How to Get Your Medical Records: HIPAA Rights

The HHS Office for Civil Rights has imposed over $2.3 million in penalties against providers who failed to give patients their medical records on time—yet one in four record requests still takes longer than the legal 30-day deadline, and some patients are charged $200 or more for records that should cost under $20. HIPAA gives you an unconditional right to your health information. Here is exactly how to exercise it, what you should pay, and what to do when a provider stonewalls.

1. Your HIPAA right of access

The HIPAA Privacy Rule (45 CFR 164.524) gives every patient the right to access and obtain a copy of their protected health information (PHI) maintained in a “designated record set.” This right is unconditional—the provider cannot deny access because you owe money, because a lawsuit is pending, or because the records are “too complex.”

Your right of access covers records held by:

Hospitals and health systems
Physician practices and clinics
Laboratories (including Quest, Labcorp, and hospital labs)
Pharmacies
Health insurance companies (claims data and prior authorization records)
Nursing homes and home health agencies

There are very narrow exceptions: a provider can deny access to psychotherapy notes (the private notes a therapist keeps separate from the medical record), information compiled for legal proceedings, or lab results that must be released under CLIA regulations through a different process. But for the vast majority of your medical information—visit notes, test results, imaging, diagnoses, medications, bills—you have an absolute right to a copy.

Why does this matter for medical bills? Your medical records are your primary evidence for disputing billing errors. If a hospital billed you for a Level 5 ER visit but the records show a straightforward evaluation, that is the proof you need. Upload your bill to BillKarma to identify which records to request for your dispute.

2. What your medical records include

Many patients think “medical records” means just visit notes. In fact, your designated record set includes far more:

Record Type	What It Contains	Why It Matters for Billing
Clinical notes	Visit notes, history and physical, progress notes, discharge summaries	Verify the level of service billed matches what was documented
Operative reports	Surgeon’s dictated description of every procedure performed	Verify CPT codes billed match procedures actually performed
Lab and pathology results	Blood work, biopsies, cultures, genetic tests	Confirm each test billed was ordered and resulted
Imaging reports	Radiology interpretations for X-rays, CT, MRI, ultrasound	Verify imaging billed was actually performed and read
Medication administration records	Every drug given during a hospital stay, with dose and time	Catch duplicate drug charges or drugs billed but not given
Billing records	Itemized charges, CPT/HCPCS codes submitted to insurance	Your primary document for identifying overcharges
Insurance correspondence	Prior authorization requests, denial letters, appeal records	Essential for understanding why claims were denied

When requesting records for a billing dispute, ask for the itemized bill, the clinical notes for the date of service, and the operative report (if a procedure was performed). These three documents together let you verify whether every charge on your bill corresponds to a service that was actually documented. For more on reading your medical bill, see our guide to reading medical bills.

Here is an example of how medical records expose billing errors. This patient requested their operative report after receiving a bill for a knee arthroscopy:

Orthopedic Surgery Center — Patient Statement — DOS: 01/08/2026

29881 — Arthroscopy, knee, meniscectomy $4,200

29877 — Arthroscopy, knee, debridement/shaving ⚠ Operative report describes only meniscectomy; debridement not separately documented $2,800

20610 — Arthrocentesis, aspiration, major joint ⚠ Joint access is integral to arthroscopy and should not be billed separately $350

Facility fee — OR time, recovery $6,400

TOTAL BILLED $13,750

By requesting the operative report and comparing it to the itemized bill, this patient identified $3,150 in questionable charges. The records showed one procedure was performed, but the bill listed three. Without the medical records, there would have been no way to dispute the charges. Check how your surgery center compares in our hospital directory.

3. How to request your records

You can request your medical records verbally, but a written request creates a paper trail and starts the legal clock. Here is the most effective approach:

Check the patient portal first. Many hospitals and physician offices make records available through their online patient portal (MyChart, FollowMyHealth, etc.) within 24–72 hours of a visit. Lab results, visit summaries, and imaging reports are often available immediately at no charge.
Submit a written request. Address it to the Health Information Management (HIM) department or Medical Records department. Include your full name, date of birth, date(s) of service, a description of what records you want, and the format you prefer (electronic PDF recommended).
Specify electronic format. Electronic copies are cheaper and faster. State: “I request my records in electronic format (PDF) sent to [your email], per 45 CFR 164.524(c)(2).”
Keep a copy and note the date. The 30-day clock starts when the provider receives your request. Send it by email with read receipt, certified mail, or fax with confirmation page.

You do not need to use the provider’s specific request form, though most have one. Under HIPAA, a written request in any format is sufficient. However, using their form may speed processing because it routes to the right department automatically.

4. Allowable fees: what providers can and cannot charge

HIPAA allows providers to charge a “reasonable, cost-based fee” for copies—but many providers overcharge dramatically. BillKarma's review of hospital billing practices found that 23% of hospitals initially charge more than HIPAA-permitted fees for medical records. Here is what the law allows and what states cap:

State	Per-Page Fee (Paper)	Electronic Copy Fee	Search/Retrieval Fee	Max Total Cap
Federal (HIPAA)	“Reasonable, cost-based”	Labor cost only	Not allowed	None specified
California	$0.25/page	$0.25/page equivalent	Not allowed	None
New York	$0.75/page	$0.75/page equivalent	Not allowed	None
Texas	$0.50/page (first 20), then $0.25	Flat fee rules	$23.63 allowed	Varies
Florida	$1.00/page (first 25), then $0.25	$1.00/page equivalent	Not allowed	None
Illinois	$0.88/page (first 25), then $0.38	Electronic fee schedule	$22.76 allowed	None
Ohio	“Reasonable”	“Reasonable”	Not specified	None
Pennsylvania	$1.49/page + search fees	Lower rate	$24.49 allowed	None

A typical 50-page medical record should cost $12–$50 depending on state and format. If you are quoted more than $100, push back. If you are quoted more than $200, the fee is almost certainly excessive and potentially a HIPAA violation. Electronic copies should be cheaper since there are no printing costs.

