HIPAA Right of Access (164.524) and AI Agents Handling Record Requests

OCR's Right of Access Initiative has resolved more than 50 cases since 2019. The fact pattern is almost always the same: patient asked for records, got bounced or charged too much, complained, and OCR fined the practice. AI agents can be the fix or the next defendant.

What the law actually says

flowchart LR
  Voice[Voice call] --> Redact[PII / PHI redaction]
  Redact --> LLM[LLM with BAA]
  LLM --> Resp[Response]
  Resp --> Sanitize[Remove non-needed PHI]
  Sanitize --> Caller[Caller]
  Resp --> AuditDB[(Audit DB)]

45 CFR 164.524 establishes an individual's right to inspect and obtain a copy of protected health information about themselves in a designated record set. The covered entity must act on the request no later than 30 days after receipt under 164.524(b)(2)(i), with a single 30-day extension permitted with written notice. The Privacy Rule at 164.524(c)(2) requires the form and format requested if readily producible, including electronic format if the records are maintained electronically. Fees are limited under 164.524(c)(4) to a reasonable, cost-based fee covering labor for copying, supplies, postage, and preparation of an explanation or summary if requested.

OCR's Right of Access Initiative has produced at least 54 resolved enforcement actions through 2026, with civil monetary penalties typically ranging from $3,500 to $200,000 per violation. The most common failure modes: not responding within 30 days, charging more than the cost-based fee, refusing electronic format, and refusing access to a personal representative.

The proposed Privacy Rule modifications under the December 2020 NPRM (still pending as of 2026) would shorten the response timeline to 15 days. Practices building today should design for 15.

What this means for AI voice and chat agents

An AI voice agent that takes record requests is a perfect fix for the OCR pattern — when designed correctly. The agent can capture the request, verify the requester's identity under 45 CFR 164.514(h), confirm the form and format requested, log the receipt timestamp, and route to the records team with a 30-day SLA already on the clock. An agent designed badly can do the opposite: ignore the request as a "general inquiry," fail to log it, or quote a fee that does not match the cost-based standard.

The personal-representative path is the highest-risk slice. Parents, spouses, durable-power-of-attorney holders, and estate executors all have lawful access in defined scenarios under 45 CFR 164.502(g). The agent has to recognize the request, verify the representative's authority, and not over-disclose. A common failure: the agent reads back the patient's chart to a spouse who is not the personal representative because they "have the same last name."

How CallSphere implements

CallSphere's Healthcare Voice Agent has a dedicated record-request intent recognized at intake. The agent captures the requester's identity, verifies them against healthcare_voice records, classifies the request (self vs personal representative vs third party with authorization), confirms the form and format, and creates a tracked ticket with a 30-day deadline (15-day deadline configurable for practices preparing for the proposed shortening). The audit trail captures every step: receipt timestamp, identity-verification method, classification, fee quoted, fee basis (cost-based or flat), and final delivery timestamp. Sentiment and lead scores still run, and a post-call AI summary documents what the patient asked for. Practices fielding heavy record-request volume should review /industries/healthcare and start with a 14-day trial. Pricing on /pricing.

Compliance and build checklist

1. Recognize "I want my records" as a record-request intent at intake — never as a general inquiry.
2. Capture the receipt timestamp, requester identity, and form/format requested in writing.
3. Verify identity under 45 CFR 164.514(h) — DOB plus one factor, or photo ID for in-person.
4. Recognize personal-representative status (parent, POA, executor) and verify authority.
5. Track the 30-day clock from the receipt timestamp, not from the records-team triage.
6. Configure for 15-day response in case the proposed Privacy Rule modification finalizes.
7. Quote only cost-based fees under 164.524(c)(4) — labor, supplies, postage, summary if requested.
8. Deliver in the requested electronic format if readily producible.
9. Log every denial and the basis (psychotherapy notes 164.524(a)(1), legal-proceeding records 164.524(a)(1)(ii)).
10. Notify the patient in writing of any 30-day extension under 164.524(b)(2)(ii).
11. Audit response timing monthly and remediate trends fast — OCR pattern enforcement looks for repeats.

FAQ

What is the deadline today? 30 days under 45 CFR 164.524(b)(2)(i), with one 30-day extension on written notice. The pending proposal would shorten to 15 days.

Can the AI agent collect a fee? It can quote a cost-based fee. It must not quote a flat fee that exceeds the labor-supplies-postage limit unless the patient prospectively agrees in writing.

What about electronic records? 164.524(c)(2)(ii) requires electronic format if requested and readily producible. PDF on a portal usually qualifies; faxed paper does not.

What if the patient wants psychotherapy notes? Those are excluded from the right of access under 164.524(a)(1)(i). The agent should explain politely and document the response.

Can a personal representative get the records? Yes under 45 CFR 164.502(g) when their authority is verified. The agent must verify, not assume.

Sources

• 45 CFR 164.524, Access of individuals: https://www.ecfr.gov/current/title-45/section-164.524
• 45 CFR 164.502(g), Personal representatives: https://www.ecfr.gov/current/title-45/section-164.502
• HHS, Right to Access FAQs: https://www.hhs.gov/hipaa/for-professionals/faq/right-to-access-and-research/index.html
• HHS, Resolution Agreements (Right of Access Initiative): https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
• HHS, Individuals' Right under HIPAA to Access their Health Information: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html