You have a clear, federally protected right to your own medical records. The framework — HIPAA's right of access plus the 21st Century Cures Act's information blocking rule — covers most situations and provides specific complaint paths. This page is the legal and procedural detail behind transferring medical records between providers, focused on the rights themselves.
The short version
- HIPAA gives individuals the right to access their protected health information held by covered entities, including in electronic form when readily producible.
- Covered entities generally must respond within 30 days, with one 30-day extension permitted with notice.
- Fees must be reasonable and cost-based; retrieval fees are not allowed.
- The 21st Century Cures Act prohibits information blocking by providers, EHR developers, and information networks.
- Psychotherapy notes — narrowly defined — are excluded from the standard right of access; the rest of the mental health record is not.
- Complaints about access denials go to the HHS Office for Civil Rights (OCR); information blocking complaints go to the Office of the National Coordinator (ONC).
The HIPAA right of access
The HIPAA Privacy Rule grants individuals the right to inspect and obtain copies of their protected health information held by covered entities. Covered entities include healthcare providers (almost all clinicians and practices that bill electronically), health plans, and healthcare clearinghouses. The right applies to information in the "designated record set" — medical records, billing records, and information used to make decisions about you.
The right is broad and includes records from prior providers if the current entity holds them. It includes electronic and paper records. It is enforced by the HHS Office for Civil Rights (OCR), which has issued substantial guidance and has taken enforcement actions against covered entities that violated the right of access.
How to request
HIPAA does not specify a particular form. Many covered entities use a standard authorization form for release of information; you can use that or write a clear request that includes:
- Your identifying information.
- The records you want (specific documents, date ranges, types).
- The format you want (paper, fax, electronic).
- Where you want them sent (your address, an email, a portal, another provider).
- Your signature and the date.
The 30-day clock generally starts when the covered entity receives the request. Date-stamp your copy.
Timelines
Covered entities must act on a request within 30 days. They may extend the response time once by 30 days, but only with written notice to the individual that includes the reason and the date by which the entity will provide access. They cannot extend indefinitely. Any state law that provides a shorter timeline applies if it is more protective than HIPAA.
In practice, requests handled through patient portals are often fulfilled almost immediately; release-of-information department requests can take longer; older paper records take longest.
Fees
HIPAA permits only "reasonable, cost-based" fees for the patient's right of access. OCR has clarified what this means:
- Fees may include the labor of copying, the cost of supplies (paper, electronic media), and postage if the records are mailed.
- Fees may not include retrieval costs, search costs, or the cost of maintaining records.
- For electronic copies of records that are already maintained electronically, some state per-page paper fee schedules may not apply.
- OCR has issued guidance on a "flat fee" approach as an alternative — typically not exceeding $6.50 — for electronic copies, although covered entities can elect a different cost-based approach.
Where covered entities use third-party release-of-information vendors, the fees still must comply with HIPAA's right-of-access rules. Some practices have improperly tried to charge per-page fees that exceed what HIPAA allows; OCR has taken action on this.
The 21st Century Cures Act and information blocking
The 21st Century Cures Act, with implementing rules from the Office of the National Coordinator for Health IT (ONC), addresses "information blocking" — practices that interfere with the access, exchange, or use of electronic health information. The rules apply to providers, EHR developers, and health information networks.
The information blocking provisions require, in plain terms, that providers and developers not impose unreasonable barriers between patients and their electronic health information. Specific exceptions exist (privacy, security, infeasibility, and others) but they are narrow. The Cures Act has reshaped patient access in practical ways: clinical notes appear in patient portals quickly after they are signed; lab results are released without delay in many systems; access through standardized application programming interfaces (APIs) is being implemented over time.
The ONC accepts information blocking complaints from patients, providers, and others through a public portal at oncprojectracking.healthit.gov.
What you can request
The right of access covers the designated record set. In practice, this includes:
- Visit/progress notes, consultation notes, operative reports, discharge summaries.
