HIPAA gives every patient a right of access to their medical and billing records, with only narrow exceptions (psychotherapy notes, for instance), and providers must respond within 30 days. Yet most patients don't know what to request, where to ask, or what they can legally be charged. BillKarma's analysis found that 28% of billing errors are only detectable by comparing the medical record to the itemized bill, so your records are not just a right, they are a financial protection tool.
1. What records you can request
HIPAA covers your entire "designated record set" — anything a provider uses to make decisions about your care or billing. In practice, you can request:
| Record type | What it contains | Why it matters for billing |
|---|---|---|
| Progress notes | Physician and nurse documentation of each encounter | Confirms the services actually delivered vs. what was billed |
| Discharge summary | Summary of inpatient stay, diagnoses, treatment | Verifies admission/discharge dates and diagnosis codes |
| Lab results | Blood work, urinalysis, pathology reports | Confirms tests were ordered and performed |
| Imaging reports | Radiology reads for X-rays, CT, MRI, ultrasound | Confirms imaging billed was actually interpreted |
| Operative notes | Surgeon's documentation of procedures performed | Catches CPT code upcoding and phantom procedures |
| Medication administration record (MAR) | Every drug given, dose, time | Catches drugs billed but not administered |
| Billing records | Charges, CPT codes, ICD-10 codes, claim forms | Direct comparison to itemized bill |
| Insurance EOB | Explanation of benefits from your insurer | Shows what was billed vs. what was allowed vs. what you owe |
You can request all of these, or just the ones relevant to your situation. For billing disputes, request the itemized bill, discharge summary, progress notes, and medication administration record at minimum.
2. Where to send your request
The right destination depends on where you received care:
- Hospital inpatient or ER visit: The hospital's Medical Records Department (also called Health Information Management or HIM). Find the contact on the hospital's website under "Patient Services" or "Medical Records."
- Physician office visit: The physician's office directly. If you saw a specialist at a hospital-owned practice, their records are separate from the hospital's records.
- Patient portals: MyChart (Epic), Health Online (Cerner), FollowMyHealth, and others allow you to download records electronically at no cost. This is the fastest method for recent visits.
- Third-party apps: Under the ONC Cures Act rule (certified EHRs must expose a patient-facing FHIR API) and the CMS Interoperability and Patient Access rule (covered insurers must do the same for claims and clinical data), you can authorize apps such as Apple Health or CommonHealth to pull records directly over the FHIR API, with no paper form. One caveat: a legitimate app sends you to the provider's own portal login to approve access (SMART on FHIR uses OAuth 2.0) and never sees your portal password; an app that asks you to type that password into its own screen should not be trusted.
3. How to make the request (step by step)
- Locate the provider's records request form (often labeled a HIPAA authorization or release of information form). Most hospitals post it on their website or in the patient portal. HIPAA lets a provider require requests in writing and on its own form, but only if the form does not create a barrier to access or unreasonably delay it: it cannot, for example, require you to come in person or to have the form notarized. If you cannot find the form, a plain written request containing the information below is still valid.
- Include all required information: your full legal name, date of birth, dates of service (or date range), specific records you are requesting, how you want to receive them (electronic, paper, portal), and your signature.
- Specify electronic delivery. Write "Please provide records in electronic format (PDF or another standard electronic format) to minimize fees." Per-page charges are not a reasonable cost basis for electronic copies; HHS guidance also permits a flat fee of up to $6.50 for electronic copies of records the provider keeps electronically, so that is the most you should expect to see.
- Submit with proof of delivery. For written requests, send via certified mail or through the patient portal's messaging function, which timestamps the request; an email read receipt depends on the recipient and is not proof. Keep a copy of everything you submit.
- Log the date. The 30-day clock starts when the provider receives your request, not when you send it. Note the delivery confirmation date.
- Follow up on day 25. If you haven't received records or an acknowledgment by day 25, call the medical records department. Reference the submission date and request a status update in writing.
- Escalate if ignored. If the provider misses the 30-day deadline without granting an extension, file a complaint at hhs.gov/ocr. This is a federal HIPAA violation.
4. Timeline and what they can charge
HIPAA is specific about both how fast providers must respond and what they can bill you:
| Scenario | HIPAA requirement | Practical tip |
|---|---|---|
| Standard request | Respond within 30 days | Request via portal for same-day access |
| Extension (one allowed) | Up to 30 additional days with written notice to you before day 30 | If they miss day 30 without notice, file with OCR |
| Electronic records fee | Reasonable, cost-based: labor for copying, supplies (e.g. a USB drive) and postage; no per-page fees; a flat fee of up to $6.50 is permitted for records kept electronically | Explicitly request electronic format in writing |
| Paper copy fee | Reasonable cost-based fee (state laws vary: typically $0.25–$0.75/page) | Request electronic to avoid; some states cap fees further |
| Denial | Provider must give a written, plain-language reason, tell you how to complain to the provider and to OCR, and, where the denial is reviewable (e.g. a safety-based denial), how to request review by a licensed professional | Denials for psychotherapy notes or litigation material are not reviewable; for anything else, escalate to OCR if unresolved |
Separately, the ONC Cures Act rule's API condition of certification bars charging patients for records they retrieve through an app over the certified EHR's FHIR API, so the app route should cost nothing. The HIPAA fee limit is a ceiling, not a price list: a provider may charge less or nothing, and many do.
5. What providers cannot do
These actions are HIPAA violations — if a provider attempts them, you have grounds to file a complaint:
- Deny access because you have an unpaid bill. Outstanding balances have zero effect on your right to records. Full stop.
- Charge excessive fees for electronic records. Per-page fees for electronic delivery are not permitted under HHS guidance.
- Take longer than 60 days without a written explanation. Even with the extension, 60 days is the absolute maximum.
- Use the request form to obstruct you. A provider may require a written request and may ask you to use its own form, but the form cannot create a barrier or unreasonable delay: it cannot require in-person-only submission, notarization, or a reason for the request.
- Release records to anyone else without your written authorization. The same rule that protects your privacy obligates the provider: sending your records to the wrong person is an impermissible disclosure, and you can complain about that too.
To file a complaint: visit hhs.gov/ocr, call 1-800-368-1019, or submit online. Complaints must generally be filed within 180 days of the violation. There is no cost to file.
6. Requesting records for a deceased family member
HIPAA continues to protect a deceased person's health information for 50 years after death. To access a deceased family member's records, you must establish legal authority. Accepted forms of authority include:
- Executor or administrator of the estate — present letters testamentary or letters of administration issued by the probate court
- Personal representative with authority under state law to act on behalf of the decedent or the estate; being named in the will is usually not enough on its own, and the provider will typically ask for the court-issued letters
- Surviving next-of-kin where state law grants access rights (varies by state)
Note: A power of attorney expires at death and does not establish authority to access records posthumously. If no formal authority exists, consult a probate attorney about your options before requesting records.
Common reasons to access a deceased family member's records: resolving estate billing disputes, malpractice investigations, disability or life insurance claims, and understanding hereditary health conditions.
7. Your right to amend your records
HIPAA gives you the right to request a correction if your records contain information you believe is inaccurate or incomplete. The process:
- Submit a written amendment request to the provider's medical records department
- Explain specifically what you believe is wrong and provide supporting documentation if available
- The provider has 60 days to respond (with one 30-day extension, notified to you in writing within the first 60 days)
- If the provider denies the amendment, they must give you a written reason and allow you to submit a statement of disagreement — which must be appended to your record
Providers can deny amendment requests if the record was created by another provider, the information is accurate and complete as written, or the record would not be available for inspection under HIPAA. But the denial and your rebuttal become part of the permanent record.
8. Why BillKarma needs your records
BillKarma cross-references your medical records against your itemized bill and EOB to catch errors that are invisible without clinical documentation. The most common errors that require record comparison include:
- Phantom procedures: A CPT code billed for a procedure not documented in the operative or progress notes
- Upcoded services: A higher-complexity evaluation and management (E&M) code billed than the documentation supports
- Drugs not administered: Medications appearing on the charge list that are not in the medication administration record
- Wrong admission dates: An inpatient stay billed for more days than the discharge summary reflects
- Duplicate tests: Lab or imaging billed twice when records show it was performed once
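The comparison described in this section, as an added example in Python (not BillKarma's own code) over constructed data: a tiny record extract and itemized bill with one defect of each kind planted. The charge categories, the E&M code ladder, and the rule that one billed inpatient day equals one midnight in the facility are assumptions of the example; the CPT codes are real codes (45378 diagnostic colonoscopy, 45385 colonoscopy with polypectomy, 99213/99215 office visits) used only for illustration.

```python
"""Record-to-bill reconciliation over constructed sample data.

Added example, not BillKarma's code. The charge kinds, the E&M ladder and the
one-midnight-equals-one-billed-day rule are assumptions made here so each of
the five error categories can be checked mechanically.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Established-patient office visit E&M codes, lowest to highest complexity.
EM_LEVELS = ["99211", "99212", "99213", "99214", "99215"]


@dataclass(frozen=True)
class Charge:
    kind: str          # "procedure", "em", "drug", "test" or "room"
    code: str          # CPT code, drug + dose, test name, or a room label
    service_date: date
    units: int = 1


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def reconcile(bill, record):
    """Compare an itemized bill (list of Charge) against a record extract.

    `record` is a dict with: procedures_documented (set of CPT codes from the
    operative/progress notes), em_level_supported (one E&M code), mar (set of
    (drug, date) pairs), tests_documented (Counter of (test, date) -> count),
    admit and discharge (dates). Returns a list of Finding.
    """
    findings = []
    for c in bill:
        if c.kind == "procedure" and c.code not in record["procedures_documented"]:
            findings.append(Finding("phantom procedure",
                f"CPT {c.code} billed on {c.service_date} but not documented"))
        elif c.kind == "em" and c.code in EM_LEVELS:
            supported = record["em_level_supported"]
            if supported in EM_LEVELS and EM_LEVELS.index(c.code) > EM_LEVELS.index(supported):
                findings.append(Finding("upcoded E&M",
                    f"{c.code} billed, documentation supports {supported}"))
        elif c.kind == "drug" and (c.code, c.service_date) not in record["mar"]:
            findings.append(Finding("drug not administered",
                f"{c.code} on {c.service_date} is not in the MAR"))

    # Tests: aggregate billed units per (name, date) and compare to the count
    # documented in the record, so a second line item for the same test stands out.
    billed_tests = Counter()
    for c in bill:
        if c.kind == "test":
            billed_tests[(c.code, c.service_date)] += c.units
    for (name, day), n in billed_tests.items():
        documented = record["tests_documented"].get((name, day), 0)
        if documented == 0:
            findings.append(Finding("test not documented",
                f"{name} on {day} billed, no result in record"))
        elif n > documented:
            findings.append(Finding("duplicate test",
                f"{name} on {day} billed {n}x, documented {documented}x"))

    # Room and board: assume one billed inpatient day per midnight in the facility.
    billed_days = sum(c.units for c in bill if c.kind == "room")
    nights = (record["discharge"] - record["admit"]).days
    if billed_days > nights:
        findings.append(Finding("wrong admission dates",
            f"{billed_days} inpatient days billed, discharge summary shows {nights} night(s)"))
    return findings


# Constructed sample: a two-night stay with one defect of each kind planted in the bill.
SAMPLE_RECORD = {
    "admit": date(2024, 3, 1),
    "discharge": date(2024, 3, 3),
    "procedures_documented": {"45378"},                 # diagnostic colonoscopy in op note
    "em_level_supported": "99213",
    "mar": {("ondansetron 4 mg", date(2024, 3, 2)),
            ("heparin 5000 units", date(2024, 3, 2))},
    "tests_documented": Counter({("CBC", date(2024, 3, 2)): 1}),
}

SAMPLE_BILL = [
    Charge("room", "semi-private room", date(2024, 3, 1), units=3),   # 3 days billed, 2 nights stayed
    Charge("procedure", "45378", date(2024, 3, 2)),
    Charge("procedure", "45385", date(2024, 3, 2)),                     # polypectomy not in op note
    Charge("em", "99215", date(2024, 3, 1)),                            # documentation supports 99213
    Charge("drug", "ondansetron 4 mg", date(2024, 3, 2)),
    Charge("drug", "morphine 2 mg", date(2024, 3, 2)),                  # absent from MAR
    Charge("test", "CBC", date(2024, 3, 2)),
    Charge("test", "CBC", date(2024, 3, 2)),                            # billed twice, run once
]


def run_sample():
    return reconcile(SAMPLE_BILL, SAMPLE_RECORD)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.category}] {f.detail}")
```

Running it lists five findings, one per category. In practice the record side comes from the documents in section 1 (operative notes, MAR, discharge summary, lab reports) and the bill side from the itemized statement, which is why requesting all of them matters.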
Frequently asked questions
Can a hospital deny my medical records because I have an unpaid bill?
No. Your right of access does not depend on whether you have paid; HHS guidance says a provider cannot withhold records over an unpaid bill for services. File a complaint at hhs.gov/ocr if a provider attempts this.
How long does a provider have to respond to my records request?
30 days from receipt of your request, with one optional 30-day extension (they must notify you in writing before the first deadline expires). Missing both deadlines is a federal violation.
What can providers charge for medical records?
For electronic records: a reasonable, cost-based fee covering labor, supplies and postage, or a flat fee of up to $6.50 for records kept electronically; per-page fees are not permitted. For paper: a reasonable cost-based fee (often $0.25–$0.75/page, capped by state law). Request electronic format to minimize fees.
How do I request records for a deceased family member?
You need legal authority: executor of the estate (with letters testamentary), personal representative in the will, or surviving next-of-kin where state law permits. A power of attorney expires at death.
Can I access my records through a patient portal app?
Yes. Under the ONC Cures Act rule, providers using certified EHRs must expose a patient-facing FHIR API, and the CMS Interoperability and Patient Access rule requires covered insurers to do the same; patients cannot be charged for that API access. Apple Health, CommonHealth, and similar apps connect this way, approving access through your provider's own portal login rather than asking for your password.
What if I disagree with something in my medical record?
Submit a written amendment request. The provider has 60 days to respond. If they deny it, you can submit a statement of disagreement that becomes a permanent part of your record.