Medical Record Laws by State: Key Statute Types for Compliance

State Medical Record Laws for HIM Compliance

HIPAA sets a national baseline for privacy and patient access, but medical record laws by state often add stricter rules for retention, release deadlines, fees, authorizations, minors, and sensitive data. Healthcare organizations need to understand which state statutes apply to their operations and prove compliance.

If you’re managing health information systems for a healthcare organization, you’ve likely operated under a dangerous assumption: “We follow HIPAA, so we’re compliant.” While HIPAA establishes critical baseline protections, it’s designed as a floor, not a ceiling.

In this article, we’ll discuss:

  • When state medical records laws override HIPAA
  • State retention requirements by provider and patient type
  • State-specific release deadlines and turnaround requirements
  • Medical record copying fees and state fee schedules
  • Authorization rules and special consent requirements
  • Minors’ records and age-of-majority variations

This article provides educational information about medical records compliance requirements. It is not legal advice. Healthcare organizations should consult qualified legal counsel regarding their specific compliance obligations.

HIPAA vs. State Medical Records Laws: When Does State Law Override Federal?

The fundamental principle is deceptively simple: when a state law is “more stringent” than HIPAA, the state law applies. But “more stringent” has a specific legal meaning: it provides greater privacy protection or gives individuals stronger access rights.

Here’s what makes this challenging: HHS does not make “more stringent” determinations for you. Your compliance team must assess whether each state requirement falls into this category, and your intake and routing logic must be flexible enough to apply different rule sets based on jurisdictional determinations.

The federal Office for Civil Rights (OCR) enforces HIPAA violations, but state attorneys general can also bring HIPAA enforcement actions under HITECH Act authority. State AGs also enforce state-specific privacy laws that exist alongside HIPAA.

A common starting point is the law of the state where treatment occurred. If a patient received services at your Florida clinic, Florida medical records laws govern retention, release deadlines, fees, and authorization requirements, even if the patient now lives in California. However, telehealth, multi-state integrated systems, and cross-border disclosures create gray areas. When jurisdiction is unclear, escalate to compliance and legal counsel.

Medical record laws by state are typically found in health and safety codes, occupational codes, or professional licensing regulations. The examples below illustrate the types of statutory provisions that govern medical record retention, deadlines, and fees, and why tracking these variations across jurisdictions requires systematic attention.

State Medical Record Retention Laws

HIPAA does not require specific retention periods for medical records; medical record laws by state do. State requirements typically consider provider type (physicians, hospitals, imaging centers), patient age (adult vs pediatric), and record type (imaging films, obstetrical records). Many states extend retention periods for records created when the patient was a minor.

When researching medical record laws by state for retention requirements, start with your state’s health and safety code, medical board regulations, or professional licensing statutes. The variations are significant:

New York: Under 8 NYCRR 29.2, records must be retained for at least six years, with obstetrical records and records of minor patients retained for at least six years and until one year after the minor reaches age 21, whichever is longer.

Massachusetts: Under 243 CMR 2.07, physicians must retain records for seven years from the date of last patient encounter, and pediatric records for seven years or until the patient reaches age 18, whichever is longer.

California: Many licensed facilities must retain patient health records for at least seven years, retain minor records until at least one year after age 18 (and not less than seven years total), and retain exposed X-ray film for seven years, under 22 CCR 72543.

Texas: Physicians must retain medical records for at least seven years from the date of last treatment, and if the patient was a minor at last treatment, records must be retained until the patient reaches age 21 or seven years, whichever is longer, under 22 TAC §163.2.

These variations mean your data lifecycle automation must accommodate different rules simultaneously. For IT Directors, that means either data lifecycle policies that accommodate the longest applicable retention period in any state where you operate, or state-specific retention automation. For more detail, see our medical records retention explainer.

State Medical Record Release Deadlines

Under HIPAA’s right of access provisions, covered entities must provide patients with access to their medical records within 30 days of the request, with one possible 30-day extension. However, medical record laws by state frequently impose significantly faster deadlines. The compliance trap: designing ROI workflows around HIPAA’s 30-day timeline creates a system that’s non-compliant in states requiring faster turnaround.

HIPAA’s patient right of access applies specifically to requests from patients or their personal representatives. Requests from attorneys, insurance companies, and other third parties fall under different provisions, and medical record laws by state often apply different timelines to these requests.

