Your Right to Access Your Own Medical Records

Federal law gives patients the right to see, obtain copies of, and in some cases correct their own medical records — a protection that exists largely because of the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA. This right applies across most healthcare settings in the United States, from hospital systems to solo practitioners, and it carries real enforcement teeth. Understanding how the right works, what it covers, and where it stops is useful long before a dispute ever arises.

Definition and scope

The federal right of access to medical records is anchored in the HIPAA Privacy Rule, specifically 45 CFR §164.524. Under that provision, patients have a legally protected right to inspect and receive a copy of their "protected health information" (PHI) held in a "designated record set" — which includes medical and billing records used to make decisions about the individual.

The scope is broader than most people expect. Lab results, physician notes, imaging reports, medication histories, and billing records all typically fall within what a patient can request. Mental health records deserve a separate mention: they are protected by both HIPAA and, in most states, additional state laws that layer extra restrictions on top of federal minimums — a point covered in more depth at mental health patient rights.

What HIPAA covers, and what it doesn't, matters enormously here. HIPAA applies to "covered entities" — health plans, healthcare clearinghouses, and most healthcare providers — as well as their business associates. A fitness app that collects health data but is not affiliated with a covered entity sits largely outside HIPAA's reach. The Federal Trade Commission has noted this gap explicitly, though federal legislation to address it has remained incomplete as of 2024.

The HHS Office for Civil Rights (OCR) is the primary federal enforcer. OCR can impose civil monetary penalties that range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category (HHS Civil Money Penalties).

How it works

The process is more standardized than most patients realize. A covered entity must act on a records request within 30 days of receiving it. One 30-day extension is permitted if the records are stored offsite — but the entity must notify the patient of the delay in writing before the original deadline passes.

Providers may charge a "reasonable, cost-based fee" for copies. The OCR has clarified that this fee should reflect only the labor for copying, postage if applicable, and the cost of supplies for paper copies — not fees for searching or retrieving the records. When records are requested in electronic format, and the covered entity maintains them electronically, the fee is generally expected to be lower still.

A structured look at the required steps:

  1. Submit the request — typically in writing, though providers may not require a specific form. A signed, dated letter describing the records requested is sufficient.
  2. Verify identity — the provider may confirm the requester's identity, but cannot require notarization as a precondition.
  3. Receive confirmation — the provider must acknowledge the request and indicate the expected timeline.
  4. Receive the records — within 30 days (or 60 days with written notice of extension).
  5. Review charges — fees must be cost-based; a patient may ask for an itemized breakdown.

The right extends to a personal representative — someone with legal authority to act on a patient's behalf, such as a holder of healthcare power of attorney or a parent of a minor child.

Common scenarios

Switching providers. A patient moving from one practice to another has the right to request that records be sent directly to the new provider. The covered entity must comply with this "right to direct" the records to a third party designated by the patient.

Billing disputes. Billing records fall within the designated record set. Patients who suspect incorrect charges can request itemized billing statements under the same HIPAA access right — a point that intersects with the grievance and appeals process when insurance denials are involved.

Deceased patients. The personal representative of a deceased person — typically the executor of the estate — can exercise access rights for records relevant to that role. This makes records access relevant to estate administration and to understanding end-of-life care decisions, an area addressed more fully at end-of-life patient rights.

Telehealth records. Records generated during virtual visits carry the same access rights as in-person records. The platform used may differ, but the legal obligation on the covered entity does not. More on how telehealth settings handle these obligations appears at telehealth patient rights.

Decision boundaries

The right is real, but it is not absolute. HIPAA permits covered entities to deny access in a defined set of circumstances:

When a provider denies access on reviewable grounds, the patient is entitled to a written denial explaining the reason, and the right to request a review by a licensed healthcare professional designated by the covered entity.

State law sometimes expands these rights further. California's Confidentiality of Medical Information Act, for example, provides patients rights that exceed HIPAA minimums in certain respects. A full picture of how state laws interact with federal floors is available at state patient rights laws. For the full landscape of what patient rights cover across settings and populations, the National Patient Rights Authority home offers a structured entry point into connected topics including HIPAA patient rights and the broader patient bill of rights.
