⚖ The Advocate
Health Rights

Doctor Refuses Patient Access to Medical Records

Your Medical Records Belong to You — The Law Requires Access Within 30 Days

Premium foundational 7 minutes
The Situation

What They Said

“Those are the doctor's records. We don't have to give them to you.”
Patients across the United States regularly encounter resistance when they try to access their own medical records. Doctors' offices, hospitals, and health systems sometimes operate on the assumption — incorrect under federal law — that medical records are the property of the provider, to be disclosed at the provider's discretion. This creates serious problems for patients who need their records to get a second opinion, transfer to a new provider, apply for disability benefits, manage a chronic condition, or simply understand what happened to their own body. The HIPAA Privacy Rule established a federal right of patient access to medical records in 2003, and subsequent regulatory updates have strengthened and accelerated that right. Providers must respond to access requests within 30 days and may charge only a reasonable cost-based fee. They cannot routinely deny access, delay indefinitely, or make access conditional on paying outstanding balances. The 21st Century Cures Act, enacted in 2016 and implemented through regulations effective 2021, went further — prohibiting 'information blocking,' a term that covers practices by health IT developers and healthcare providers that unreasonably restrict a patient's access to their own electronic health information. Many patients give up when a medical office says 'we don't have to give them to you,' because they assume the office knows the law. In fact, federal penalties for HIPAA violations and information blocking are substantial, and the Office for Civil Rights at HHS actively enforces patient access rights. Note: State law may provide additional protections beyond the federal baseline described here.
The Fallacy

The 'Provider Ownership' Medical Records Fallacy

The claim that medical records 'belong to the doctor' reflects an outdated and legally inaccurate understanding of healthcare information. While healthcare providers may physically maintain medical records and retain custody of them, the information contained in those records belongs to the patient. Federal law gives patients the right to access, inspect, and obtain copies of their own protected health information — not as a discretionary courtesy extended by the provider, but as an enforceable legal right. The HIPAA Privacy Rule, 45 C.F.R. § 164.524, is explicit: covered entities must permit a patient who is the subject of protected health information to inspect and obtain a copy of that information. There are narrow exceptions — psychotherapy notes, information compiled for legal proceedings, and a few others — but these are limited exceptions to a broad right, not the other way around. A blanket claim that patients have no right to their records is simply wrong. Furthermore, the 21st Century Cures Act introduced a new category of violation called 'information blocking,' which includes any practice that interferes with, prevents, or discourages access to electronic health information when there is no applicable exception. Healthcare providers who routinely deny or delay patient access requests face significant civil monetary penalties under this framework — up to $1 million per violation for health IT developers and, following rule implementation, potential disincentives for healthcare providers as well.

What the Law Says

Your Legal Foundation

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, 45 C.F.R. § 164.524
§ 164.524(a)(1) — Right of Access to Protected Health Information
“Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.”
This regulation establishes the patient's enforceable right to access their own medical records held by any HIPAA-covered entity, including physicians, hospitals, clinics, and health plans. The provider must respond within 30 days of receiving the access request and must provide the records in the format requested by the patient where feasible. Refusal to comply with a valid access request is a HIPAA violation reportable to the HHS Office for Civil Rights.
21st Century Cures Act, Pub. L. 114-255; 45 C.F.R. § 171.100 et seq. (ONC Information Blocking Rule)
§ 3022 — Information Blocking Prohibition
“It shall be considered information blocking if a health information technology developer of certified health information technology, health information network, health information exchange, or health care provider knowingly and unreasonably interferes with, prevents, or materially discourages access, exchange, or use of electronic health information.”
Healthcare providers who routinely deny, delay, or create unnecessary barriers to patient access to electronic health information may violate the information blocking prohibition of the 21st Century Cures Act, enforced by the ONC and the Office of Inspector General. This law complements HIPAA by targeting systemic practices — not just individual incidents — of restricting patient information access, and it carries significant civil monetary penalties.
What Scripture Says

God's Word on This

Hosea 4:6 (NIV)
“My people are destroyed from lack of knowledge. Because you have rejected knowledge, I also reject you as my priests; because you have ignored the law of your God, I also will ignore your children.”
God's lament that his people perish for lack of knowledge has a direct application here: a patient who cannot access information about their own health may make worse decisions, miss diagnoses, or be denied the ability to seek better care. Knowledge of your own medical condition is foundational to informed decision-making and to the stewardship of the body God has given you. The law's guarantee of record access is the mechanism through which that knowledge is protected.
Proverbs 18:15 (NIV)
“The heart of the discerning acquires knowledge, for the ears of the wise seek it out.”
Wisdom, in the biblical framework, actively seeks knowledge — it does not passively accept gatekeepers who say 'you don't need to know.' Seeking access to your own medical records is an act of wisdom and self-stewardship. The law supports this pursuit, and a patient who insists on their right to know their own health information is acting in alignment with both the spirit of Scripture and the letter of federal law.
🔒
You Know the Law — But Do You Know What to Say?
Reading your rights is one thing. Using them under pressure — calmly, correctly, in the right words — is what actually protects you. Members get the scripted rebuttal for this exact situation: what to say first, what to say if they push back, the tone to use, and the constitutional provision to cite. Practise out loud with audio until it's automatic.
Unlock This Scenario — R89/month
Identity & Dignity and Gender & Equality are free · All 17 domains from R89/month · Cancel anytime
Not ready to subscribe? Get the free checklist first.
10 South African rights scenarios — what to say, what to cite, what to refuse. Free, no card needed.
What They'll Say Next

Common Counter-Arguments

After you respond, they may push back with these arguments. Members get the full rebuttal for each.

They might say: “We can charge you whatever we want for copies — processing medical records is expensive.”
🔒 Subscribe to see the full rebuttal and legal counter-argument.
They might say: “We don't have to give you the raw records — we can just have the doctor summarise them for you.”
🔒 Subscribe to see the full rebuttal and legal counter-argument.
Know Your Rights. Know Your Word.
149 South African rights scenarios — exact rebuttals, constitutional law, and Scripture. Practise out loud with audio. Free to start with 2 full domains.
Try Free — Identity & Dignity
No credit card · Upgrade anytime for all 17 domains
Think you know your rights? 5 real SA law scenarios — find out where you’re at risk.
Take the Quiz →