How many days must a facility respond to requests for access to PHI?

Under the HIPAA Privacy Rule, a covered entity is required to respond to requests for access to protected health information (PHI) within a specific timeframe. The correct answer reflects that the entity must respond to access requests within 30 days of receiving the request. If the entity is unable to fulfill the request within that timeframe, they may extend the response period for an additional 30 days, provided they notify the individual of the delay and the reason for it.

The choice indicating 60 days misunderstands the allowable additional extension, as it combines the original period with the extension, rather than indicating the timeline for the initial response. Therefore, understanding the rules around these timelines is crucial for entities managing patient information and ensuring compliance with HIPAA regulations.