To understand your state’s specific requirements, check your state’s occupations code (for physician requirements) or public health law (for facility requirements).

A few examples that show how widely timelines vary:

Texas: Physicians must provide the requested information no later than the 15th business day after receiving the request under Texas Occupations Code § 159.006(d).

Washington: Providers must make records available (and provide a copy if requested) no later than 15 working days after receiving the request under RCW 70.02.080(1).

California: Providers must ensure copies are transmitted within 15 days after receiving the request under California Health & Safety Code § 123110(b)(1).

Nevada: Custodians must make records available for inspection within 10 working days (in-state) under NRS 629.061(1)(a).

Maryland: Providers may not refuse to disclose records beyond 21 working days after the request under Md. Code, Health–General § 4–309.

New York: Providers must offer the opportunity to inspect patient information within 10 days of a written request under New York Public Health Law § 18(2)(a).

These faster state deadlines mean HIPAA’s 30-day standard becomes operationally irrelevant in many jurisdictions. For context on how access violations trigger regulatory attention, see our article about right of access violations.

State Medical Record Copying Fee Laws

Few areas of ROI compliance generate more patient complaints and regulatory scrutiny than fees. Under HIPAA’s right of access, covered entities may charge only a reasonable, cost-based fee that is limited to specific categories of labor, supplies, and postage under 45 CFR § 164.524(c)(4).

HHS is also explicit that you cannot charge for search and retrieval (or other excluded activities) even if a state law would otherwise allow it, as reflected in HHS’s right of access guidance on permissible fees and its FAQ on state fee schedules.

The operational catch is that many states publish statutory fee schedules that look like they “set the rule,” but those amounts do not automatically apply to right-of-access requests when they would exceed HIPAA’s limits. That mismatch shows up quickly in multi-state workflows:

New York: New York permits a reasonable charge for copies, but caps paper copy charges at 75 cents per page under New York Public Health Law § 18.

California: California caps the per-page fee for paper copies at 25 cents per page (and 50 cents per page for microfilm) under California Health & Safety Code § 123110.

Florida: Florida’s Board of Medicine rule allows $1.00 per page for the first 25 pages and $0.25 per page thereafter for patients and certain governmental entities under Fla. Admin. Code R. 64B8-10.003.

Illinois (common third-party example): Illinois sets a detailed fee framework (including a handling charge and tiered per-page rates, with special rules for electronic/digital retrieval) under 735 ILCS 5/8-2001, which is why organizations often need separate “patient access” vs “third-party production” billing logic.

For detailed state-specific fee information, see our state-by-state medical record copying fees guide.

When You Can’t Charge for Medical Records: Kentucky and Wisconsin Limitations

Kentucky and Wisconsin are useful examples because they highlight a specific category of copying-fee risk that gets missed in multi-state ROI operations: situations where state law (or state-court interpretation of state law) effectively prohibits charging for the record copy itself in common scenarios.

Kentucky: Upon the patient’s written request, a hospital or health care provider must provide one copy to the patient without charge. The same statute allows a copying fee (capped at $1 per page) for furnishing a second copy. The practical challenge: your intake workflow needs to distinguish patient right-of-access requests that qualify as the patient’s written request under Kentucky law, follow-on requests that are “second copy” scenarios, and third-party requests where a different fee framework may apply.

Wisconsin: Wisconsin’s medical-record copying fee rules are easy to misapply because the statute’s fee caps are format-specific. Wis. Stat. § 146.83(3f) authorizes maximum charges for enumerated formats such as paper copies, microfilm/microfiche, and X-ray prints, and DHS publishes the CPI-adjusted maximums each year in its Schedule of Health Care Provider Records Fees (July 1, 2025–June 30, 2026).

However, that schedule should not be treated as a blanket authorization to charge for electronic delivery. In Banuelos v. University of Wisconsin Hospitals and Clinics Authority, 2023 WI 25, the Wisconsin Supreme Court held that Wis. Stat. § 146.83(3f) does not permit providers to charge fees for copies of patient health care records provided in an electronic format.

Authorization Rules and Sensitive Records

A valid HIPAA authorization must include:

  • Description of the information to be disclosed
  • Reason for the disclosure
  • Identity of persons authorized to disclose and receive information
  • Expiration date or event
  • Individual’s signature and date
  • Notice of the right to revoke
  • Notice about potential redisclosure

Any authorization missing these required elements is invalid under federal law.

