Your Patient Right of Access to Records under HIPAA

last updated on January 23, 2023

As a hospital patient, you’re legally entitled to information about how your hospital made treatment and billing decisions about you. 

This is known as a patient’s “right of access,” and it falls under the HIPAA Privacy Rule — the same umbrella of HIPAA rights that also ensures your patient data is protected. 

Exercising your right of access is especially powerful for negotiating hospital bills. At Goodbill, for example, we request detailed records for patients to help us flag discrepancies and build a strong case for negotiating with hospitals. While hospitals generally won’t send you these records on their own, they’re required to do so within 30 days once they get your request. 

HIPAA rights grants patients “right of access” to receive their billing and medical records from a hospital. The hospital must comply within 30 days of receiving the request.

Here’s an overview of what the HIPAA Right of Access legislation guarantees, and how to exercise your right of access.

Which Records are Covered under Right of Access?

Your HIPAA rights entitle you access to almost any patient health information about you, as long as it falls within the "designated record set" and is what the law calls “readily producible,” which means that the hospital already has it on file.

Something is within the "designated record set" if it's maintained by or for a covered entity (like a hospital) and used — in any way — to make decisions about you as an individual patient. That covers things like medical, billing, and claims records. You’re also entitled to specify the method and format that you’d like your documents delivered, for example: Email, fax, postal mail, Word document, PDF.

Billing Records

You have right of access to your billing records, like your itemized bill and UB-04 claim form, which provide detailed breakdowns of the procedures and charges you received during your hospital visit. Unlike the type of hospital bill you usually get in the mail, these provide standardized codes that help you identify errors or inflated charges when preparing to negotiate your hospital bill. Hospitals generally don’t send you these types of bills on their own, so you’ll need to exercise your HIPAA right of access to request them.

Medical Records

You also have right of access to your medical records, which include lab test results, X-rays and doctors’ notes. However, nowadays you can usually get your medical records online from your hospital’s patient portal, within minutes. 


There are a few exceptions that aren’t covered under HIPAA right of access, like psychotherapy notes taken by a mental health provider. 

How Do I Make A Right of Access Request?

Hospitals can require you to make the request in writing, though they sometimes accept them over the phone. 

Phone Request

The fastest way to find out whether your hospital accepts HIPAA right of access requests over the phone is to call your hospital and ask to be connected to the Billing or Medical Records department. If they do honor requests over the phone, they’ll generally ask you to confirm your identity by asking for your name, home address, date of birth, and account or guarantor number. From there, ask for the specific record you’re requesting, and whether you’d like it emailed, faxed or mailed to you. 

Written Request

Generally, a written request looks like a brief letter that includes the following information, faxed or emailed to the hospital’s billing department:

  • The record you’re requesting
  • Name
  • Home address
  • Date of birth
  • Account or guarantor number
  • Signature
  • Your preferred method of delivery: Email, fax, postal mail

Online Request

Some hospitals also accept these requests through an online form. If your hospital has one, you can usually find it in the “Medical Records” section of their website. 

Can I Designate A Third Party?

Third parties are allowed to receive your information on your behalf, as long as your request is in writing and signed by you. 

This means you can specify in your request that the hospital send your information to a company like Goodbill to help negotiate your hospital bill, or a family member, for example. Just remember to include your third party’s contact information for receiving the records.

How Long Does It Take?

Hospitals are legally required to send your records within 30 days of receiving your request.

In practice, we’ve found that hospitals can take anywhere from a few days to a few months. That’s because the definition of when a hospital “receives” your request is murky. Some hospitals take several weeks just to see your request, and count the 30 days from the time a hospital employee first scans your request into the system. From there, your request may get routed to a different department for processing. 

It doesn’t hurt to call your hospital’s billing department periodically, to check in on the status of your request. 

How Can I Speed Up the Process?

Calling the hospital’s billing department is the best way to ensure that your request was received, and that it’s being prioritized for processing. Best practice is to call a few days after you’ve sent your request to ask if they see it in their system. Then, check in once weekly to ensure it’s being processed.

As you near the 30-day mark, it may help to give hospitals a more forceful reminder that they’re legally obligated to fulfill your request within 30 days, using the sample script below.

Sample script

“Hi, I’m [name] and I’m a patient who received a bill from your hospital. 

I sent in a HIPAA right of access request for my [record] on [date], and I still haven’t received it. We’re now coming up on 30 days since my request, and HIPAA legally requires you to comply within 30 days. When should I expect to receive it?”

What If My Hospital Doesn’t Comply?

If your hospital doesn’t fulfill your request within 30 days, we recommend always calling the hospital’s billing department first to remind them of your rights under HIPAA, using the script in the previous section.

If you still feel like you’re not making headway, or that you’re being asked to jump through hoops that violate HIPAA, you can file a formal complaint online with the Office of Civil Rights in the U.S. Department of Health and Human Services.

The Office of Civil Rights regularly investigates these complaints and, if they find evidence of wrongdoing, will either require the hospital to take corrective action or pay a penalty.

Will I Get Charged for My Records?

Generally speaking, hospitals are allowed to charge you or your designated third party a fee. If you request the records for your own purposes, it’s usually about $6.50. If you want the records sent to a third party, it may be more, sometimes as high as $50. This assumes that you’ve requested your records be sent electronically, and that the hospital also maintains those records electronically. In states that have laws requiring hospitals to provide you with free copies, state laws take priority.

In cases where the hospital will need to make paper copies, pay for postage, or create a version of the document that doesn’t exist, they may charge you for the cost of labor and materials — though they must let you know this fee in advance. 

Negotiating hospital bills has never been this easy.

Get started today.