Patient Right to Access Medical Records
Federal law gives patients the legal right to see, obtain copies of, and in some cases correct their own medical records — a right that hospitals, clinics, and insurers are required to honor within defined timeframes and cost limits. This page covers what that right includes, how the request process actually works, which situations test its limits, and where the rules draw hard lines between access and denial.
Definition and scope
Under the HIPAA Privacy Rule, specifically 45 CFR § 164.524, patients have the right to inspect and receive a copy of their "designated record set" — a term that covers medical records, billing records, and any other records used to make decisions about the patient's care. The rule applies to covered entities: health plans, healthcare clearinghouses, and most healthcare providers. A solo acupuncturist who keeps paper records and never transmits data electronically is technically outside HIPAA's scope; a multi-site hospital network absolutely is not.
The scope is broader than many patients realize. The designated record set includes lab results, imaging reports, clinical notes, medication lists, and insurance claims data held by a health plan. It does not automatically include psychotherapy notes (which carry separate protections), information compiled in anticipation of civil or criminal litigation, or records subject to the Clinical Laboratory Improvement Amendments (CLIA) — though CLIA labs may independently grant access depending on state law.
This right sits alongside a wider framework of patient rights that includes informed consent, privacy protections, and the right to refuse treatment.
How it works
The process is more structured than most people expect, and the structure actually benefits patients.
- Submit a written request. The covered entity may require a signed written request, though it cannot demand more than that. Verbal requests are permissible, but written documentation protects both sides.
- The entity has 30 days to respond. Under 45 CFR § 164.524(b)(2), the provider or plan must act within 30 calendar days. One 30-day extension is permitted if the records are stored off-site, bringing the outer limit to 60 days — and the entity must notify the patient in writing that it is using the extension.
- Fees must be "reasonable and cost-based." The HHS guidance on access fees clarifies that fees cannot include search and retrieval labor costs. Covered entities can charge for copying (including electronic copying), postage, and preparing a summary if the patient explicitly requests one instead of full records.
- Electronic records require electronic delivery. If a patient requests records in electronic format and the records exist electronically, the covered entity must provide them that way — even if the format requested is not the entity's preferred system.
The HIPAA patient rights framework enforces these timelines, and the Office for Civil Rights at HHS is the federal enforcement body. Violations can trigger civil monetary penalties ranging from $100 to $50,000 per violation depending on culpability, with an annual cap of $1.9 million per violation category (HHS Civil Money Penalties).
For patients navigating denials or delays, the grievance and appeals process offers a parallel avenue beyond federal complaints.
Common scenarios
Requesting records after switching providers. This is the most straightforward case. A patient moving from one primary care physician to another requests the complete chart — visit notes, labs, immunization history. The original provider must respond within 30 days and cannot condition release on unpaid balances (withholding records for nonpayment is an HHS-identified violation).
Requesting records from a health plan. Patients sometimes overlook that insurers hold detailed records — explanation of benefits forms, prior authorization records, claims histories. Health plans are covered entities too, and the same 30-day rule applies.
Requesting a deceased person's records. A personal representative — typically an executor or administrator of the estate — may access the records of a deceased patient. State law governs who qualifies as a personal representative, which creates variation across jurisdictions. State patient rights laws frequently address this gap explicitly.
Mental health records. Psychotherapy notes — defined narrowly as a therapist's private session notes kept separate from the main medical record — can be withheld. General mental health treatment records (diagnoses, medications, treatment plans) cannot. This distinction matters significantly in mental health patient rights contexts.
Decision boundaries
The right of access is not absolute, and HIPAA specifies the grounds on which a covered entity may deny a request — grounds that are narrow and reviewable.
Reviewable denials are those a patient can challenge through a formal review process. These include situations where a licensed healthcare professional believes access would cause substantial harm to the patient or another person, or where the records were obtained from someone under a promise of confidentiality.
Non-reviewable denials cover records not in the designated record set (such as psychotherapy notes), records compiled for litigation, and records subject to the Privacy Act when held by certain federal entities.
The distinction between a covered entity denying access and simply delaying it is worth preserving. Delay without the required written notice and extension justification is itself a potential patient rights violation. A provider cannot simply go quiet for 45 days and later claim the extension applied.
Patients who believe their access rights were violated may file a complaint with the HHS Office for Civil Rights within 180 days of the alleged violation, though HHS may waive that deadline for good cause. The guide on how to file a patient rights complaint walks through what that submission requires in practice.