Even when an authorization meets HIPAA’s required elements in 45 CFR § 164.508(c), state law can add extra consent rules or require special language for particular record types. That means a “HIPAA-valid” authorization can still be incomplete for state compliance.

For example, Minnesota generally prohibits releasing a patient’s health records without a signed and dated consent (or another specific legal basis) under Minn. Stat. § 144.293, subd. 2, and it sets a default consent duration where, unless an exception applies, consent is valid for one year under Minn. Stat. § 144.293, subd. 4.

New York applies a stricter overlay for HIV-related information. When disclosure is made under the statute, it must be accompanied or followed by a specific written redisclosure warning, and it explicitly states that a general authorization is not sufficient for further disclosure under N.Y. Public Health Law § 2782(5)(a).

Massachusetts requires written informed consent to disclose HIV test results (or to release medical records containing that information), and the written consent form must state the purpose and be distinguished from other medical release consents under M.G.L. c. 111, § 70F.

Many states require additional elements beyond HIPAA’s baseline, and some mandate specific authorization language for particular record types. A HIPAA-valid authorization might still be invalid under state law. For multi-state practices, you need intake logic that verifies the authorization meets HIPAA requirements, identifies which state’s law applies, and confirms the authorization meets that state’s additional requirements.

Minors’ Records and Age-of-Majority Variations

While 18 is the age of majority in most states, some are higher. Alabama sets the age of majority at 19 under Ala. Code § 26-1-1, and Nebraska treats people under 19 as minors under Neb. Rev. Stat. § 43-2101. Mississippi is higher still in many contexts, defining “minor” as under 21 (with carve-outs) under Miss. Code § 1-3-27.

HIPAA generally treats a parent as a minor’s personal representative, but not in specific scenarios, including when the minor can consent to the care under applicable law and no other consent is required, as laid out in 45 CFR § 164.502(g)(3) and summarized by OCR in The HIPAA Privacy Rule and Parental Access to Minor Children’s Medical Records.

States then layer on the consent categories that trigger these exceptions. In California, minors can consent to pregnancy-related care under Cal. Fam. Code § 6925, STD prevention care at age 12+ under Cal. Fam. Code § 6926, and drug/alcohol diagnosis and treatment at age 12+ under Cal. Fam. Code § 6929. California also ties record access to that consent: a minor is entitled to inspect records for care they were authorized to consent to under Cal. Health & Safety Code § 123110, and a minor’s representative can be restricted in situations covered by Cal. Health & Safety Code § 123115.

Finally, custody status doesn’t always change access rights. Wisconsin provides that access to a child’s medical/dental/school records is available to a parent regardless of legal custody unless a court orders otherwise under Wis. Stat. § 767.41(7).

How to Use State Laws to Build a Policy You Can Operationalize

You should not be researching statutes for every request. The goal is to translate requirements into written ROI policies and procedures that drive consistent disclosure decisions, as AHIMA recommends in its Release of Information Toolkit and in Release of Information: the Basics.

To operationalize state-by-state variation, build your internal standard around a small set of routing inputs:

  • Provider type (physician vs facility)
  • Requester type (patient or personal representative vs third party)
  • Record category (standard vs sensitive)
  • Patient status (minor vs adult)

Then maintain a single “source of truth” library that your workflow can rely on:

  • Controlling citation link
  • What it applies to (state, provider type, request type, record category)
  • Effective date and update trigger

Finally, set performance and workflow standards that match the law. AHIMA’s Management Practices for the Release of Information emphasizes oversight, continuous maintenance of authorization processes, and that operational standards like turnaround goals must conform to applicable state and federal requirements.

How ChartRequest Simplifies Compliance With State Medical Records Laws

HIPAA is the baseline, but it is not the whole rulebook. Every practice in the U.S. operates under state statutes that affect ROI decisions, including timelines, fees, authorization requirements, retention rules, and minors’ records.

That is a lot to manage, and it only gets harder when policies have to stay current as requirements change.

ChartRequest makes this easier. Our team of compliance experts fulfills requests with a 5-day average turnaround time guarantee, while helping you apply the right rules consistently, keep your workflow aligned with current requirements, and handle the edge cases that tend to trigger complaints and rework.

Schedule a consultation and let us take state compliance for medical records requests off your plate.
