What HIPAA's §164.524 Actually Requires

45 CFR §164.524 is one of HIPAA's clearest mandates. It says covered entities — hospitals, physicians, health plans, and their business associates — must provide patients access to their protected health information (PHI) upon request, in the format the patient chooses, within 30 days.

It sounds straightforward. In practice, OCR (the HHS Office for Civil Rights) consistently ranks access denials among the top five categories of HIPAA complaints it investigates. Providers fail in predictable ways: imposing excessive fees, demanding patients come in person, claiming records are "under review," or simply not responding within the deadline.

All of those are violations.

📋

What §164.524 covers

Physician notes, lab results, imaging reports, diagnostic reports, medication lists, immunization records, allergy lists, demographic information, billing records, care plans, and any other PHI a covered entity holds — except for a specific, narrow set of exclusions defined in §164.524(a)(1).

Format Requirements: Paper vs. Electronic Records

Patients have the right to receive their records in the format they request — whether that's paper or electronic. If a provider maintains records electronically, they must accommodate that format in the patient's request.

The 21st Century Cures Act and ONC's information-blocking rules have tightened this further. Since the 2020 and 2023 Cures Act updates, providers using EHRs certified to the 2015 Edition Cures Update (or later) must provide digital copies in the patient's chosen format: PDF, a structured data format like XML, or physical media like a USB drive at the patient's request.

Key points compliance teams should know:

  • Patient preference takes priority. If the patient wants electronic records and the provider maintains them electronically, the patient gets electronic records — not a printed PDF of a digital file.
  • Cannot require in-person pickup. Providers cannot condition access on the patient physically appearing at a clinic. Records must be provided by mail, secure email, patient portal, or a designated third party.
  • USB and physical media. If the patient requests records on a USB drive (particularly relevant for patients transferring to providers in countries with limited digital infrastructure), the provider should honor that request and include all requested PHI in a usable format.
  • EHR patient portal access. Many providers satisfy the electronic access requirement by directing patients to a portal. This is permissible as long as the portal allows the patient to access and download their complete record — not just view it.

State law may be stronger. HIPAA sets the federal floor. Many states — including California, Washington, and New York — have access rights that go further, with shorter response deadlines and lower fee caps. Compliance programs should track the applicable state standard, not just federal HIPAA.

The 30-Day Response Timeline — and When It Can Be Extended

The standard deadline is 30 calendar days from the date the provider receives the written request. Providers must act on the request on or before that date — not start working on it.

One extension is permitted under §164.524(b)(2), but only if the provider:

  • Provides written notice to the patient before the original deadline expires
  • Explains why the extension is necessary (e.g., records stored off-site, large volume of records)
  • Specifies the new expected completion date (no more than 30 additional days)
  • States the patient's right to file a complaint with OCR and the provider's point of contact for the appeal

Providers cannot chain extensions. A second extension requires restarting the clock or a new written agreement with the patient. Repeated unexplained delays constitute a willful neglect of HIPAA requirements — triggering higher penalties and mandatory corrective action plans.

Fees: What Providers Can and Cannot Charge

This is where providers most often overreach — and where patients most often give up. HIPAA allows cost-based fees only:

  • Permitted: Actual cost of preparing and delivering the copy — supplies, labor for copying/printing, postage, and the cost of media (USB drive, CD).
  • Not permitted: Fees for retrieving or searching for records. Staff time spent locating files is not billable to the patient.
  • Not permitted: Flat "administrative fees," "processing fees," or "records department fees" that don't correspond to actual costs.

For electronic records, the labor charge for copying and preparing the digital file is permissible — but not for retrieval. A provider cannot charge $25 for "administrative processing" on top of the actual copy cost.

Many state laws cap fees well below what HIPAA would allow. California caps paper copies at $0.25 per page and electronic copies at $0.25 per page (or the actual cost of a CD/USB). New York caps medical record fees for patients at $15 for the first 100 pages and $0.50 per page thereafter. When state law is more restrictive, state law controls.

