That isn't an accident. Patient access to medical records is one of the few subjects in American healthcare policy where the political parties have not been able to find anything to fight about for thirty years. Doctors should be able to see your history. You should be able to see your history. Insurance companies and hospital systems should not be allowed to lock either of you out. That's the consensus, and it's been the consensus since the Clinton administration.
You don't need to memorize the law. You need to know what it gives you.
The first law — HIPAA, 1996
Most Americans have heard of HIPAA. Almost no Americans know what HIPAA actually does.
The Health Insurance Portability and Accountability Act was signed by President Bill Clinton in 1996. It is best known to the public for the privacy notices you sign on a clipboard in every doctor's waiting room. Those notices exist because of one specific section of HIPAA called the Privacy Rule, which became effective in 2003.
The Privacy Rule does two things that often get confused. First, it tells doctors, hospitals, and insurers what they can and cannot do with your records. That's the part everyone has heard about. Second — and this is the part nobody talks about — it gives you a federal right to a copy of those same records.
The exact citation is 45 CFR § 164.524. The shorthand is the "Right of Access." It says that any organization that holds your protected health information — your doctor, your hospital, your insurance company, your lab — must give you a copy when you ask for it. They have thirty days. They can charge a small fee for actually copying the records, but they cannot charge you for the time it takes to find them, look through them, or get them ready.
That right has been federal law since 2003. Twenty-three years.
The second law — the Cures Act, 2016
By the mid-2010s, it was clear that HIPAA's Right of Access wasn't enough. Records were going digital. Hospitals were buying multimillion-dollar electronic health record systems from vendors who had every business reason to keep those systems incompatible with each other. Patients who tried to use their HIPAA right were running into a new kind of stonewall — not paper records lost in a basement, but digital records held hostage by software designed not to share.
Congress responded with the 21st Century Cures Act.
It passed the House on November 30, 2016 by a vote of 392 to 26. It passed the Senate the following week by a vote of 94 to 5. President Obama signed it into law on December 13, 2016. The bill's lead authors were Representative Fred Upton, a Republican from Michigan, and Representative Diana DeGette, a Democrat from Colorado. The lead Senate negotiators were Lamar Alexander, a Republican from Tennessee, and Patty Murray, a Democrat from Washington.
To put those vote totals in context: the Cures Act passed the House with the support of 92% of the chamber, in a year when partisan agreement on almost anything was rare. Senate Majority Leader Mitch McConnell called it the most significant legislation passed by that Congress.
The Cures Act did many things. It funded cancer research. It funded mental health treatment. It funded the opioid response. But the part that matters for your records is buried in Title IV. Congress directed the Department of Health and Human Services to write rules saying, in effect: in addition to giving patients their records on request, healthcare organizations are not allowed to interfere with the electronic flow of health information at all. Not subtly. Not creatively. Not at all.
That directive became the Information Blocking Rule.
The Information Blocking Rule, 2020
The Office of the National Coordinator for Health Information Technology — known as ONC — finalized the Information Blocking Rule in May 2020. The citation is 45 CFR Part 171. It was published on May 1, 2020, in the Federal Register at 85 FR 25642. Final compliance was required by April 5, 2021.
The Rule applies to three groups: healthcare providers, the technology vendors who build electronic health record systems, and the health information networks that move data between organizations. None of them are allowed to engage in any practice that interferes with the access, exchange, or use of your electronic health information. There are eight narrow exceptions, all of them spelled out in the regulation — things like protecting patient safety, complying with other laws, and resolving infeasibility. Outside those eight exceptions, blocking is illegal.
This rule was developed during the first Trump administration. It was published under the first Trump administration. It has been enforced under every administration since. The enforcement record is the clearest evidence that this isn't a partisan issue — it's a structural one.
Free, and yours
There is one more thing federal law makes clear, and it deserves its own paragraph.
The records are yours. Not the doctor's. Not the hospital's. Not the insurance company's. Federal law uses the phrase "the individual's right of access" deliberately. The institutions that hold your records are custodians of information about you. They are not the owners of that information. You are.
And in most cases, getting your records is free.
This is not a suggestion in the regulations. It's explicit. Under 45 CFR § 164.524, a provider can charge a small, cost-based fee — but only for the actual labor of copying, actual supplies, and actual postage. Providers are specifically prohibited from charging you for the time it takes to search for your records, retrieve them from storage, review them, identify which records belong to you, or prepare them for delivery. The HHS Office for Civil Rights has stated this plainly in its formal guidance.
