What to Do If They Push Back

The good news, and you should hear this clearly before reading anything else, is that patients win these fights. The federal government has paid attention to medical records access for more than two decades, and the enforcement infrastructure that grew up around it is real and functional. The Office for Civil Rights at HHS has resolved fifty-four formal enforcement actions just in the last six years. Most of those settlements began with a single complaint filed online by one patient. The provider involved didn't realize how serious the rules were until the letter from OCR arrived. By then, the question wasn't whether the patient would get their records. It was how much the provider would pay on top of that.

You have four escalation paths. Most situations only need the first one or two. We'll walk through each.

What "pushing back" looks like

Before we get to the complaint process, a quick reality check. Provider pushback comes in five flavors, and recognizing which one you're dealing with helps you respond appropriately.

• Silence. The most common form. You sent the letter. Thirty days came and went. No records, no denial, no email, nothing. This is the easiest case to escalate, because the regulatory deadline is a clear, objective fact.
• Partial records. They sent something, but you can tell pieces are missing. A summary instead of the full file. Clinical notes but no lab results. Reports but no imaging. This is more common than outright denial, because some providers genuinely believe they're being responsive when they're sending a curated subset.
• Unreasonable fees. "It'll be $400 to pull all that." "We charge $1.50 per page and there are 800 pages." "There's a $75 retrieval fee." These quotes range from "technically allowed but high" to "explicitly prohibited by federal law." When in doubt, the rule of thumb is: if the records exist electronically and you asked for them electronically, the fee should be zero.
• Bureaucratic stonewall. "You need to come in person." "We only accept requests through this third-party vendor that charges $40." "You need to fill out our four-page notarized form first." These aren't denials. They're friction designed to make you give up. Each of them may be illegal under the 21st Century Cures Act's information blocking rule, which prohibits "practices that interfere with access to electronic health information."
• Outright denial. Less common, but it happens. Usually phrased as "we cannot release these records." HIPAA allows a small number of denials — for example, if the records would endanger someone's safety, or if they reference psychotherapy notes that are kept separate. But any denial has to come in writing, has to cite the specific exception, and has to inform you of your right to appeal. A denial without those three things isn't a denial. It's just refusal.

Path 01Send the follow-up letter first

Before filing a federal complaint, send Template 6 from the previous chapter.

This isn't about being polite. It's about giving the provider a clear, dated record that they were on notice of their legal obligations, with a 14-day window to fix it. When OCR or ONC eventually investigates, the existence of this letter strengthens your case substantially. And in practice, most provider compliance offices — the people who handle the follow-up letter, not the front-desk staff who handled your original request — know exactly what's coming next and will resolve the issue immediately to avoid it.

Send the follow-up by certified mail with return receipt, or by email with a read receipt requested, or both. Keep copies of everything.

Give it the full 14 days. If at the end of that window you still don't have your records, you escalate.

Path 02File an OCR complaint (HIPAA)

The HHS Office for Civil Rights is the federal agency that enforces HIPAA. They have a free, public complaint portal that anyone can use. Filing takes about fifteen minutes. You don't need a lawyer. You don't need to pay anything.

The 180-day deadline. OCR complaints must be filed within 180 days of the violation. The clock starts when the deadline for the provider's response passed, or when they did the thing you're complaining about. If you discover the problem late, OCR may grant an extension for good cause, but don't rely on it. File within six months.

What happens after you file. OCR reviews the complaint, generally within a few weeks. If they decide it has merit, they open an investigation. The provider receives a formal letter from OCR demanding a response. This alone resolves a large fraction of cases — the provider, now facing federal scrutiny, sends the records and the issue closes. If OCR concludes that the law was violated, they can negotiate a "resolution agreement," which typically includes both providing the records and paying a financial penalty. Penalties under the Right of Access Initiative have ranged from $16,500 to over $200,000.

Path 03File an ONC information blocking complaint (Cures Act)

The Office of the National Coordinator for Health Information Technology — ONC — handles complaints under the 21st Century Cures Act. This is the channel for cases that aren't just slow or incomplete, but where you suspect the provider is using a system or process specifically designed to interfere with your access.

Examples that fit this category: a provider whose patient portal can display records but not download them. A hospital that requires you to use a third-party vendor that charges a fee, even when records are stored electronically. A practice that imposes a multi-week form-processing delay before they'll even accept a written request.

You can file with both OCR and ONC for the same situation. They're separate agencies under separate authorities. Filing both signals that you're serious and increases the likelihood of a thorough investigation. There's no rule against it.

You can file anonymously. Under the Cures Act, information you submit to ONC that could identify you as the complainant is exempt from disclosure under the Freedom of Information Act. The provider doesn't have to know who reported them. This matters if you're worried about ongoing care from the same provider.

Path 04State-level escalation

For situations involving licensed medical professionals, especially when the federal channels haven't produced a fast resolution, state-level complaints add real pressure.

State medical board. Every state has a medical board that licenses physicians. "Failure to provide patient records" is listed as a specific complaint category at most state boards — including, explicitly, the California Medical Board, where it falls under "office practice issues." A medical board complaint can result in license action, fines, or a public record of discipline against the doctor. Search "[your state] medical board file complaint" — every board has an online complaint form.

State attorney general. Most state AG offices have a consumer protection division that handles healthcare complaints. They are particularly useful when the issue involves fees or billing — they have experience with deceptive business practice cases. They are also the right channel when the problem is institutional rather than individual, like a hospital system's policy. Search "[your state] attorney general consumer complaint."

State health department. Many state health departments enforce state-specific patient access laws — like California's 15-day rule or New York's 10-day rule. If your state has a stronger access law than HIPAA and the provider has violated the state rule (even if they're within the federal 30-day window), the state health department is the right channel.

The state options often move faster than federal ones, because state agencies handle fewer total complaints and have direct licensing authority over the provider.

The order of escalation

For most situations, this order works:

1. Original request → 30-day federal deadline.
2. Follow-up letter (Template 6) → 14-day window.
3. OCR complaint → typically resolves within 60-90 days.
4. ONC complaint, if information blocking is involved → can be filed simultaneously with OCR.
5. State complaints, if the situation is still unresolved or if you want to add pressure.

In ninety percent of cases, you won't need to go past Step 3. The follow-up letter resolves many cases. The OCR complaint resolves most of the rest. The state and ONC paths exist for the small minority of situations that are genuinely combative or institutional.

A few practical points

Document everything. Every letter, every email, every phone call. Date and time. The name of the person you spoke to. Save voicemails. Print emails. Take screenshots. The patient who wins these fights is the patient with the paper trail.

You don't owe an explanation. You don't have to justify why you want your records. HIPAA doesn't require a reason. If a provider asks why you're requesting them, the correct answer is "for my own use" or "to share with another provider." That's it.

Don't sign anything that limits your future rights. Some providers will offer a partial release in exchange for you signing a release of liability or an agreement not to file a complaint. Don't sign anything like that. Your right to file a complaint is protected by federal law, and any agreement waiving that right is unenforceable. If a provider asks for this, that itself is reportable.

The system works for the people who use it. OCR's enforcement page lists every settlement publicly, with names. The patients who filed those complaints were not lawyers. They were people who sent a letter, waited the deadline, got ignored or pushed back on, and then filed a complaint on a free government website. That's the entire formula.

The next chapter covers the unusual situations that don't fit the standard pattern: closed practices, deceased providers, records held across state lines, and military and VA records. The rules for those cases are a little different, but they all still rest on the same federal foundation we've spent the last four chapters building.