Key takeaways:
Per the Health Insurance Portability and Accountability Act (HIPAA), you have the right to request and access your medical records or private health information (PHI) — either on paper or electronically.
Your provider may deny your request for records but only under limited circumstances.
You may request someone else’s medical records if applicable laws consider you the patient’s personal representative and you help them with their care or help pay for their care.
Getting your medical records is a great way to take charge of your health, and it shouldn’t be complicated. It should be as simple as asking a waiter for your tab or your credit card company for your monthly statement. Unfortunately, it’s not always that easy. That’s why the Health Insurance Portability and Accountability Act (HIPAA) protects your rights to access your records.
In fact, privacy laws allow you to get your protected health information (PHI) from your healthcare provider, pharmacy, or health plan upon request. But you may not know exactly what you’re allowed to ask for and how to ask for it.
Read on to learn how to request your health information, what to do if your provider denies your request, and how to get someone else’s records.
What information is available in my medical records?
Your medical records may contain a wealth of personal health information, including notes on your diagnosis, treatment, and follow-up care.
Here’s a list of some of the items you may find in your medical records:
Notes from your annual physical exam
Notes from a visit due to illness or injury
Reports from specialists
Test results, such as blood tests, urinalysis, and biopsies
Medical imaging results, such as X-rays, MRIs, and CT scans
List of current (and possibly past) medications
Results from procedures, such as a mammogram and colonoscopy
Surgery results
Discharge summary if you were hospitalized
How far back do my medical records go?
State law determines how far back a provider or hospital is required to keep your records. For instance, a provider in Florida must hang on to records for 5 years from the last time a patient made contact with them. In Georgia, it’s 10 years.
To further complicate things, these requirements may also differ depending on the setting. For example, healthcare providers often have different record-keeping requirements than hospitals within the same state.
Check with your state’s medical boards by using the search terms “medical record retention laws,” or look for your state on this PDF created by HealthIT.gov, the government’s office for health information technology.
Read more like this
Explore these related articles, suggested for readers like you.
What happens if something is wrong in my medical records?
You have the right to ask your provider to correct any errors in your medical records. You may want to focus on errors that may impact your future health, such as a misspelling of your name or incorrect contact information. These errors may prevent you from getting your records in the future or may keep your health plan from making payments.
If you find errors in a diagnosis or treatment plan, ask your provider to correct these mistakes as well. For example, if your records say you have Type 1 diabetes, but you’ve been diagnosed with Type 2 diabetes, you should ask your provider to correct the error.
Make sure you ask your provider for their process for requesting corrections. They may want you to mail your request in writing or send them a message via their patient portal. No matter how you send in your request, your provider typically has 60 days to respond.
How do I request medical records from my healthcare provider?
There was a time when medical records were kept under lock and key in your provider’s office. Today, access is still guarded due to privacy laws, but there are more ways to get your hands on your records.
You could start by visiting your provider’s website and looking for a page or link that says something like “request medical records.” You can also check your patient portal if your provider uses one. If you don’t find what you’re looking for, call or visit your provider’s office and tell them you’d like a copy of your medical records.
You will more than likely have to fill out a form or an “authorization to release.” The form will ask for personal information such as your full name, date of birth, and Social Security number. It will also tell you how to turn it in. You may be able to scan and email a copy, or your provider may require an original signature. If that’s the case, you will need to deliver it in person or mail it.
Authorization-to-release forms may vary by provider. Your healthcare provider can tell you specific instructions for how they prefer these forms to be accessed, filled out, and submitted.
However, providers aren’t allowed to put requirements in place that create barriers or unreasonably delay your request. For example, not everyone is able to access the internet to submit a request, so this would create a barrier if it was the only way a provider accepted requests. Instead, they should offer you a few options.
Your records will be available in one or both of the following formats:
Electronic: According to HIPAA, you have the right to ask for electronic or paper copies of your records, even if they aren’t readily producible in that format. For example, if your provider only files paper copies, and you want electronic copies, they may have to scan them and email them to you or give you electronic access to a digital location. If your provider isn’t able to give you electronic copies, you can agree to an acceptable format.
Paper: You can ask your provider for paper copies even if they only store electronic copies, per federal privacy laws. They can print out your records and give them to you in person or mail them to you.
After you submit a request, your provider has 30 calendar days to give you access to your requested records. If they’re unable to meet this deadline, they’re required to notify you in writing and give a new date — but it shouldn’t take any longer than an additional 30 days.
Does it cost anything to access my medical records?
HIPAA gives providers the right to charge you a reasonable fee to make copies of your health information to cover their cost of paper, ink, and postage. However, they may not charge you for the labor involved in searching for your records and making them available.
Can a provider refuse my request to access medical records?
Yes, there are circumstances in which a provider may deny your request for medical records, but they are limited. The reason for a denial typically involves your safety, the safety of others, or a legal situation. Depending on what you’re asking for, they may deny all or part of your request.
For instance, your provider may refuse your request if your records include:
Mental health or psychotherapy notes
Information that will be used in a court case or lawsuit
Data from a research project or clinical trial that’s currently in progress
Information that may cause you to harm yourself or someone else
Details that may reveal the identity of someone who should remain anonymou
If your request for records access is denied, you should receive a written response — that also includes the basis for denial — within 30 calendar days (if there wasn’t an extension). In some cases (but not all), you can request to have the denial reviewed. If this is an option, the written response should explain how that process works.
To learn more about request refusals, visit the Individuals’ Right under HIPAA to Access their Health Information webpage.
Am I able to request access to someone else’s medical records?
Yes, you can request someone else’s records if you meet certain criteria. You must be considered the other person’s personal representative under state law or other applicable law and authorized to make healthcare decisions on the other person’s behalf. Similarly, other people can be your personal representative as well.
Further, a provider is legally able to share your medical records with a family member if you:
Don’t object to the person requesting your records, and they’re also involved in your care
Pass away or are incapacitated (not capable of normal functioning), and your provider believes it’s in your best interest to share your records
Request that the records be sent to the other person
The bottom line
You have the right to request your medical records, and, in most cases, your provider should comply. You may ask to get your records either in paper format or electronically. There are only a limited number of reasons why your provider may refuse your request. You can also request someone else’s medical records if the other person agrees, or if their provider believes it’s in the patient’s best interest.
To learn more about your rights to medical records, visit the Department of Health & Human Services HIPAA page.
Why trust our experts?
References
HealthIT.gov. (n.d.). Check it.
HealthIT.gov. (n.d.). Home.
HealthIT.gov. (n.d.). How to get it.
HealthIT.gov. (n.d.). State medical record laws: Minimum medical record retention periods for records held by medical doctors and hospitals.
U.S. Department of Health and Human Services. (2013). Personal representatives.
U.S. Department of Health and Human Services. (2020). Individuals’ right under HIPAA to access their health information 45 CFR § 164.524.
U.S. Department of Health and Human Services. (2020). Under HIPAA, when can a family member of an individual access the individual’s PHI from a health care provider or health plan?
U.S. Department of Health and Human Services. (2022). Your rights under HIPAA.
