
The 30-day HIPAA records release deadline: a small-practice playbook

The short answer: Under HIPAA, a covered entity has 30 calendar days from the date a patient submits a written request to provide a copy of their records, with one 30-day extension allowed if you give written notice. State laws may be stricter. For a small practice, the hard part is not the deadline itself — it is knowing, on any given Tuesday, which open requests are at day 14 and which are at day 28.

This is the operating playbook a 1–20 person practice can adopt without buying enterprise software. The first version was assembled from HHS Office for Civil Rights (OCR) guidance, ChartRequest and HealthMark Group public process docs, and the experience of medical practices that have actually been audited under the Right of Access Initiative. It is opinionated. It is meant to be followed.

What HIPAA actually requires

The relevant law is 45 CFR § 164.524 — the HIPAA Privacy Rule’s “right of access” provision. Two facts most practice administrators get wrong:

  • The clock starts when the request is received, not when staff get around to opening it. A request that arrives by fax on Friday and gets logged Monday morning has already burned three days. The HIPAA clock does not care about weekends.
  • The 30 days are calendar days, not business days. A request received on June 1 is due by June 30, regardless of holidays or weekends.

OCR can grant a one-time 30-day extension if you provide written notice to the patient explaining the delay and committing to a new deadline. You can only use the extension once per request. Repeat use of extensions or systematic late delivery is exactly the pattern that triggers Right of Access Initiative enforcement.

The four states a request can be in

Every records request is in one of four states at any time. If your tracking system cannot tell you which is which, you do not have a tracking system — you have a hope.

  1. Pending intake. Received but not yet logged. Should never exceed 24 hours.
  2. Needs cure. Logged but missing a valid authorization (unsigned, expired, wrong scope). Patient or requester has been contacted; clock keeps running.
  3. In fulfillment. Authorization is valid; staff is assembling the records.
  4. Released. Records delivered through your secure channel; audit trail closed.

The four-step routine (Day 0 through Day 30)

Day 0 — intake within 4 hours

Every inbound channel (fax tray, patient portal, email inbox, paper at the front desk) is checked at least twice a day. New requests are logged immediately with the date received, the requester, the scope of records, and the deadline. The deadline is set from the date received, not from the date entered. If you log Friday’s fax on Monday, backdate it accurately — that is not gaming the system, that is honesty about when the clock actually started.

Day 1–3 — authorization check + assignment

Confirm the authorization is valid: signed by the patient or their personal representative, within its expiration window, scoped to a specific set of records, and from a party with legal standing. If anything is missing, move the request to “needs cure” and contact the requester within one business day. The HIPAA clock does not reset — you have to cure inside the same 30 days.

Once the authorization is valid, assign the request to a custodian. The custodian is the staff member who pulls the records from your EHR or paper chart. For a small practice, this is usually a designated medical assistant or the practice manager. For a multi-location group, the custodian should be at the location where the records actually live.

Day 4–14 — fulfill

The custodian pulls the records, verifies completeness against the request scope, and prepares them for delivery. This is the step that takes the longest because it is the one that requires the most attention. The two most common mistakes are over-release (including records outside the requested scope, which is a privacy violation in the opposite direction) and under-release (missing portions that were in scope, which means the requester comes back with a second request and the clock starts over).

A supervisor or privacy officer should see a dashboard view of every active request by day 10. If anything is at risk — a complex chart, a paper-only patient, a missing piece — that is when you have time to react.

Day 15–28 — approve + release

The approver (typically the practice’s privacy officer or a designated supervisor) reviews the assembled records for scope accuracy and delivery method. Once approved, release happens through your secure channel: the patient portal, encrypted email, secure file transfer, or a physical envelope hand-delivered to a verified requester. Each release event is logged with a timestamp, the staff member who released, the delivery method, and a confirmation receipt where one is available.

Day 29–30 — extension or proof of release

If you released on time, the request is closed and the audit trail is complete. If you cannot release on time, send the written extension notice before day 30 — not after. The notice must include the reason for the delay and a specific new deadline within 60 days of the original request. After that, you have used your one extension; further delay is non-compliance.

The four common edge cases

1. The requester wants paper, but the records are electronic

You can charge a reasonable cost-based fee for the copy. You cannot deny the format unless production is technically not feasible. “Our EHR doesn’t do that” usually does not count as not feasible.

2. A patient asks for records to be sent to a third party (attorney, payer)

This is a different track than a self-access request. The authorization rules are stricter, and you can charge more — but you still owe the response in 30 days.

3. The request is for psychotherapy notes

Psychotherapy notes have a special carve-out under § 164.524(a)(1)(i): you are not required to release them to the patient. You can still release them at your discretion, but you can also deny — with a written denial that explains the reason. Most practices do not have psychotherapy notes that fall under this exception; check before assuming you do.

4. The patient is a minor

Whose authorization governs depends on state law and the specific service. In most states the parent has access to a minor’s records until age 18, with carve-outs for reproductive care, mental health, and substance-use treatment. When in doubt, consult your privacy officer.

What an OCR investigator asks for

If OCR opens an investigation — usually because a patient complained about not receiving their records — they will typically request:

  1. A list of all access requests received in the past 12–24 months
  2. The response timeline for each: date received, date of authorization validation, date of fulfillment, date of release
  3. A copy of every denial issued, with the legal basis cited
  4. Your practice’s written Release of Information policy and HIPAA training records for the staff handling ROI

The practical implication: you need to be able to produce a structured export of #1, #2, and #3 in under a business day. A folder of paper requests does not satisfy this. Neither does a spreadsheet that has been edited and overwritten. An immutable audit trail with timestamped state changes does.
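As an added illustration (not part of the original post or of RCMTask), the Day 0 through Day 30 routine and the immutable-audit-trail requirement above can be expressed as a small register: deadlines computed in calendar days from the date received, the four states with their allowed transitions, a single extension capped at 60 days, a day-25 flag, and a hash-chained log that reveals any edited or deleted entry. It assumes the receipt day counts as day 1 (the conservative reading that makes June 1 fall due on June 30, as in the example above); the class and function names are this example's own.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib, json

# Constructed example: applies the playbook's rules (30 calendar days from the
# date received, one extension, new deadline within 60 days of receipt, day-25
# dashboard flag) and keeps a hash-chained, append-only audit trail.
TRANSITIONS = {"pending_intake": {"needs_cure", "in_fulfillment"}, "needs_cure": {"in_fulfillment"},
               "in_fulfillment": {"needs_cure", "released"}, "released": set()}
def _digest(entry: dict) -> str:   # hash of an entry minus its own hash field
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class AccessRequest:
    request_id: str
    received: date                   # date received, not date logged
    state: str = "pending_intake"
    extended: bool = False
    audit: list = field(default_factory=list)
    @property
    def deadline(self) -> date:      # receipt day is day 1: June 1 -> June 30
        return self.received + timedelta(days=59 if self.extended else 29)
    def _log(self, event: str, on: date, **detail) -> None:
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"on": on.isoformat(), "event": event, "prev": prev, **detail}
        entry["hash"] = _digest(entry)          # chains to the previous entry
        self.audit.append(entry)
    def move(self, new_state: str, on: date, actor: str) -> None:
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.state} -> {new_state} is not allowed")
        self._log("state", on, old=self.state, new=new_state, actor=actor)
        self.state = new_state
    def extend(self, on: date, reason: str) -> date:
        if self.extended or on > self.deadline:   # once only, and not after day 30
            raise ValueError("extension unavailable")
        self.extended = True
        self._log("extension", on, reason=reason, due=self.deadline.isoformat())
        return self.deadline
    def at_risk(self, today: date) -> bool:      # dashboard flag from day 25
        return self.state != "released" and (today - self.received).days + 1 >= 25

def audit_intact(req: AccessRequest) -> bool:  # recompute the chain; edits break it
    prev = "0" * 64
    for e in req.audit:
        if e["prev"] != prev or _digest(e) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

Exporting `req.audit` as CSV or JSON gives the per-request timeline (received, validated, fulfilled, released) an investigator asks for, and `audit_intact` lets you prove the export was not edited after the fact.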

How RCMTask handles each step

Every step of the playbook above corresponds to a feature in RCMTask’s Release of Information module:

  • Intake — a single form with the receiving channel logged, the deadline set automatically from the date received, and the request moved to “Pending intake” status until logged.
  • Authorization check — required fields enforce the validity criteria; missing fields move the request to “needs cure” automatically with a notification to the requester.
  • Custodian assignment — role/location/department permissions route the request to the right staff member without manual escalation.
  • Approver review — a separate approval step with a documented sign-off, configurable to skip for low-risk requests on practices with limited staff.
  • Release — the release event is captured with method, recipient, and timestamp; the audit trail closes the request.
  • Extension — if the request hits day 25 without release, RCMTask surfaces it on the dashboard and prompts the extension-notice workflow.
  • Audit export — the full register exports to PDF or CSV, formatted for OCR document requests.

The whole module is included in the $250 Activation. There are no per-request fees. The same dashboard tracks the practice’s other back-office work — eligibility, prior auth, denials, HIPAA training — so the privacy officer has one view instead of five.

Frequently asked questions

What if our EHR has a release-of-information feature already?

Most EHR ROI features are “push records out” tools, not “manage the request lifecycle” tools. They typically do not track the 30-day clock as a workflow object, do not route through custodian and approver, and do not produce a per-request audit trail. RCMTask sits on top of your EHR: pull the records there, track the request here.

Do we need to start fresh, or can we import open requests?

You can import. Open and recent-closed requests come in as CSV; the 30-day clock is recalculated from each request’s original received-date so deadlines do not reset. Most practices migrate over a 1–2 week window with the old system in read-only mode.

What if we use an outsourced ROI service?

Outsourced services move the work off your team but rarely give you the visibility you need to satisfy an audit. RCMTask is appropriate when you want the workflow controlled in-house. Some practices use both: outsource the actual record-pulling for high-volume periods, but keep the tracking, authorization-check, and audit trail in-house.

How long does the audit trail need to be retained?

HIPAA requires retention of policies, procedures, and required-by-rule documentation for six years from the date of creation or the last date in effect. RCMTask retains the audit trail for the HIPAA-mandated six years by default; longer retention is configurable for practices subject to stricter state law.

Last updated 2026-05-29 to reflect current HHS Office for Civil Rights guidance and the 2026 HIPAA Security Rule update.

Try RCMTask free.

A free Sandbox with demo data. Activate ($250) when you're ready to run real workflows. No card, no time limit.