Medical Records Access and Management: Patient Rights and Processes

Federal law gives patients a legally enforceable right to see, copy, and correct their own medical records — a right that predates the smartphone but has become dramatically more consequential in the era of electronic health records. This page covers how that right works in practice, what HIPAA actually requires of healthcare providers, and where the process tends to break down. Understanding the mechanics matters, because the gap between a patient's legal entitlement and what a hospital's front desk tells them can be surprisingly wide.

Definition and scope

Medical records access refers to the right of a patient — or their authorized representative — to inspect and obtain copies of their protected health information (PHI) held by a covered entity. Under the HIPAA Privacy Rule, specifically 45 CFR §164.524, covered entities must provide access to designated record sets, which include medical and billing records used to make decisions about the individual.

The scope is broad. Lab results, physician notes, imaging reports, discharge summaries, prescription records, and billing documentation all fall within what a patient can request. The scope is not unlimited: psychotherapy notes kept separately from the main record, information compiled for legal proceedings, and certain laboratory results subject to Clinical Laboratory Improvement Amendments (CLIA) restrictions carry different rules.

HIPAA applies to covered entities — healthcare providers, health plans, and healthcare clearinghouses — as well as their business associates. Providers who are not covered entities (a small-scale cash-only practice that transmits no electronic claims, for instance) fall outside HIPAA's jurisdiction, though state law may still govern them.

How it works

The mechanics follow a defined sequence under federal regulation:

  1. Submission: The patient submits a written request to the provider's designated contact — typically a Health Information Management (HIM) department. Many covered entities now accept requests through patient portals.
  2. Verification: The provider verifies the requestor's identity. This step is required; it is not bureaucratic gatekeeping.
  3. Format selection: The patient may request records in a specific format — paper, electronic, or direct transmission to a third party. Under the 2021 HHS Interoperability rules, providers using certified electronic health record technology must respond to electronic requests through standardized application programming interfaces (APIs), per ONC's 21st Century Cures Act Final Rule.
  4. Timeline: Covered entities must act on a request within 30 days. One 30-day extension is permitted if the provider notifies the patient in writing of the reason and the new deadline — 45 CFR §164.524(b)(2).
  5. Fees: Providers may charge a reasonable, cost-based fee for copying, but not for the labor of locating records. The HHS Office for Civil Rights has clarified that flat fees cannot be imposed for electronic copies delivered to the patient directly — only actual labor, supply, and postage costs apply (HHS Guidance on Access, 2016).

If a provider denies a request, the patient has the right to a written explanation and, in most cases, the right to request a review of that denial by a licensed healthcare professional designated by the covered entity.

Common scenarios

Three situations account for the overwhelming majority of records access questions:

Transitioning care to a new provider. A patient moving from one health system to another needs records transferred directly. Providers must honor requests to transmit records to a third party — including another physician or health system — under the same 30-day timeline. This intersects with the broader framework of health data portability for patients, which has expanded significantly under the 21st Century Cures Act.

Reviewing records after a hospital stay. Discharge summaries, operative notes, and nursing records from an inpatient stay are all accessible. Patients reviewing these records for billing accuracy — cross-referencing them against a hospital bill — are exercising a right that directly reduces billing errors. The hospital billing patient services process and records access are closely linked.

Requesting records for a second opinion. Imaging studies (CT scans, MRIs, pathology slides) are among the most frequently requested items when patients seek second opinion services. Providers must release these in a usable format — a low-resolution PDF of a radiology report does not satisfy the requirement if a higher-resolution version exists in the designated record set.

Decision boundaries

Not every records request follows the same rules, and the distinctions matter.

Patient request vs. third-party request: A patient requesting their own records operates under §164.524. A third party — an insurer, an employer, a law firm — requesting records about a patient operates under §164.512 and requires either a valid authorization signed by the patient or a specific regulatory exception. These are fundamentally different legal pathways.

Amendment requests: Separate from access, patients have the right to request amendment of their records under 45 CFR §164.526 if they believe information is incorrect or incomplete. Providers may deny amendments — for example, if the record was not created by the covered entity — but must document the denial and allow the patient to submit a written disagreement.

Minors and representatives: The rules shift when the patient is a minor. In most states, parents are the personal representatives of minor children, but exceptions exist for adolescents seeking treatment for substance use, mental health, or reproductive health, where state law may grant the minor authority over their records independent of parental access rights. The patient rights and responsibilities framework addresses representative authority in detail.

Deceased patients: HIPAA protections for deceased individuals extend for 50 years following death (45 CFR §164.502(f)). Personal representatives of a deceased patient — typically an executor or administrator of the estate — may access records, subject to provider verification of representative status.

The HIPAA patient privacy rights framework that governs all of this is part of a broader ecosystem of patient protections catalogued across the National Patient Services Authority.
