How to Access and Request Your Medical Records
Federal law gives every patient in the United States the right to see and obtain copies of their own medical records — a right that is more specific, more powerful, and more frequently misunderstood than most people realize. Knowing how to exercise it correctly can affect everything from insurance appeals to second opinions to simply understanding what happened during a hospitalization. This page explains what that right covers, how the request process actually works, the situations where it matters most, and where the boundaries of access fall.
Definition and Scope
The right to access medical records is anchored in the Health Insurance Portability and Accountability Act of 1996, specifically the Privacy Rule codified at 45 CFR §164.524. Under that rule, covered entities — hospitals, physician practices, labs, health plans, and most other healthcare providers — must provide patients with access to their own "designated record set" upon request. That phrase matters: it is broader than just clinical notes. It includes billing records, insurance information, and any other data used to make decisions about care.
The scope of HIPAA patient privacy rights extends to both paper and electronic records. Since the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, patients have the specific right to request electronic copies of records held in electronic health record (EHR) systems — and the provider must deliver them in the electronic format the patient prefers, if it is readily producible. That is not a courtesy. It is a regulatory requirement.
How It Works
The mechanics are more straightforward than most people expect, though the friction varies significantly by institution.
- Identify the record custodian. Each facility has a designated Health Information Management (HIM) department or medical records office. Large hospital systems may have a centralized release-of-information function separate from individual clinics.
- Submit a written request. Providers may require a specific authorization form, though HIPAA does not mandate a particular form for patient self-requests. A written request with the patient's name, date of birth, record number (if known), date range, and the specific records wanted is sufficient at most institutions.
- Verify identity. The provider will confirm identity — typically via government-issued ID — to prevent unauthorized disclosure.
- Specify the format and delivery method. Patients can request paper copies, a CD or USB drive, a secure email, or direct transmission to another provider.
- Wait out the response window. Under 45 CFR §164.524(b)(2), covered entities have 30 days to fulfill the request. One 30-day extension is permitted if the records are stored off-site, bringing the maximum to 60 days — with written notice required.
Fees are permitted but regulated. The Office for Civil Rights (OCR) at HHS has clarified that fees must be limited to the reasonable cost of labor for copying, postage if applicable, and preparing a summary if the patient requests one. Flat fees that bear no relationship to actual copying costs have been cited in OCR enforcement actions. The health data portability for patients framework reinforces that cost should not become a practical barrier to access.
Electronic records transmitted to the patient or to a designated third party must be provided at no greater cost than labor for copying — a standard that effectively makes many electronic transmissions very low cost or free.
Common Scenarios
Transitioning to a new provider. Moving care from one physician or system to another is the single most common reason patients request records. In this case, the patient can authorize direct provider-to-provider transmission, which bypasses the patient entirely and is often faster. The care coordination services framework encourages this approach as a way to reduce gaps in the care continuum.
Seeking a second opinion. Before a major procedure or diagnosis, patients frequently need to send imaging, pathology slides, or specialty consultation notes to another institution. Requesting those records — including the actual DICOM image files, not just radiology reports — is within scope. Second opinion services often have dedicated intake staff who can help identify which specific record types are needed.
Insurance appeals and billing disputes. Medical records are frequently the only way to substantiate or challenge a claim. Hospital billing patient services departments and insurers both rely on documentation to adjudicate disputes, and patients who obtain their own records before an appeal are in a materially stronger position.
Following a hospitalization. Discharge summaries, operative reports, and medication reconciliation records are critical for continuity. Discharge planning services and transitional care services depend on this documentation being in the right hands at the right time.
Decision Boundaries
Not everything in a medical record is automatically releasable under a standard self-request. Psychotherapy notes — defined narrowly as a therapist's private session notes kept separate from the rest of the record — are excluded from the standard access right under 45 CFR §164.524(a)(1)(i). They require separate authorization and are distinct from general mental health records, which are accessible.
Providers may also deny access when a licensed professional has determined that access is reasonably likely to cause serious harm to the patient or another person. This is a reviewable denial — meaning the patient can request a review by a licensed health professional not involved in the original decision.
Minors present a layered situation: in most states, parents or legal guardians hold access rights, but exceptions exist for conditions where minors may consent independently — reproductive health, substance use treatment, and behavioral health in states that permit adolescent self-consent. Patient rights and responsibilities outlines where those state-level variations typically emerge.
Records held by non-covered entities — certain wellness apps, fitness trackers, and direct-to-consumer genetic testing services — fall outside HIPAA entirely. Access to that data is governed by the company's terms of service, not federal patient rights law. That distinction is increasingly consequential as health data portability for patients becomes a more active regulatory conversation at both the federal and state level.