- Lab results.
- Imaging reports and the underlying images (DICOM) where maintained.
- Pathology reports.
- Medication lists and prescription histories.
- Problem lists and active diagnoses.
- Allergy lists.
- Immunization records.
- Letters from outside providers incorporated into the chart.
- Billing records.
- Patient-uploaded photos and documents that are part of the chart.
What is excluded or limited
Psychotherapy notes
HIPAA defines psychotherapy notes narrowly: "notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session" and that are kept separate from the rest of the medical record. These get heightened protection and are not part of the standard right of access. Importantly, this is a narrow category — it does not include diagnoses, treatment plans, medication notes, billing information, summary of session attendance, or most of the mental health record. See mental health telehealth.
Information for legal proceedings
Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding may be excluded from access.
Other narrow exceptions
Certain research records during research, certain inmate records, and a limited number of other categories may be excluded.
Substance use treatment records (42 CFR Part 2)
Records of federally assisted substance use disorder treatment are subject to additional protections under 42 CFR Part 2 — separate from HIPAA. Specific consent forms are usually required for disclosure to outside parties. Patients still have access to their own records.
Personal representatives
HIPAA recognizes "personal representatives" — people who, under state law, can act for the individual. For adults, this is typically a holder of durable power of attorney for healthcare or a court-appointed guardian. For unmarried minors, it is typically the parent or guardian, with state-specific exceptions for certain types of adolescent care. With respect to the relevant health information, personal representatives have the same access rights as the patient.
For deceased patients, the personal representative (executor of the estate) typically has access. State law and the practice's policies determine the specifics.
Filing a complaint
HHS Office for Civil Rights
The OCR enforces HIPAA. Complaints can be filed online at hhs.gov/ocr. The complaint should be filed within 180 days of the violation. Complaints can be filed for any violation — improper denial of access, excessive fees, breach of confidentiality, refusal to provide records in electronic form. OCR investigates and may resolve through corrective action plans, financial settlements, or formal enforcement.
ONC information blocking
The ONC's information blocking complaint portal accepts reports of practices that interfere with access, exchange, or use of electronic health information. The portal is open to patients, providers, and developers.
State agencies
Many states have parallel state-level health privacy laws and complaint mechanisms. State attorneys general also have authority in some cases.
Specific common situations
"We will only fax records"
If the records exist electronically, you have a right to electronic copies in a format the entity is capable of producing. The covered entity cannot refuse to provide records in electronic form when they are readily producible electronically. "We do not have a way to send PDFs" from a practice with an EHR is generally not a sufficient answer.
"We need you to come in and sign"
HIPAA does not require an in-person visit to make a request. Practices may have their own forms, but the rules do not require physical presence.
"That will be $200"
Reasonable cost-based fees are allowed; $200 for an electronic copy of an electronic record is unlikely to be cost-based. Ask in writing for a justification.
"You can have summaries but not the full notes"
The right of access generally extends to the underlying records, not just summaries. There are narrow exceptions for psychotherapy notes and certain other categories.
What to do, in order
- Try the patient portal first.
- If the portal does not have what you need, submit a release-of-information request in writing.
- Note the date you submitted; the 30-day clock starts then.
- If the response is delayed beyond 30 days without notice of extension, follow up in writing.
- If a fee seems excessive, ask for cost justification.
- If access is denied, ask for the legal basis in writing.
- If unresolved, file with OCR and/or ONC as appropriate.
When this is not enough
For records held outside HIPAA-covered entities — wellness apps, direct-to-consumer health services not acting as covered entities, certain employer wellness programs — HIPAA does not apply and access depends on the entity's privacy policy and applicable state law. For research records during a study, access may be limited until the study ends. For records in litigation, separate procedures apply.
Not medical advice. This site provides general educational information about navigating remote healthcare. It is not legal advice. For personal medical questions, talk to a licensed clinician; for legal questions, consult an attorney.