Federal law gives you a clear legal right to access your own medical records. Under the HIPAA Privacy Rule, healthcare providers and health plans must provide you with a copy of your health information within 30 calendar days of your request. A separate federal law, the 21st Century Cures Act, strengthens this by requiring that you can access all of your electronic health information at no cost. Together, these laws form the baseline for medical records release across the United States, though your state may offer even stronger protections.
What HIPAA Requires
The HIPAA Privacy Rule applies to “covered entities,” which includes most healthcare providers, hospitals, clinics, and health insurance plans. When you request your records, these entities must give you access to what’s called a “designated record set.” This covers your medical records, billing records, enrollment and claims records from your health plan, and any other records the entity used to make decisions about your care.
You have the right to inspect your records in person, obtain a copy, or both. You can also direct the provider to send a copy to a third party of your choice, such as another doctor, a lawyer, or a family member. The request doesn’t need to be complicated. Most providers have a standard form, but HIPAA doesn’t require you to use one. A written request is typically sufficient.
Deadlines for Fulfilling Your Request
A covered entity must act on your request no later than 30 calendar days after receiving it. If the provider can’t meet that deadline, they can take an additional 30 days, but only if they notify you in writing during that initial 30-day window. That written notice must explain the reason for the delay and give you a specific date by which they’ll complete the request. There is no option for further extensions beyond this one-time 30-day addition.
What Providers Can Charge
Providers can charge you a fee for copies, but HIPAA strictly limits what that fee can include. The only allowable costs are labor for physically creating the copy (paper or electronic), supplies like paper, toner, or a USB drive if you request portable media, and postage if you want the records mailed. That’s it.
Notably, providers cannot charge you for searching for your records, retrieving them from storage, reviewing the request, or verifying your identity. They also can’t pass along system maintenance costs, data storage fees, or any labor spent ensuring HIPAA compliance. The Department of Health and Human Services has clarified this point repeatedly because overcharging has been a common problem. Under the 21st Century Cures Act, electronic access to your records through a patient portal must be free.
When a Provider Can Deny Access
There are limited situations where a provider can legally withhold records. The most common exceptions involve psychotherapy notes and safety concerns. Psychotherapy notes, which are a therapist’s personal session notes kept separate from your main medical chart, are specifically excluded from the right of access. However, you still have the right to access the underlying clinical information in your regular medical record, such as diagnoses, treatment plans, and medication lists.
A provider can also deny access if a licensed healthcare professional determines that releasing the information is reasonably likely to endanger your life or physical safety, or someone else’s. HHS gives the example of a suicidal patient whose provider judges that certain information could lead the patient to self-harm. General concerns about emotional upset are not enough. A provider cannot withhold records simply because they think you won’t understand the information or might be distressed by it.
If your request is denied on these grounds, you have the right to have the denial reviewed by a different licensed professional within the same organization who was not involved in the original decision.
Electronic Access and Information Blocking
The 21st Century Cures Act added a powerful layer to your rights. It prohibits “information blocking,” which is any practice by a provider, health IT company, or health information network that interferes with your ability to access, exchange, or use your electronic health information. This means your provider cannot delay releasing electronic records unnecessarily or create barriers that discourage you from requesting them.
When it comes to format, providers must deliver electronic records in a computable, machine-readable form. This can include standard clinical document formats, spreadsheet-style files, or even PDFs, as long as the PDF is structured so the data can be read by other software. The law doesn’t require a specific file type, but it does require that whatever you receive is genuinely usable, not just a scanned image.
Access by Family Members and Representatives
HIPAA extends access rights to “personal representatives,” not just the patient. If you have legal authority to make healthcare decisions for someone, such as a parent for a minor child, a court-appointed guardian, or a healthcare power of attorney for an incapacitated adult, you generally have the same right to access that person’s records as they would have themselves. Executors or administrators of a deceased person’s estate can also request records.
You can also simply direct your provider to send your records to anyone you choose. This doesn’t require the other person to have legal authority. Your written authorization is enough to trigger the provider’s obligation to transmit the records to the person or entity you name.
How State Laws Interact With HIPAA
HIPAA sets a federal floor, not a ceiling. State laws that provide stronger privacy protections or broader access rights override HIPAA’s requirements. In practice, this means some states require faster turnaround times, cap fees at lower amounts, or grant additional rights not found in federal law. For example, some states set specific per-page rates for paper copies, while others require electronic copies to be provided within fewer than 30 days.
When a state law conflicts with HIPAA and offers less protection to the patient, HIPAA wins. When the state law gives you more rights, the state law wins. This means the answer to “how long can my provider take?” or “how much can they charge?” can vary depending on where you live. Your state health department or attorney general’s office typically publishes the specific rules that apply in your state.
What Happens When Providers Don’t Comply
The Office for Civil Rights (OCR) at HHS enforces HIPAA, and denial of patient access to records is one of the most common complaints it receives. It ranks among the top five most frequently reported HIPAA violations. OCR has settled or imposed penalties in 147 cases to date, totaling nearly $144 million in fines across all types of HIPAA violations.
If a provider ignores your request, charges excessive fees, or refuses to release records without a valid legal reason, you can file a complaint with OCR through the HHS website. OCR investigates these complaints and has the authority to require corrective action or impose financial penalties. Many providers respond quickly once they learn a formal complaint has been filed.