Can't access your records? Errors in your file? Learn your rights under HIPAA and how to file complaints with OCR.
Medical records issues encompass a range of problems patients face when trying to access, correct, or protect their health information. Under the Health Insurance Portability and Accountability Act (HIPAA), patients have fundamental rights to their medical records, but violations of these rights remain common. Issues include delayed or denied access to records, excessive fees for copies, errors in medical documentation, improper disclosure of sensitive health information, and data breaches affecting millions of patients. The Office for Civil Rights (OCR) within the Department of Health and Human Services enforces HIPAA's Privacy Rule and investigates complaints about medical records violations. With the implementation of the 21st Century Cures Act in 2020, additional protections against information blocking have strengthened patient rights to electronic health information.
Over 25,000 patients file complaints each year about HIPAA violations, with access denial being the most common issue reported to the Office for Civil Rights.
Despite HIPAA's 30-day requirement, patients often wait 40-60 days to receive their medical records, with some cases taking months when providers delay or ignore requests.
Anthem Inc. paid $16 million in 2018 for a data breach affecting 79 million people, the largest HIPAA settlement in OCR history, demonstrating serious enforcement of patient rights.
Over 133 million patient records were exposed in data breaches during 2023, marking one of the worst years for healthcare data security and patient privacy violations.
OCR can impose civil monetary penalties ranging from $100 to $50,000 per violation, with annual maximum penalties of $1.5 million per violation category for repeated violations.
A staggering 89% of healthcare organizations have experienced at least one data breach in recent years, putting patient privacy and medical records security at significant risk.
Provider refuses to provide records or exceeds HIPAA's 30-day requirement (60 days with one extension). This is the most common HIPAA violation, with patients unable to obtain copies of their own medical information, often for reasons that are not valid exceptions under HIPAA.
Provider charges more than reasonable cost-based fees for medical records copies. HIPAA limits fees to labor, supplies, and postage costs. Many states have additional fee caps ranging from $0.15-$1.00 per page plus reasonable flat fees.
Incorrect information in medical records including wrong diagnoses, medications, allergies, or procedures. Errors can lead to dangerous medical decisions and treatment. HIPAA gives patients the right to request amendments to their records.
Unauthorized release of medical records to third parties without patient consent. HIPAA requires patient authorization for most disclosures, with limited exceptions for treatment, payment, and healthcare operations.
Unauthorized access, theft, or exposure of electronic health records affecting multiple patients. Healthcare data breaches have exposed over 500 million patient records since 2009. Breaches that affect 500 or more patients must be reported to OCR within 60 days.
Provider refuses to correct errors in medical records when a patient submits a valid amendment request. Under HIPAA, patients have the right to request amendments and, if denied, to file a statement of disagreement that stays with the record.
The 21st Century Cures Act prohibits practices that interfere with the access, exchange, or use of electronic health information. Information blocking includes charging excessive fees, delaying access, or limiting the format of electronic records.
Personal representatives and family members face difficulty obtaining the medical records of deceased patients. HIPAA protections continue for 50 years after death, but authorized representatives have the right to access records for estate, claims, or health-related purposes.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule gives you fundamental rights over your health information. These rights apply to all covered entities including hospitals, doctors, clinics, health plans, and healthcare clearinghouses. Your rights include the right to access your medical records within 30 days, the right to request corrections to errors, the right to know who has accessed your records, and the right to request restrictions on how your information is used. HIPAA also protects your mental health records, substance abuse treatment records, and HIV/AIDS information with additional safeguards. If a provider violates your HIPAA rights, you can file a complaint with the Office for Civil Rights (OCR) within 180 days of when you knew or should have known about the violation. OCR investigates complaints and can impose civil monetary penalties ranging from $100 to $50,000 per violation, with annual maximums of $1.5 million per violation category. While HIPAA itself does not provide a private right to sue, many states have additional privacy laws that allow patients to sue providers directly for damages.
You have the right to inspect and obtain a copy of your medical records within 30 days of your request. This is called the HIPAA Right of Access and is one of the most fundamental patient rights under federal law.
Under HIPAA and the 21st Century Cures Act, you have the right to receive your medical records electronically in a commonly used format that you request, at marginal cost only.
If you believe there is an error or missing information in your medical records, you have the right to request that your provider amend (correct) the records.
You have the right to receive an accounting (list) of certain disclosures of your health information made by your provider within the past six years.
You have the right to request restrictions on how your health information is used or disclosed for treatment, payment, or healthcare operations.
You have the right to request that your provider communicate with you about health matters in a certain way or at a certain location.
Even if your records are maintained electronically, you have the right to receive a paper copy if you prefer, though the provider can charge a reasonable cost for paper copies.
You have the right to direct your provider to send a copy of your medical records directly to a third party you designate (another provider, lawyer, family member, etc.).
You have the right to receive a Notice of Privacy Practices (NPP) that explains how your health information may be used and your rights under HIPAA.
If you believe your HIPAA rights have been violated, you have the right to file a complaint with the Office for Civil Rights (OCR) without retaliation.
Provider fails to provide medical records within HIPAA's required 30-day timeframe, or denies access entirely without valid exception. This is the most frequently reported HIPAA violation.
Provider charges more than reasonable cost-based fees for medical records copies. HIPAA limits fees to labor, supplies, and postage. Many states have stricter fee caps.
Provider gives partial records, omitting key documents like lab results, imaging reports, consultation notes, or billing records.
Incorrect information in medical records including wrong diagnoses, medications, allergies, procedures, or test results that could lead to dangerous medical decisions.
Provider refuses to correct obvious errors in medical records when a patient submits a valid amendment request, or fails to respond within the required 60-day timeframe.
Unauthorized release of medical records to employers, family members, insurance companies, or other third parties without patient consent or valid HIPAA exception.
HIPAA protects your right to access your medical records. File complaints with OCR if providers violate your rights.