HIPAA Right of Access: Your Guide to Getting Your Medical Records (Timelines, Fees, and How to Request)


Kevin Henry

HIPAA

February 11, 2024


HIPAA Overview of Right of Access

What the right covers

The HIPAA Right of Access gives you the ability to inspect or obtain copies of your medical records—your protected health information—held by doctors, hospitals, clinics, and health plans. It applies to clinical notes, lab results, imaging reports, billing records, and other items in the designated record set, whether on paper or in electronic form.

You can request records for yourself or, with valid documentation, for someone you legally represent. You may also ask for a summary or explanation if you agree to any related fee in advance.

Who must comply and what they must provide

Covered entities and their business associates must provide access in the form and format you request if readily producible. If not, they must offer an alternative that is readily usable. They cannot require you to pick up records in person or create unjustified hurdles that delay access.

Timelines for Medical Record Access

Standard access request timelines

Under HIPAA, providers generally must fulfill a records request without unreasonable delay and no later than 30 calendar days from receipt. This deadline applies whether the records are maintained on site or off site.

Permitted extensions

If a provider cannot meet the 30-day timeline, one extension of up to an additional 30 days is allowed. The provider must give you a written notice before the original deadline, explaining the reason for the delay and stating a new completion date.

Tips to keep your request on track

  • Submit a complete request that clearly identifies what you want and your preferred format.
  • Confirm the recipient and delivery method (for example, secure email or portal download).
  • Follow up promptly if you have not received confirmation within a week.

Fees and Cost Regulations

Reasonable cost-based charge

Providers may charge only a reasonable cost-based charge for copies. This can include labor for copying (not searching or retrieving), supplies such as paper or portable media, postage if mailed, and the cost of preparing a summary if you request one.

What providers cannot charge

  • No fees for record retrieval, verification, or maintaining systems.
  • No per-page fees for electronic copies of electronic records.
  • No charges for simply allowing you to view records in person.

How fees are calculated and disclosed

Providers may calculate the actual labor cost, use a reasonable average cost schedule, or offer a flat fee for standard electronic copies. Upon request, they should explain the basis for the fee before you decide how to proceed.

How to Request Medical Records

Step-by-step process

  1. Identify the records: specify dates, providers, and types of documents you need.
  2. Choose form and format: ask for electronic copies when available (PDF, portal download, secure email, or other mutually agreed format).
  3. Submit your request in writing: use the provider’s form or your own letter; include your contact details and delivery preference.
  4. Verify your identity: be prepared to provide acceptable verification without unnecessary burden.
  5. Track fulfillment: note the date submitted to monitor the 30-day timeline and any extension.

Authorization for third-party access

If you want your records sent to someone else—such as a family member, attorney, or new clinician—include an authorization for third-party access that names the recipient, describes what should be sent, and states where and how to send it. Your written direction must be clear and signed.

Format and delivery options

When records are electronic, you can usually request secure email, portal download, or portable media. If the specific format isn’t readily producible, the provider should work with you to agree on a reasonably usable alternative.

Denial of Access and Exceptions

Unreviewable exceptions

  • Psychotherapy notes kept separately by a mental health professional.
  • Information compiled for, or in reasonable anticipation of, legal proceedings.
  • Certain correctional institution circumstances where access would threaten safety, security, or custody.

Reviewable grounds for denial

  • Releasing the information is reasonably likely to endanger life or physical safety of you or another person.
  • The request includes references to another person and release is likely to cause substantial harm.
  • A personal representative’s access is likely to cause substantial harm.

These denials are subject to review by a licensed health care professional not involved in the original decision, if you request review.

What must be in a written denial notice

A written denial notice must state the specific reason for the denial, explain your review rights (if applicable), describe how to submit a review request, and include instructions for filing a complaint, including with the provider’s privacy office.

State-Specific Access Regulations

How HIPAA interacts with state law

HIPAA sets a federal baseline. If a state law gives you faster access, lower fees, or stronger privacy protections, the more protective state rule usually applies. Providers should follow the standard that results in greater patient access or privacy.

Common state variations to know

  • Shorter access request timelines (for example, 10–15 business days in some states).
  • Fee limits for paper copies and certified copies, often with per-page caps.
  • Special rules for minors, mental health records, and imaging.

Medical record retention requirements

HIPAA does not specify how long medical records themselves must be kept; it requires retention of HIPAA-related documentation for six years. States set medical record retention requirements, commonly ranging from 5 to 10 years for adults and longer for minors. Retention obligations affect whether older records are still available to access.

Electronic Access to Health Records

Using electronic health record portals

Many providers offer electronic health record portals where you can view, download, and transmit records at no charge. Portal availability does not replace your HIPAA right to receive copies in the format you request if it is readily producible.

APIs, apps, and secure transmission

You may choose to receive records via secure email, direct messaging, or app-based APIs. If you direct a provider to send records to a third-party app, the provider generally must comply, though you may be asked to acknowledge the privacy risks of unencrypted email if you prefer that method.

Practical privacy and security tips

  • Use strong passwords and multifactor authentication for portals and apps.
  • Limit sharing to the minimum necessary recipients and storage locations you trust.
  • Keep a personal log of what you requested, when you received it, and where you stored it.

Conclusion

To get your records efficiently, submit a clear written request, specify your preferred electronic format, and monitor timelines. Providers may charge only a reasonable cost-based charge and must issue a written denial notice if access is refused. Check state rules for faster timelines or additional protections, and use portals or secure apps to streamline electronic access.

FAQs

What is the HIPAA right to access medical records?

It is your legal right to inspect or receive copies of your protected health information held by covered entities. You can choose the format if it is readily producible, request a summary if you agree to any fee, and direct records to a designated third party.

How long do providers have to fulfill a records request?

Providers generally must respond as soon as possible and no later than 30 calendar days from receiving your request. They may take one additional 30-day extension if they send you a written notice explaining the reason and the new completion date. Some states require faster turnaround.

What fees can providers charge for medical record copies?

Only a reasonable cost-based charge is allowed, limited to labor for copying, supplies, postage, and an optional summary if you request it. Retrieval fees are not allowed, and per-page fees are not permitted for electronic copies of electronic records.

What can a patient do if access is denied?

Read the written denial notice carefully. If the denial is reviewable, you can request an independent review by a licensed professional. You can also appeal to the provider’s privacy office and, if necessary, file a complaint with the appropriate authorities.
