Accessing and Managing Your Medical Records in the US
Medical records sit at the center of nearly every healthcare decision a person will ever make — from a routine medication refill to a second opinion at a specialist three states away. Federal law gives patients the right to see, copy, and request corrections to their own health information, but the practical process of actually getting those records can involve more steps, more waiting, and more paperwork than most people expect. This page explains how medical record access works in the United States, what the law requires of providers, and how to navigate the most common situations where records matter most.
Definition and scope
A medical record is a collected account of a patient's clinical history held by a healthcare provider or health plan — lab results, imaging reports, physician notes, prescription histories, diagnoses, treatment plans, and discharge summaries, among others. The legal framework governing access to that information is built primarily on two statutes: the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and, for records held by federally funded programs, the Privacy Act of 1974.
Under HIPAA's Privacy Rule, patients have the right to inspect and receive a copy of what's called a "designated record set" — the medical and billing records a covered entity uses to make decisions about individuals (HHS HIPAA Privacy Rule, 45 CFR §164.524). That right extends to records held by hospitals, physician offices, pharmacies, health plans, and most other covered entities. It does not automatically extend to records held by employers, life insurance underwriters, or entities that are not "covered entities" under HIPAA — a distinction that trips up patients who assume all health-related data is equally accessible.
The scope of "medical records" has expanded considerably as healthcare technology and innovation have moved documentation into electronic systems. Electronic Health Records (EHRs) now hold structured data that can be exported in standardized formats, and since 2021, the 21st Century Cures Act's information blocking provisions have imposed additional obligations on health IT developers and providers to make data available through APIs, specifically the HL7 FHIR standard (ONC, 45 CFR Part 171).
How it works
Requesting medical records follows a fairly predictable sequence, though the timeline and format options vary by provider.
- Submit a written request. Most providers require a signed authorization form, either their own form or a HIPAA-compliant release of information form. Verbal requests are sometimes honored internally, but providers are not required to honor them.
- Specify what you want. The request should identify the date range, record types (lab results, imaging, clinical notes, billing records), and the format — paper copy, electronic file, or direct transmission to another provider.
- Wait up to 30 days. HIPAA allows covered entities 30 calendar days to fulfill a request, with one 30-day extension if written notice is provided. Many large hospital systems fulfill requests in 5 to 15 business days through online patient portals.
- Pay the access fee (if any). Providers may charge a "reasonable, cost-based fee" for copies — covering labor for copying, supplies, and postage. Under HHS guidance, that fee cannot include costs for searching and retrieving the records (HHS FAQ on HIPAA fees). For electronic records sent to a patient-designated third party, the fee is typically limited further.
- Request amendments if needed. Patients can ask a provider to correct inaccurate or incomplete records. The provider has 60 days to respond and may deny the request with a written explanation, but patients can submit a written statement of disagreement that becomes part of the record.
Patient portals, now standard at most major health systems following Meaningful Use incentive programs, allow 24-hour access to lab results, visit summaries, and medication lists without a formal request. The practical contrast is stark: a portal delivers a CBC result within hours of sign-off; a formal records request for the same document may take two weeks.
Common scenarios
Understanding patient rights and protections in the abstract is less useful than knowing how they apply in specific situations.
Changing providers. When moving from one primary care physician to another, patients can either request records directly and hand-carry them or authorize the new provider to request them. The second path adds time. For patients managing chronic disease, a complete record transfer ensures medication continuity and avoids redundant diagnostic testing.
Seeking a second opinion. Specialty consultations — especially for cancer diagnoses, complex surgical decisions, or ambiguous imaging findings — require the consulting specialist to have the full record. Imaging studies are often the bottleneck; CD copies of MRI or CT scans involve radiology departments separately from the general records office.
Estate and deceased patient records. HIPAA permits access to a deceased patient's records by a personal representative — typically the executor of the estate or the next of kin — for up to 50 years after death (45 CFR §164.502(f)).
Mental health and substance use records. These carry additional layers of protection. Psychotherapy notes — the clinician's personal session notes — are excluded from the standard designated record set and require separate authorization. Substance use disorder treatment records at federally assisted programs are governed by 42 CFR Part 2, a stricter framework than HIPAA that limits redisclosure without explicit patient consent. This distinction matters for anyone navigating substance use disorder treatment or mental health services.
Decision boundaries
Not every request produces what the patient expected, and knowing where the limits fall prevents unnecessary frustration.
HIPAA permits a covered entity to deny access in specific, enumerated circumstances — for example, if a licensed healthcare professional determines that access would endanger the life or physical safety of the patient or another person. That denial can be reviewed by a designated reviewing official, and patients have the right to request such review. Psychotherapy notes, as noted above, sit outside the standard access right entirely.
Records older than the provider's retention period may simply not exist. Retention requirements vary by state: most states require adult patient records to be kept for a minimum of 7 to 10 years from the date of last treatment. Healthcare access and equity concerns compound the problem, because patients from lower-income backgrounds disproportionately received care from smaller or closed practices where historical records were not transferred.
When a provider denies a request improperly, the enforcement path runs through the HHS Office for Civil Rights (OCR), which investigates HIPAA complaints. OCR can impose civil money penalties ranging from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category (HHS OCR HIPAA Enforcement). Filing a complaint costs nothing and requires only that the incident occurred within 180 days of the patient becoming aware of the violation.
For patients navigating healthcare costs and billing, one underused tool is the right to access billing records as part of the designated record set — which can surface itemized charges, diagnosis codes, and procedure codes that are essential for disputing incorrect bills or appealing insurance denials.