Subject Access Request Form Template for the United States
What is a Subject Access Request Form?
The Subject Access Request Form has become increasingly important in the U.S. privacy landscape as individuals seek greater control over their personal data. This document is designed to facilitate compliance with various U.S. privacy regulations, including federal laws like HIPAA and state laws like the CCPA. Organizations use this form to process requests from individuals seeking to access, review, or receive copies of their personal information. The form typically includes sections for identity verification, specific data request details, and preferred response formats, ensuring a structured and compliant process for handling personal data access requests.
Frequently Asked Questions
Is a Subject Access Request Form legally binding in the United States?
Yes, a properly completed Subject Access Request Form creates legal obligations for organizations under federal laws like HIPAA and the Privacy Act, as well as state laws like the CCPA. Organizations are typically required to respond within specific timeframes (30-45 days for CCPA, 60 days for Privacy Act) and may face penalties for non-compliance. The form itself establishes your formal right to access personal information held about you.
How long does it take to complete a Subject Access Request Form?
A basic Subject Access Request Form typically takes 15-30 minutes to complete, depending on how specific your request is and what documentation you need to gather. You'll need time to clearly describe the information you're seeking, provide identity verification documents, and specify the time period for your request. More complex requests involving multiple data categories may take longer to articulate properly.
Can organizations in the US refuse my Subject Access Request if the form is incomplete?
Yes, organizations can refuse or delay processing your Subject Access Request if the form lacks essential information like proper identity verification, specific description of requested data, or required contact information. Under most US privacy laws, organizations have the right to request clarification or additional information before processing your request. This is why completing all required sections accurately is crucial for timely processing.
How is a Subject Access Request different from a Freedom of Information Act (FOIA) request?
A Subject Access Request seeks your personal information held by any organization (private companies, healthcare providers, etc.), while FOIA requests seek government records from federal agencies that may not contain your personal data. Subject Access Requests are governed by privacy laws like HIPAA and CCPA, whereas FOIA requests fall under transparency laws. FOIA requests also have different processing timelines and fee structures.
Which US privacy laws require organizations to honor Subject Access Requests?
Federal laws like HIPAA (for healthcare information) and the Privacy Act (for federal agency records) require organizations to respond to Subject Access Requests. State laws including the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), and similar laws in other states also mandate access rights. The specific law that applies depends on the type of organization and data involved.
Can I request someone else's personal information using a Subject Access Request Form?
No, Subject Access Request Forms are designed for individuals to access only their own personal information. You cannot use these forms to obtain another person's data unless you have legal authority such as power of attorney, guardianship, or are the parent of a minor child. Organizations will require proof of identity and legal authority before releasing anyone else's personal information.
Why do organizations charge fees for processing Subject Access Requests in the US?
US privacy laws generally allow organizations to charge reasonable fees to cover administrative costs of processing Subject Access Requests, though many provide the first request free annually. Fees typically apply to extensive searches, copying costs, or repeated requests. CCPA limits fees to actual costs, while HIPAA allows reasonable copying and postage fees. Always ask about fee structures before submitting your request.
About the Subject Access Request Form
A Subject Access Request Form is a legal document that allows you to formally request access to personal information that organizations hold about you. Under various United States privacy laws, you have the right to know what data companies collect, how they use it, and in many cases, obtain copies of your personal information. This form provides a standardized way to exercise these rights while ensuring organizations can process your request efficiently and in compliance with applicable regulations.
When do you need this document?
You need this form whenever you want to access personal information held by organizations subject to U.S. privacy laws. Healthcare providers must respond to requests under HIPAA, allowing you to access your medical records and health information. Credit reporting agencies must provide your credit report under the Fair Credit Reporting Act (FCRA). Educational institutions must grant access to student records under FERPA. In California, businesses covered by the CCPA must disclose what personal information they collect and how they use it. Federal agencies must respond to requests under the Privacy Act of 1974. You may also need this form when investigating identity theft, reviewing employment records, or understanding how businesses use your data for marketing purposes.
Key legal considerations
The identity verification section is crucial because organizations must confirm your identity before releasing personal information to prevent unauthorized disclosure. You'll typically need to provide government-issued identification and may need to include additional verification if requesting information on behalf of someone else. The data request details section should be specific about what information you're seeking and the time period involved, as this helps organizations locate relevant records efficiently. Be aware that organizations may charge reasonable fees for processing requests, particularly for extensive searches or multiple copies. Response timeframes vary by law – HIPAA allows 30 days, while the CCPA requires responses within 45 days. Some information may be exempt from disclosure, such as data that would compromise others' privacy or reveal trade secrets.
Legal requirements in United States
Under HIPAA, covered entities must provide access to protected health information within 30 days and may charge reasonable copying fees. The FCRA requires consumer reporting agencies to provide free annual credit reports and respond to requests within 15 days. FERPA gives parents and eligible students the right to inspect education records within 45 days of a request. The California Consumer Privacy Act grants California residents the right to know what personal information businesses collect and requires responses within 45 days, with possible 45-day extensions. Federal agencies under the Privacy Act must respond within 10 working days, though extensions are common for complex requests. Organizations must verify your identity using reasonable methods, which may include requiring notarized signatures for sensitive information. If you're requesting information on behalf of someone else, you'll need proper authorization, such as a power of attorney or written consent from the data subject.
GOVERNING LAW
Applicable law
This Subject Access Request Form is drafted to comply with United States law. Key legislation includes:
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it