How to Access and Request Your Medical Records

Accessing medical records is a federally protected right for patients in the United States, governed primarily by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and enforced by the U.S. Department of Health and Human Services (HHS). This page covers the legal framework that defines that right, the step-by-step process for submitting a records request, the most common situations in which patients seek their records, and the boundaries that determine what can and cannot be released. Understanding this framework helps patients navigate delays, denials, and fee disputes without confusion.

Definition and Scope

The right to access medical records in the United States is codified under 45 CFR §164.524, the HIPAA Privacy Rule's "right of access" provision. Under this rule, covered entities — including hospitals, physician practices, health plans, and clinical laboratories — must provide individuals with access to their protected health information (PHI) held in a "designated record set." This set includes medical and billing records, as well as any other records used to make decisions about the individual's care.

The HHS Office for Civil Rights (OCR) enforces HIPAA compliance and has clarified through published guidance that covered entities cannot require patients to justify why they want their records, nor can they demand notarization of requests as a standard condition. The scope of accessible records extends to electronic health records (EHRs), paper charts, laboratory results, imaging reports, and prescription histories. Records held by healthcare provider types across the care continuum — from primary care to specialty and post-acute settings — fall under this framework.

Certain categories of information carry additional protections. Psychotherapy notes (defined separately from general mental health records), records related to substance use disorder treatment under 42 CFR Part 2 (enforced by the Substance Abuse and Mental Health Services Administration, SAMHSA), and HIV-related records may require separate authorization beyond a standard HIPAA access request.

HIPAA patient privacy rights and patient rights and responsibilities form the foundational context for understanding how records access intersects with broader federal patient protections.

How It Works

The records request process follows a defined federal timeline. Under 45 CFR §164.524(b)(2), covered entities must act on a request within 30 calendar days. A single 30-day extension is permitted if the entity notifies the patient in writing of the delay and the reason for it.

A standard records request typically involves the following sequence:

1. Identify the covered entity. Determine which provider or health plan holds the relevant records — this may require contacting multiple institutions if care was fragmented.
2. Submit a written request. Most facilities accept a signed authorization form or their institution-specific release form. Requests may be submitted in person, by mail, or electronically through a patient portal if one is available.
3. Specify the scope. The request should indicate the date range, record types (e.g., discharge summaries, imaging, lab results), and the intended recipient (self, another provider, or an insurer).
4. Pay applicable fees. Under 45 CFR §164.524(c)(4), entities may charge a reasonable, cost-based fee covering labor for copying, supplies, and postage — but not retrieval or processing overhead. HHS guidance caps electronic access fees at actual labor cost, which in practice is often below $6.50 per request per HHS's 2023 enforcement communications.
5. Receive records in the requested format. If a patient requests records in electronic format and the entity maintains them electronically, the entity must provide them electronically.
6. File a complaint if denied. Complaints about HIPAA access violations are filed with the HHS Office for Civil Rights at hhs.gov/ocr. Penalties for non-compliance range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category (HHS Civil Money Penalty Structure).

The prior authorization process and medical billing and coding basics both rely on the same underlying medical record documentation — making accurate, timely access to records consequential beyond personal review.

Common Scenarios

Continuity of care transfers. When a patient changes primary care physicians or receives a referral to a specialist, transferring records ensures the receiving provider has complete clinical context. This is the most operationally frequent use case and is typically handled provider-to-provider via a release-of-information (ROI) form signed by the patient.

Insurance and legal proceedings. Patients requesting records for disability claims, personal injury litigation, or insurance appeals require a complete, certified copy of the medical record. In these cases, the receiving party — an attorney or insurer — may submit the request directly with a patient-executed HIPAA authorization form.

Second opinions. Patients seeking a second opinion in medical care must transfer diagnostic imaging (typically on CD or via DICOM transfer), pathology slides, and clinical notes. Radiology departments and pathology labs operate under the same 30-day HIPAA access timeline, though many honor urgent requests faster.

Personal review and error correction. HIPAA also grants patients the right to request amendments to their records under 45 CFR §164.526 if they believe information is inaccurate or incomplete. The covered entity has 60 days to act on an amendment request and may deny it with written justification — but must append the patient's disagreement statement to the record.

Mental health and substance use records. Requests involving mental health services access or substance use disorder treatment services require attention to the stricter disclosure requirements under 42 CFR Part 2 and applicable state law, which may impose narrower consent standards than HIPAA.

Decision Boundaries

Not all information is subject to the standard HIPAA right of access. The following distinctions govern what falls inside and outside a standard patient request:

Psychotherapy notes vs. general mental health records. HIPAA explicitly excludes psychotherapy notes — defined as a clinician's private session notes kept separately from the medical record — from the standard right-of-access provision (45 CFR §164.524(a)(1)(i)). General mental health treatment records, including medication logs and treatment summaries, remain accessible.

Designated record set vs. operational records. Only records in the "designated record set" are subject to access rights. Quality improvement files, peer review records, and incident reports are excluded under most state and federal frameworks.

Minor patients. When a minor is the patient, the right of access belongs to the parent or legal guardian in most circumstances under HIPAA and applicable state law. Exceptions exist for minors who legally consented to their own treatment (e.g., for contraception or substance use treatment in states permitting minor consent).

Deceased patients. A personal representative — typically an executor or next-of-kin depending on state law — may access the records of a deceased individual under 45 CFR §164.502(g). Protections apply for 50 years after the patient's death under the HIPAA Privacy Rule.

State law interactions. HIPAA establishes a federal floor; state laws that provide greater protections are not preempted. States including California (Confidentiality of Medical Information Act), Texas (Health & Safety Code Ch. 241), and New York (Public Health Law §18) each impose additional or stricter standards on records release timelines, fee caps, or category-specific disclosures. Patients are protected by whichever standard — federal or state — is more protective in a given situation.

The healthcare complaint and grievance process provides the formal channel when a records request is improperly denied, delayed beyond 60 days total, or accompanied by an excessive fee not supported by actual cost.

References

• U.S. Department of Health and Human Services — HIPAA Right of Access
• 45 CFR §164.524 — Access of Individuals to Protected Health Information (eCFR)
• 45 CFR §164.526 — Amendment of Protected Health Information (eCFR)
• 42 CFR Part 2 — Confidentiality of Substance Use Disorder Patient Records (eCFR)
• HHS Office for Civil Rights — Enforcement Process and Civil Money Penalties
• Substance Abuse and Mental Health Services Administration (SAMHSA) — 42 CFR Part 2 Overview
• HHS OCR — HIPAA Right of Access Initiative Enforcement Actions