Medical Records and Health Data: Your Rights and Access
Federal law gives patients specific, enforceable rights over their own medical information — rights that most people don't know they have until they need them. This page covers what those rights include, how the access process actually works, where the rules get complicated, and what happens when a provider or insurer pushes back. The stakes are real: health data influences insurance eligibility, employment decisions, and the quality of care a patient receives across different providers.
Definition and scope
A medical record is a documented account of a patient's health history — diagnoses, medications, lab results, imaging, treatment notes, surgical reports, vaccination history, and communications between providers. The scope is broader than most people expect. It includes billing records tied to clinical encounters, mental health session notes (with some carve-outs), genetic test results, and increasingly, data generated by wearable devices when that data is transmitted to a covered provider.
The governing federal framework is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), whose Privacy Rule is enforced by the HHS Office for Civil Rights (OCR). Under 45 CFR § 164.524, individuals have a right to inspect and obtain a copy of the protected health information (PHI) about them that a HIPAA-covered entity keeps in a "designated record set": the medical and billing records used to make decisions about the individual. Covered entities are health care providers that transmit standard electronic transactions (which is nearly every hospital and clinic that bills insurance), health plans, and health care clearinghouses.
What HIPAA does not cover is worth noting: fitness apps, direct-to-consumer genetic testing services like 23andMe, and many digital health platforms that operate outside the clinical billing relationship are not covered entities. Their data practices are governed primarily by their own privacy policies, by the FTC's authority over unfair or deceptive practices, by the FTC Health Breach Notification Rule (16 CFR Part 318) when a non-HIPAA personal health record is breached, and, in some states, by consumer health data statutes.
How it works
The mechanics of requesting records are more standardized than they used to be, thanks in part to the 21st Century Cures Act of 2016, which required certified health IT to expose patient data through standardized APIs "without special effort" and prohibited "information blocking": practices by a provider, health IT developer, or health information network that are likely to interfere with access to or exchange of electronic health information and do not fall under one of the regulation's defined exceptions.
The basic sequence works like this:
- Submit a written request to the provider's designated health information management or medical records department. Most providers now accept requests through a patient portal.
- Specify the records needed — date ranges, types of documents, and preferred format (electronic or paper).
- Receive a response. The covered entity must act on the request, either by providing access or by issuing a written denial, within 30 calendar days of receipt. A single 30-day extension is permitted if the entity gives written notice of the reason and the expected completion date within the initial 30 days, so the outer limit is 60 days (45 CFR § 164.524(b)(2)).
- Review and pay any fee. Providers may charge only a reasonable, cost-based fee covering the labor of copying, supplies, postage, and (if the patient agrees to one) preparation of a summary or explanation. Under HHS's 2016 guidance that fee may not include record-search or retrieval costs, overhead, or profit, and a flat fee of up to $6.50 is permitted for electronic copies of electronically maintained records. Note that in Ciox Health v. Azar (D.D.C. 2020) the court vacated application of that fee limit to requests directing records to a third party, so the cap applies most firmly when the patient requests a copy for themselves.
Under the Cures Act's information blocking rules (45 CFR Part 171, issued by the Office of the National Coordinator for Health Information Technology, ONC), the HHS Office of Inspector General can impose civil monetary penalties of up to $1,000,000 per violation on developers of certified health IT, health information exchanges, and health information networks. Health care providers found to be information blocking are instead subject to "appropriate disincentives" set by HHS, such as loss of incentive-program payments.
The broader landscape of patient rights and protections includes these access rights alongside protections around consent, grievances, and nondiscrimination — all of which intersect when records disputes arise.
Common scenarios
Transferring care to a new provider. This is the most routine use case. A patient moving from one primary care physician to another can direct the old practice to send the records straight to the new one (a third-party directive under § 164.524(c)(3)) or obtain a copy to carry over. Providers cannot refuse the request on those grounds, though they may require that it be in writing if they have told patients of that requirement.
Correcting an error. HIPAA also grants a right to amend records under 45 CFR § 164.526. If a record contains an inaccurate diagnosis or a wrong medication entry, a patient can request a correction; the provider must act on the request within 60 days, with one 30-day extension allowed. The provider may deny the amendment if it determines the record is accurate and complete, or if it did not create the record, but it must issue a written denial, and the patient can submit a written statement of disagreement that is kept with the record and sent out with any future disclosure of the disputed entry.
Requesting mental health notes. Psychotherapy notes (a clinician's notes documenting or analyzing a counseling session, kept separate from the rest of the medical record) are excluded from the standard access right under § 164.524(a)(1)(i), and a provider can decline to release them. The exclusion is narrow: medication prescriptions, session start and stop times, diagnoses, treatment plans, and test results are not psychotherapy notes even if a therapist wrote them, and remain accessible. State laws vary significantly here; some states extend broader access, others add further restrictions.
Deceased patient records. A personal representative, typically an executor or administrator of the estate or someone with legal authority to act for the decedent, can access the records of a deceased individual under HIPAA's personal representative provisions (45 CFR § 164.502(g)). The Privacy Rule's protections continue for 50 years after death, after which the information is no longer PHI.
Decision boundaries
The distinction between a covered entity's records system and a third-party data aggregator determines which legal framework applies. A hospital's EHR is HIPAA-governed; a health data broker that purchased de-identified records and re-linked them to identifiers may not be. The Federal Trade Commission has taken enforcement action against health app companies for sharing sensitive health data with advertisers without adequate disclosure, operating under Section 5 of the FTC Act and the Health Breach Notification Rule rather than HIPAA.
The other critical boundary is state law preemption. HIPAA is a federal floor, not a ceiling. States may — and do — impose stronger protections. California's Confidentiality of Medical Information Act (Cal. Civ. Code §§ 56–56.37) gives patients rights that exceed federal minimums in specific areas, including reproductive and mental health data. When state law is more protective, state law governs.
For anyone navigating the broader healthcare system for the first time, understanding records access is less a bureaucratic concern than a practical power — the ability to carry your own health history, correct what's wrong, and make informed decisions across every encounter with care.
References
- U.S. Department of Health & Human Services — HIPAA for Individuals
- HHS Office for Civil Rights — Right of Access Initiative
- 45 CFR § 164.524 — Access of Individuals to Protected Health Information (eCFR)
- ONC — 21st Century Cures Act Information Blocking Rule (45 CFR Part 171)
- Federal Trade Commission — Health Privacy
- Congress.gov — 21st Century Cures Act (H.R. 34, 114th Congress)