Patient Right to Access Medical Records
The right to access medical records is a federally protected entitlement that governs how patients obtain copies of their own health information from covered healthcare entities across the United States. This page covers the regulatory foundation of that right, the procedural mechanics through which access requests are fulfilled, the common circumstances in which the right is exercised, and the boundary conditions that determine when access may be limited or denied. Understanding this framework is essential for patients navigating health information portability, dispute resolution, and care coordination.
Definition and scope
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Privacy Rule — codified at 45 CFR § 164.524 — establishes an individual's right to inspect and obtain a copy of their protected health information (PHI) maintained in a designated record set. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces this rule against covered entities, which include hospitals, physician practices, health plans, and healthcare clearinghouses, as well as their business associates.
The scope of a designated record set includes medical and billing records maintained by a covered healthcare provider, enrollment and claims records held by a health plan, and records used by or for the covered entity to make decisions about individuals. It does not encompass psychotherapy notes (which are held to a separate, stricter standard), information compiled for civil, criminal, or administrative proceedings, or laboratory results that are exempt under the Clinical Laboratory Improvement Amendments (CLIA) in specific circumstances.
Patients who want to explore how this right connects to broader protections should review the patient privacy rights under HIPAA framework and the foundational patient rights overview that contextualizes federal and state-level entitlements.
How it works
The access request process under HIPAA follows a defined sequence of steps that covered entities must observe. HHS OCR has published guidance clarifying each phase.
- Submission of request. Patients submit a written request to the covered entity, though entities may not require a specific form. Verbal requests are permissible unless the entity has established a written-request policy disclosed in its Notice of Privacy Practices (NPP).
- Verification of identity. The entity verifies that the requestor is the individual named in the record or a personal representative with documented legal authority (e.g., a healthcare proxy or guardian).
- Response deadline. Under 45 CFR § 164.524(b)(2), the covered entity must act on the request within 30 calendar days of receipt. A single 30-day extension is permitted if the entity provides written notice of the reason and the expected completion date before the original deadline expires.
- Format of access. If the entity maintains records electronically, it must provide the records in the electronic format requested by the individual, or in an alternative readable electronic format if the requested format is not readily producible.
- Fee limitations. Covered entities may charge a reasonable, cost-based fee. Following HHS guidance issued in 2016, the fee must reflect only labor costs for copying, supplies for physical media, and postage. Flat fees capped at $6.50 are recognized by HHS as a safe harbor for patient-directed electronic copies (HHS Right of Access Guidance, 2016).
- Denial and appeal. If access is denied, the entity must provide a written denial with the basis, the individual's right to request review of the denial, and how to file a complaint with HHS OCR.
Entities that transmit records directly to a third party at the patient's direction (as permitted under 45 CFR § 164.524(c)(3)) must apply the same fee standards and timelines.
Common scenarios
The right to access medical records arises across a predictable range of circumstances.
Continuity of care transitions. Patients transferring from a hospital to a specialist or rehabilitation facility request records to ensure the receiving provider has complete diagnostic history, imaging, and medication records. This overlaps with rights during hospitalization, particularly around discharge planning.
Second opinion preparation. A patient seeking an independent evaluation of a diagnosis assembles records — including pathology reports, imaging studies, and clinical notes — to bring to a consulting physician. The right to a second opinion depends structurally on the ability to transfer this documentation.
Billing dispute resolution. Patients disputing charges review itemized billing records alongside clinical notes to verify that documented services match billed procedures. This intersects directly with medical billing rights.
Legal and insurance proceedings. Records are requested for personal injury litigation, workers' compensation claims, and insurance appeals. Personal representatives — including attorneys with valid authorization — may exercise access rights on behalf of the individual under 45 CFR § 164.502(g).
Telehealth encounters. Records generated during virtual visits are subject to the same access requirements as in-person records. The specific considerations for patient rights in telehealth settings apply to how electronic records from those encounters are stored and disclosed.
Mental health records. General psychotherapy notes are excluded from the designated record set and are not subject to the standard access right. However, summary information in a clinical chart — such as diagnoses, medications, and treatment plans — does fall within the access right even for behavioral health patients. Separate considerations apply under mental health patient rights.
Decision boundaries
Not every access request results in unrestricted production of records. HIPAA defines specific grounds for denial, categorized by whether the denial is reviewable.
Non-reviewable grounds for denial include:
- Psychotherapy notes (always excluded from mandatory access)
- Information compiled in anticipation of civil, criminal, or administrative action
- PHI subject to the Privacy Act of 1974 where access would be prohibited under that Act
- Laboratory results exempted under CLIA
Reviewable grounds for denial — where the patient may request that a licensed professional review the decision — include:
- A licensed healthcare professional's determination that access is reasonably likely to endanger the life or physical safety of the individual or another person
- Information that references another person (not a healthcare provider) where access could cause substantial harm to that third party
- Access requested by a personal representative where a licensed professional believes it could cause substantial harm
When a denial is issued on reviewable grounds, the covered entity must designate a licensed healthcare professional to review it. That reviewing professional must not be the person who made the original denial decision, per 45 CFR § 164.524(d)(4).
State law layering. HIPAA establishes a federal floor, not a ceiling. State laws that provide stronger patient access rights — shorter response windows, lower fee caps, or broader record scope — preempt the federal standard under HIPAA's preemption analysis at 45 CFR § 160.203. California's Confidentiality of Medical Information Act (CMIA) and New York's Public Health Law § 18, for example, impose additional requirements on covered entities operating in those states. A state-by-state breakdown is covered under state patient rights laws.
Enforcement. Patients who believe their access rights have been violated may file a complaint with HHS OCR at hhs.gov/ocr. Civil money penalties under HIPAA range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category (45 CFR § 160.404), though penalty tiers are adjusted periodically for inflation. Agencies that handle complaints and their jurisdictional boundaries are outlined under patient rights enforcement agencies.
References
- 45 CFR § 164.524 — Access of Individuals to Protected Health Information (eCFR)
- HHS Office for Civil Rights — HIPAA Right of Access
- HHS OCR — HIPAA for Individuals
- 45 CFR § 160.203 — General Rule and Exceptions (Preemption)
- 45 CFR § 160.404 — Amount of Civil Money Penalty (eCFR)
- HHS Office for Civil Rights — File a Complaint
- Centers for Medicare & Medicaid Services — CLIA Overview