Pro tip: Always request electronic copies. They are faster, cheaper, and easier to share with a billing advocate or upload to tools like BillKarma’s bill scanner. If the provider insists on paper, ask them to cite the specific reason they cannot produce an electronic copy.

5. Timelines and state-specific rules

HIPAA sets the baseline: 30 calendar days from receipt of your request, with one permitted 30-day extension if the provider notifies you in writing. Several states impose shorter deadlines:

California: 15 days (Health & Safety Code §123110)
New York: 10 days for records needed for ongoing treatment; 30 days otherwise
Connecticut: 30 days, but provider must acknowledge receipt within 10 days
New Jersey: 30 days, with specific rules for records needed for disability claims

If the provider misses the deadline, do not wait quietly. Send a written follow-up citing the deadline, stating that you will file an OCR complaint if records are not provided within 10 additional business days. This letter resolves most delays immediately. Check whether the facility has a pattern of billing issues in our hospital directory—providers with poor billing grades often have poor records compliance as well.

6. What to do when you are denied or overcharged

Case study: Hospital charged $847 for records, patient filed OCR complaint and got them free

A patient in Texas requested 120 pages of surgical records for a billing dispute after a knee replacement. The hospital’s medical records vendor quoted $847: a $150 “search and retrieval fee,” $2.50 per page for the first 50 pages ($125), $1.00 per page for the remaining 70 pages ($70), plus a $502 “certification and processing fee.”

The patient filed an OCR complaint citing 45 CFR 164.524, noting that HIPAA does not permit search and retrieval fees for patient-directed requests and that $7.06 per page ($847 / 120 pages) was not a “reasonable, cost-based fee.” OCR contacted the hospital within 14 days. The hospital’s vendor waived all fees and provided the records electronically at no charge within one week. Total savings: $847.

Filing an OCR complaint

The HHS Office for Civil Rights investigates HIPAA Right of Access complaints and has made this a enforcement priority since 2019, imposing penalties ranging from $3,500 to $240,000 per violation. Here is how to file:

Go to ocrportal.hhs.gov and select “File a Complaint”
Select “Health Information Privacy” as the complaint type
Describe what happened: the date of your request, the provider’s response (or lack of response), and any fees quoted
Attach copies of your written request, any correspondence, and any fee quotes
Submit. OCR will assign an investigator and contact the provider

You must file within 180 days of the violation. OCR complaints are free and do not require an attorney.

Case study: Provider refused records over unpaid balance—$65,000 OCR penalty

A small medical practice in North Carolina refused to release a patient’s records until a $1,200 outstanding balance was paid. The patient filed an OCR complaint. OCR found the practice had a policy of withholding records from patients with unpaid bills—a direct HIPAA violation. The practice was fined $65,000 and required to implement a corrective action plan. The patient received their records at no charge.

This case illustrates an important principle: your right to your medical records is unconditional. A provider cannot hold your records hostage for payment. If this happens to you, cite 45 CFR 164.524 in a written demand and file with OCR immediately.

Case study: Hospital charged $1.25 per page for 680 pages—patient got electronic copy free after OCR complaint

A patient in Florida needed her complete medical records for a malpractice consultation with an attorney. The hospital quoted $850 for 680 pages at $1.25 per page. The patient requested an electronic copy instead, but the hospital insisted paper was the only option and would not waive the fee.

The patient filed an OCR complaint citing 45 CFR 164.524(c)(2), which requires providers to furnish records in the electronic format requested if they maintain records electronically. OCR contacted the hospital within 10 days. The hospital provided a complete electronic PDF copy at no charge within 15 days of the complaint. Total savings: $850.

Getting your records is step one of any billing dispute. Once you have your clinical notes and itemized bill, upload both to BillKarma and we will cross-reference the charges against the documented services. For a complete guide to disputing errors, see our bill dispute guide.

Frequently asked questions

How long does a provider have to give me my medical records?

HIPAA requires records within 30 calendar days of your written request, with one permitted 30-day extension. Some states have shorter timelines: California requires 15 days, New York requires 10 days for records needed for ongoing treatment. If the provider misses the deadline, send a follow-up letter and file an OCR complaint if they do not respond within 10 additional business days.

Can a hospital charge me for my medical records?

Yes, but only a “reasonable, cost-based fee.” This can include the cost of copying (paper or electronic media), postage, and labor for preparing the copy. Providers cannot charge for searching or retrieving your records. A typical 50-page record request should cost $12–$50. If you are quoted more than $100, push back and cite HIPAA’s fee limitations.

Can I get my medical records electronically?

Yes. If the provider maintains records electronically (virtually all do), they must provide them in the electronic format you request, if readily producible. PDF via email or secure portal is the most common format. Electronic copies should be cheaper than paper because there are no per-page printing costs.

What do I do if a provider refuses to give me my records?

File a complaint with the HHS Office for Civil Rights at ocrportal.hhs.gov. OCR has imposed penalties from $3,500 to $240,000 for HIPAA Right of Access violations. Before filing, send a written demand citing 45 CFR 164.524. Most providers comply once they realize a federal complaint is imminent.

Can a provider withhold my records if I owe them money?

No. Your right to access medical records is unconditional under HIPAA. A provider cannot refuse to release records because of an unpaid balance, a billing dispute, or any other payment issue. If this happens, it is a clear HIPAA violation. File an OCR complaint immediately.

Once you have your records and bills, use our cost calculator to compare every charge against Medicare rates for your area.