And there is a category of requests where the law goes further. If you ask for your records electronically through a provider's patient portal — what the regulations call the "View, Download, and Transmit" function of Certified Electronic Health Record Technology — HHS guidance states that providers cannot charge any fee at all. Not for labor. Not for supplies. Not for anything. The cost is zero, because the labor and supplies are zero.
This matters because the most common scare tactic providers use against patients exercising their rights is the threat of fees. "It's going to cost you hundreds of dollars to get all of that." That threat is, in most cases, illegal under federal law. Knowing this in advance is half the battle. When a provider tries to quote you a fee that doesn't sound right, you can cite the rule. The Cures Act and the Information Blocking Rule make this even stronger: a provider who imposes unreasonable fees specifically to discourage you from requesting your records may be committing information blocking, which is a separate federal violation with its own penalty structure.
Your records are your property. Federal law says you can have them, mostly for free, and in nearly every case at no cost when they come to you electronically. Anyone who tells you otherwise is either misinformed or hoping you are.
What enforcement actually looks like
The two enforcement bodies are the Office for Civil Rights (OCR) at HHS, which enforces the HIPAA Right of Access, and ONC, which enforces information blocking.
The HIPAA Right of Access Initiative was launched by OCR in 2019, during the first Trump administration. Its purpose was simple: stop just writing guidance and start fining the institutions that wouldn't honor patient requests. As of December 16, 2025, OCR has announced 54 enforcement actions under that initiative.
A few recent examples, all involving patients who requested their own records and were denied or delayed:
- Concentra, Inc., a Texas-based occupational health provider, settled with OCR for $112,500 in December 2025. A patient had made six requests for his records beginning in February 2018 and didn't receive them until March 2019.
- Oregon Health & Science University paid $200,000 in March 2025 after a patient's personal representative made repeated requests beginning in April 2019 and didn't receive the complete records until August 2021.
- American Medical Response, an ambulance service, was hit with a $115,200 civil monetary penalty in August 2024 for taking 370 days to respond to a single patient request.
- A New Jersey hospital system paid $100,000 in April 2024 for denying a patient's personal representative access.
These are not abstract. These are providers who tried to ignore the law and discovered the law has teeth. Every one of those settlements began with a single patient filing a single complaint.
What states have added
Federal law sets the floor. States can — and many do — go further.
Several states have written stronger access laws on top of HIPAA:
- California: requires records within 15 calendar days under Health & Safety Code § 123110, half of HIPAA's 30-day window. Per-page copy fees capped at 25 cents for paper, 50 cents for microfilm. The California Confidentiality of Medical Information Act adds privacy protections beyond what HIPAA requires.
- Texas: under House Bill 300 and the Texas Medical Records Privacy Act, providers with electronic health record systems must deliver electronic records within 15 business days of a written request. Texas also prohibits retrieval fees.
- New York: requires access within 10 days of a written request under Public Health Law § 18. Paper copy charges capped at 75 cents per page.
- Florida: under Board of Medicine rule 64B8-10.003, copy fees capped at $1.00 per page for the first 25 pages and 25 cents per page after that.
When state law gives you more rights than HIPAA, state law wins. The legal term is preemption, and it works one way only: stronger protections always apply. A provider in California cannot tell you "HIPAA gives me 30 days" if California gives you 15. The 15-day rule applies.
You don't need to know the citation for your state to use your rights. You just need to know that if a provider tells you the federal deadline, your state may have given you a faster one — and that filing a complaint with your state attorney general's office is one of the most effective ways to enforce it.
What this means for you
You have two federal laws on your side, both with bipartisan history, both still actively enforced, in every state.
You have additional protections in many states on top of that.
You have a federal complaint process that has resulted in fifty-four enforcement actions in six years against organizations that tried to ignore the rules.
You have, in plain language, the legal right to ask for a copy of every record any healthcare organization holds about you, and you have a federal agency that will go after them on your behalf if they refuse.
Federal law applies in all fifty states, the District of Columbia, and every U.S. territory. It does not matter where you live, where you were treated, or where you moved from. Records held in Texas about care you received in California are still yours. Records held by a federal employer like the VA are still yours. Records held by an insurance company you no longer use are still yours. This is the single point that holds across every chapter of this guide and every situation you will encounter: the right is national, the right is personal, and the right was written for one purpose — so that you can have the information you need to take care of yourself.
Your information is yours, for your better health.
— The Law of the Land
The next chapter shows you exactly how to ask.