For medical tourism patients: If a patient requests records to take to a provider in another country, the provider must provide them — and can only charge the actual preparation and delivery cost. A provider that inflates the fee for international records requests is violating HIPAA. Document all requests thoroughly.

Cross-Border Portability: When Patients Travel Home with Records

A US hospital treating a patient from Thailand, Singapore, or the EU must still honor the patient's HIPAA access rights. The patient's nationality and location after discharge do not change the provider's HIPAA obligations.

In practice, cross-border portability involves navigating multiple frameworks simultaneously:

  • HIPAA covers the US provider's obligations to provide access and allow transfer to a third party of the patient's choice.
  • Thailand PDPA (2019) and Singapore PDPA (2012, amended 2020) govern what the receiving provider can do with the records once they arrive — restrictions on cross-border transfer of health data without consent apply on the receiving side.
  • EU GDPR for patients from EU member states requires a lawful basis for any transfer of health data and may require additional safeguards (Standard Contractual Clauses) if the receiving country doesn't have an adequacy decision.
  • Information-blocking rules (ONC) apply to US providers — actively blocking or discouraging a patient from taking their records to an international provider is an information-blocking violation under 45 CFR Part 171.

For providers serving international patients, the compliance posture should be: honor the request completely, document the format and delivery method, and leave it to the receiving provider to handle their side's data protection requirements.

What to Do When a Provider Denies Access

Providers can deny access in a narrow set of circumstances — psychotherapy notes recorded by a mental health provider in the course of treatment, information compiled in reasonable anticipation of litigation, and certain other exclusions. Providers must give patients a written denial explaining the reason and their right to have the denial reviewed.

Patients have two parallel paths:

  1. Internal review. The provider must have a process for the patient to request a review of the denial. The denial review must be conducted by a licensed healthcare professional (not the same person who made the original denial decision).
  2. OCR complaint. Patients can file a complaint at hhs.gov/ocr or by mail to the HHS Office for Civil Rights. OCR investigates complaints and can require corrective action plans and impose civil monetary penalties. Filing is free.
  3. State complaint. If state law provides stronger access rights (which most do), patients can also file with their state health department or attorney general. State enforcement may be faster than federal OCR investigations.

Providers: If you receive an access request from a patient, document every step of your response — request received date, staff assigned, records located, copy prepared, shipped/delivered. If OCR investigates and finds a gap in your documented process, the penalty exposure is real. Digital consent and records management systems with audit trails make this documentation automatic.

How Veridoc Supports HIPAA Portability Compliance

Veridoc was built for the compliance workflows that portability rights create — not just consent management. The platform tracks access requests, records delivery confirmation, and maintains audit logs of every records transfer. When a patient requests their data, the compliance team has a complete, timestamped record of what was provided, in what format, and when.

For hospitals serving international patients, Veridoc supports multi-format record delivery, cross-border consent documentation (covering both the HIPAA access right and the receiving country's data protection requirements), and blockchain-verified audit trails that hold up in regulatory review.

See It In Action

Need to Manage Consent and Record Portability Across Borders?

Veridoc automates HIPAA access request tracking, multi-format record delivery, and cross-border portability documentation — with immutable audit trails your compliance team can present to any regulator.

Book a Personalized Demo →

Key Takeaways for Compliance Officers

Patient data portability under HIPAA is not optional and not discretionary. Compliance teams should audit their current access request workflow against these standards:

  • Do you have a documented process for acknowledging access requests and tracking them to completion within 30 days?
  • Is your fee schedule reviewed against state law caps — not just federal HIPAA allowances?
  • Do you accommodate electronic format requests, or do you default to paper-only?
  • Are your denial decisions documented with the specific regulatory basis cited, and do patients receive written explanations?
  • Do you have a documented internal review process for access denials that patients can invoke?
  • Do staff handling access requests receive annual training on §164.524 requirements?

OCR's enforcement trend is clear: access rights complaints are investigated, and violations carry real penalties. Building the right workflow now is cheaper than remediation later.