Yes, in most cases it is illegal for a healthcare provider to withhold your medical records. Federal law gives you a clear right to inspect and obtain copies of your health information, and providers who refuse or delay access can face financial penalties ranging from $15,000 to $200,000. The government has actively enforced this right through dozens of settlement actions since 2019.
Your Federal Right to Your Records
Under the HIPAA Privacy Rule (specifically 45 CFR 164.524), you have the right to access and obtain copies of your protected health information held in a provider’s record system. This applies to hospitals, doctor’s offices, clinics, pharmacies, health plans, and any other entity covered by HIPAA. The right lasts for as long as the provider maintains those records.
Once you submit a request, the provider must act on it within 30 days. They can require that your request be in writing, but they have to tell you about that requirement. If you want your records in a specific format, such as an electronic file or a paper copy, the provider must deliver them that way if it’s reasonably possible. If it’s not, they need to work with you to agree on an alternative readable format.
Unpaid Bills Cannot Be Used as Leverage
One of the most common reasons providers try to withhold records is an outstanding balance. This is explicitly not allowed. The Department of Health and Human Services has stated directly that a provider may not withhold or deny access to your health information because you haven’t paid a medical bill. This holds true even if the provider applies your records fee payment toward your unpaid balance instead of processing it as a copy fee. Your right to your records exists independently of any billing dispute.
What Providers Can Legally Withhold
There are a few narrow exceptions where a provider can deny access to specific types of information:
- Psychotherapy notes. These are a therapist’s private notes from counseling sessions, kept separately from the rest of your medical record. They don’t include things like your diagnosis, treatment plan, medication information, session times, or progress summaries. Those items are part of your regular medical record and must be provided on request. Only the therapist’s personal session notes receive this extra protection.
- Litigation materials. Information compiled in anticipation of a lawsuit or legal proceeding, whether civil, criminal, or administrative, can be withheld.
Outside of these categories, a provider has very little legal ground to refuse your request.
Fees Providers Can Charge
Providers are allowed to charge a reasonable, cost-based fee for copies of your records. This fee can only cover the cost of labor for copying, supplies like paper or a USB drive, and postage if you’ve asked for mailed copies. It cannot include costs for searching or retrieving the records.
For electronic copies of records maintained electronically, providers have the option of charging a flat fee of up to $6.50 instead of calculating actual costs. This flat rate is a convenience option, not a mandatory cap. Some providers may charge less, and others may calculate their actual costs, which could be slightly different. But the fee must stay within what HIPAA considers reasonable. A provider charging hundreds of dollars for basic record copies is likely violating the rule.
State Laws May Give You Stronger Protections
HIPAA sets a federal floor for your privacy rights, not a ceiling. If your state has a law that gives you greater access to your records, such as a shorter response deadline or lower allowable fees, that state law applies alongside HIPAA. Both must be followed, and the provider must meet whichever standard is more protective of your rights. This means the specific timeline and cost limits you’re entitled to can vary depending on where you live, so it’s worth checking your state’s health information laws if you’re running into resistance.
The Government Actively Enforces This
This isn’t a rule that exists only on paper. The HHS Office for Civil Rights launched its Right of Access Initiative in 2019 and has since resolved more than two dozen enforcement actions against providers who failed to give patients their records in a timely manner. Penalties have been substantial. In March 2025, Oregon Health & Science University was hit with a $200,000 penalty for failing to provide timely access. A mental health center received a $100,000 penalty in November 2024. A dental practice paid $70,000 in October 2024. Smaller practices haven’t been exempt either, with settlements in the $15,000 to $80,000 range for individual provider offices, labs, and nursing facilities.
The pattern is clear: providers across every specialty and size, from large health systems to solo dental practices, have faced consequences for ignoring or delaying record requests.
What to Do if Your Records Are Being Withheld
Start by submitting your request in writing, either on paper or through the provider’s patient portal. Be specific about what records you want and in what format. Note the date you submitted the request, because the 30-day clock starts ticking at that point.
If the provider ignores your request, delays beyond 30 days, demands payment of an unrelated medical bill first, or charges an unreasonable fee, you can file a complaint with the HHS Office for Civil Rights. The complaint can be submitted online through the HHS OCR complaint portal. You don’t need a lawyer to file, and there’s no cost. OCR investigates these complaints and, as the enforcement record shows, regularly takes action that results in financial penalties and corrective action plans against non-compliant providers.
Keep copies of your written request, any responses you receive, and notes on phone calls or in-person conversations. This documentation strengthens your complaint if you need to escalate.