Your Rights to Access Your Medical Records Under HIPAA

Obtaining access to your medical records is one of your rights as a patient. Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, you also have the right to decide who gets to see your medical information and when.

Under HIPAA, your medical records must be delivered within a specific timeframe. Requests can also be made to change incorrect information.

Healthcare providers, in turn, have the right to request payment for making and delivering copies, to withhold certain pieces of information, and to share your records with other providers in specific situations.

This article explains how to request and obtain your medical records. It also describes your right to privacy—and exceptions to those rights—and what you can do to resolve disputes with a healthcare provider.

May I See My Chart at My Doctor's Office?

HIPAA provides patients with a legal, enforceable right to see and receive copies of their medical information and other health records upon request from their healthcare providers. This includes seeing the “original chart review” instead of a photocopy or a summary page.

If you are in the provider's office and are reviewing lab test results, a pathology report, or radiology findings, you have the right to see the original chart review and request a copy of the report in its entirety.

Are My Medical Records Private?

Strictly speaking, healthcare providers must safeguard your medical records to ensure that your privacy and confidentiality are not breached. HIPAA has issued specific guidelines as to how this must be done (as well as penalties if safeguards are not in place).

In addition to this, you have the right to decide who gets to see your medical information and when.

However, there are exceptions. Under HIPAA regulations, a healthcare provider can share your medical records without your consent in specific situations, such as:

  • Health insurance: When enrolling in an insurance plan, your signature grants access to medical information associated with a paid or approved claim.
  • Disability benefits: For instance, the Occupational Safety and Health Administration (OSHA) can gain access to your medical records in the event of a workplace accident.
  • Shared medical care: If you are being treated by another specialist for the same condition, your primary provider has the right to share information specific to that condition only. Withholding the records may exclude important information vital to your diagnosis and treatment.
  • Designated parties: This includes any individual or group with whom you have allowed your medical information to be shared, either on an ongoing basis or when indicated (such as with a springing medical power of attorney).
  • Legal actions: A subpoena to access your medical records may be obtained if you are charged with a crime or when you are involved in a lawsuit for which your medical information is relevant.

Do I Have the Right to Get All of My Records?

HIPAA requires your healthcare provider to provide you with a complete copy of your medical records when requested. In most cases, the copy must be provided within 30 days. The time frame can be extended another 30 days if there is reasonable cause.

Even so, providers are encouraged to make the transfer as quickly as possible given the widespread use of patient portals and other electronic delivery systems.

Again, there are exceptions to the HIPAA rule. Healthcare providers can withhold or exclude certain pieces of information, such as:

  • Psychotherapy notes: These are the personal notes or impressions documented during a counseling session that may cause psychiatric harm or conflict if shared.
  • Information related to an impending action: This includes information compiled in anticipation of, or for use in, a civil, criminal, or administrative action. Unless a subpoena is granted, this information can be withheld.

New Laws and Protections

Under the 21st Century Cures Act (which went into effect on October 6, 2022), healthcare organizations must provide patients with immediate access to their health records in an electronic format. This includes all test results, medication lists, and clinical notes.

The Cures Act ensures that all reports are delivered to a patient portal and prevents "information blocking" (in which medical information may be withheld or limited). Under this new law, a patient may see their reports even before their provider.


Can My New Healthcare Provider Get My Medical Records?

If you are changing physicians, you can request that your medical records be transferred to a new physician. The request would need to be issued in writing. The process can vary but is usually straightforward.

In an ideal situation:

  1. You fill out an authorization form granting one provider permission to share your records with another provider.
  2. You mark on the form which records you want to be shared.
  3. You pay (or are billed) fees to cover the cost of the transfer.

In the best-case scenario, your records would arrive within a few days or earlier. If your records have not been digitized, it can take up to 30 days to complete the transfer under HIPAA regulations.

Can a Healthcare Provider Charge for Medical Records?

Your healthcare provider can charge you for the cost of making copies of your medical records. The cost must be reasonable and only include:

  • Labor for copying the records requested by the patient (whether in paper or electronic format)
  • Supplies for creating the paper copy or electronic media (such as a USB drive)
  • Postage or shipping requested by the patient (including special expedited services)

The costs need to be stated and agreed to upfront.

What Do I Do if I Find an Error in My Medical Records?

If you find an error in your medical records, you can request that it be corrected. You can also ask your healthcare provider to add information if the record is incomplete or to change something you disagree with.

Under HIPAA regulations, your healthcare provider is not required to make changes or omit information that they believe to be inaccurate, misleading, or untrue.

Even if your provider doesn't agree with you, you still have the right to have your disagreement noted in your records. In most cases, the file should be changed within 60 days, but it can take an additional 30 days if you're given reasonable cause.

Sample Letter to Request Medical Records

Many providers don't have prepared authorization forms to fill out (although this is starting to change). In the absence of prepared forms, you can make a written request by including the following information in a letter:

  • Date of correspondence
  • Your full legal name
  • Social Security number
  • Date of birth
  • Address
  • Phone number
  • Email address
  • The list of requested medical records with dates of service (covering certain dates or all dates you were under the provider's care)
  • Format of delivery (paper, USB drive, secure web portal)
  • Method of delivery (fax, post, email, in person)
  • Your signature
  • A copy of your government-issued ID

Resolving Problems

HIPAA, the same act that regulates how your health information is handled to protect your privacy, also gives you the right to see and obtain a copy of your records and to dispute anything you feel is erroneous or has been omitted.

If you have difficulty with either of these issues, simply asking the office staff involved to review HIPAA regulations will usually be enough to resolve the situation.

This is, however, one of those areas where it's sometimes best to "choose your battles" wisely. At times, demanding a copy of your records or insisting that you disagree with something in your records isn't worth the time or stress involved.

If an error or omission in your records is minor, it might not be worth pursuing and risking a problem in the relationship with your healthcare provider and their staff.

Healthcare providers will usually send a copy of your records to a new practitioner at no charge, as a professional courtesy. This could be easier and far less stressful than obtaining a copy to give to your new healthcare provider.

These are considerations, but only you can make the final decision.

Summary

Requesting a copy of your medical records is one of your rights as a patient. The law guarantees you this right and protects you from unreasonably high fees when you request your medical records.

When you request your medical records, your doctor can only charge you what it costs to make and send the copies. You may have to wait for about 30 days while your request is being processed. If you find any mistakes in your medical records, you can request to have them amended.

New laws outlined in the 21st Century Cures Act require healthcare organizations to grant patients immediate access to their electronic medical records via a secure portal.

By Teri Robert
 Teri Robert is a writer, patient educator, and patient advocate focused on migraine and headaches.