Accessing and Managing Your Medical Records in the US

Federal law grants patients in the United States a defined right to access, obtain copies of, and request amendments to their own medical records — a right enforced primarily through the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. This page covers the legal framework governing medical records access, the mechanics of submitting and fulfilling records requests, the most common practical scenarios patients and authorized representatives encounter, and the boundaries that determine when access may be limited or denied. Understanding this framework matters because delayed or denied access to records can affect continuity of care, insurance appeals, disability determinations, and legal proceedings.


Definition and Scope

A medical record, in the regulatory sense, is the designated record set maintained by a covered entity — hospitals, physician practices, health plans, and their business associates — that contains information used to make decisions about an individual's care or payment. The U.S. Department of Health and Human Services (HHS) defines the right of access under 45 CFR § 164.524 as the patient's right to inspect and obtain a copy of protected health information (PHI) held in a designated record set.

The scope of what qualifies as a designated record set is broader than most patients assume. It includes:

  1. Medical and billing records maintained by a healthcare provider
  2. Enrollment, payment, and claims adjudication records held by a health plan
  3. Any other records used to make decisions about the individual, including case management and utilization review files

Records that fall outside this definition — such as psychotherapy notes maintained separately from the general medical record, quality assurance documents, and peer review records — carry different access rules. Psychotherapy notes, specifically, are excluded from the standard right of access under 45 CFR § 164.524(a)(1)(i) and require separate written authorization under 45 CFR § 164.508.

For a broader orientation to the regulatory environment governing patient interactions with the healthcare system, the patient rights in healthcare and HIPAA and medical privacy pages provide complementary reference material.


How It Works

The HIPAA Privacy Rule establishes a structured process with defined timelines and permissible fees. Covered entities must respond to a records request within 30 calendar days of receipt. A single 30-day extension is permitted if the entity notifies the individual in writing of the reason for the delay (HHS, 45 CFR § 164.524(b)(2)).

The standard request process follows this sequence:

  1. Submission — The patient (or authorized representative) submits a written request to the covered entity's designated privacy officer or records department. Verbal requests are permissible but entities may require written form.
  2. Verification — The entity verifies the requester's identity. For authorized representatives — such as legal guardians, holders of healthcare power of attorney, or personal representatives under state law — documentation of authority is required.
  3. Fulfillment format — Under the 2021 HHS Office for Civil Rights (OCR) enforcement guidance on the right of access, covered entities must provide records in the format requested by the individual if readily producible, including electronic format when records are maintained electronically.
  4. Fee limits — Entities may charge a reasonable, cost-based fee covering labor for copying, supplies, and postage. HHS has clarified that flat per-page fees for electronic records are impermissible; fees must reflect actual costs (HHS OCR Right of Access guidance).
  5. Denial and appeal — If access is denied in whole or part, the entity must provide a written denial with the basis, the individual's right to have the denial reviewed, and complaint pathways.

The transition to electronic health records has altered fulfillment logistics significantly. Certified EHR systems under the Office of the National Coordinator for Health Information Technology (ONC) must include patient access functionality, and the 21st Century Cures Act (Pub. L. 116-255) prohibits information blocking practices that restrict patient access to electronic health information.


Common Scenarios

Routine care transitions — When a patient moves between providers or seeks a second opinion, the receiving provider typically needs records including diagnostic imaging, laboratory results, and visit notes. The patient may request direct release to the new provider by specifying the recipient in the authorization.

Insurance and disability claims — Social Security Disability Insurance (SSDI) determinations through the Social Security Administration (SSA) require documented medical evidence spanning at least 12 months in most cases. Patients must authorize release to SSA Disability Determination Services.

Correcting errors — HIPAA grants patients the right to request amendment of PHI under 45 CFR § 164.526. The covered entity has 60 days to act and may deny the amendment if the record was not created by the entity, is accurate and complete, or falls outside the designated record set. A denial must be in writing with an explanation.

Minor patients and parental access — Access rights for records of minors are governed by a combination of HIPAA and state law. In states where minors may consent to specific services — such as substance use disorder treatment or reproductive health — parental access to those records may be restricted. This creates a direct interaction between federal privacy rules and state medical licensing and consent frameworks.

Deceased patients — For records of deceased individuals, the personal representative (typically the executor or administrator of the estate) holds HIPAA access rights for 50 years following the date of death, per 45 CFR § 164.502(f).


Decision Boundaries

Not all records access requests are straightforward approvals. Covered entities apply defined criteria when evaluating scope, format, and whether denial is permissible.

Permitted denials without review rights:

Permitted denials subject to review:

Authorized representative versus patient access — A covered entity must treat an authorized representative identically to the individual for access purposes, but must verify authority. The threshold for verification differs between a parent seeking a minor child's non-sensitive records (generally presumed) and a third party claiming power of attorney (documentation required).

Distinction: Authorization versus Right of Access — These are two separate legal mechanisms. The HIPAA right of access (45 CFR § 164.524) applies to requests by the individual for their own records. A HIPAA authorization (45 CFR § 164.508) is required when releasing PHI to third parties for purposes outside treatment, payment, or healthcare operations — such as release to an employer or attorney. Confusing these pathways is a common source of access delays.

The healthcare regulation federal agencies page covers the broader enforcement architecture within which HHS OCR operates, including complaint filing procedures and civil monetary penalty structures.

