deadline by no more than 30 days by providing the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request. This written statement describing the extension must be provided within the standard deadline. A covered entity may only extend the deadline once per request for access. This provision permits a covered entity to take a total of up to 60 days to act on a request for access to information maintained on-site and up to 90 days to act on a request for access to information maintained off-site.
The requirements for a covered entity to comply with or deny a request for access, in whole or in part, are described below.