Under federal law, you have the right to access, copy, and control your health information. Here's everything you need to know about HIPAA and your patient rights.
Get Started FreeLast updated: May 22, 2025
Many patients don't realize they have significant legal rights over their own medical information. Whether you need records for a new doctor, an insurance claim, a legal matter, or simply to understand your health history, federal law guarantees your access.
The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, establishes your fundamental right to access your protected health information (PHI). According to the U.S. Department of Health and Human Services, this right applies to nearly all healthcare providers, health plans, and healthcare clearinghouses.
Despite these clear legal protections, many patients encounter obstacles when trying to obtain their records. A 2022 study published in Health Affairs found that patients frequently face delays, excessive fees, and even outright denials when requesting their medical records — many of which violate federal law.
The Health Insurance Portability and Accountability Act (HIPAA) gives you powerful rights over your medical information. These aren't suggestions — they're federal law. Every healthcare provider, hospital, clinic, and insurance company must comply.
You can request and receive copies of your medical records, including doctor's notes, test results, imaging, and billing records.
If you find errors in your records, you can request corrections. Providers must respond within 60 days.
Your health information cannot be shared without your consent, except for treatment, payment, or healthcare operations.
You can receive your records in paper or electronic format. Many providers now offer digital downloads or patient portals.
Under HIPAA, you have the right to access your "designated record set" — the medical and billing records your healthcare provider uses to make decisions about your care. This includes:
There are very few situations where a provider can legally deny you access to your records:
Call your doctor's office, hospital, or clinic and ask for the medical records or health information department. Many now have online request forms through patient portals.
Most providers require a signed authorization form. Specify what records you need, the date range, and how you want to receive them (mail, email, pickup, or fax). Be specific to avoid delays.
By law, providers must respond within 30 days (up to 60 with written notice of extension). Electronic records from patient portals are often available immediately.
Providers can charge reasonable fees for copying and mailing paper records. Electronic copies must be provided at low or no cost. They cannot charge for searching or retrieving records.
While providers can charge for copying records, HIPAA limits these fees to "reasonable, cost-based" amounts. Many states have additional laws capping medical records fees.
Source: HHS HIPAA Access Guidance
Your medical records contain a comprehensive history of your healthcare. You have the right to access all of it.
Denials are rare and can only happen in specific circumstances — like if releasing records would endanger you or someone else. If you believe you've been wrongly denied:
Providers must explain in writing why your request was denied and inform you of your right to appeal.
You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR).
Many hospitals have patient advocates who can help resolve disputes and ensure you receive your records.
Some providers may try to discourage you from obtaining records through tactics that violate HIPAA:
Parents and legal guardians generally have the right to access medical records for minor children. However, state laws vary, and some give adolescents privacy rights for certain types of care (mental health, reproductive health, substance abuse treatment).
If you're a caregiver for an elderly parent or disabled adult, you'll need a valid authorization or legal documentation (healthcare power of attorney, guardianship) to access their records. Learn more about managing health records for elderly parents.
If your doctor has retired or a practice has closed, records should have been transferred to another provider or a medical records storage company. Contact your state medical board or health department for help locating records from closed practices.
State medical boards typically require that deceased physicians' patient records be maintained and accessible. Contact your state medical board for specific procedures.
Yes. Under HIPAA (Health Insurance Portability and Accountability Act), you have the legal right to access and obtain copies of your medical records. This includes records held by doctors, hospitals, clinics, pharmacies, insurance companies, and other healthcare entities covered by HIPAA.
Healthcare providers must respond to your request within 30 days. They can extend this by an additional 30 days (60 days total) if they provide written notice explaining the delay. Electronic records through patient portals are often available immediately.
Providers can charge reasonable, cost-based fees for copying and mailing paper records. They cannot charge for searching or retrieving records. Electronic copies must be provided at no charge or minimal cost. Many states cap medical records fees, typically ranging from $0.25-$1.00 per page.
Denials are rare and only permitted in specific circumstances, such as if releasing records would endanger you or someone else, or for psychotherapy notes. If denied, providers must give you a written explanation and inform you of your right to appeal or file a complaint.
First, request a written explanation for the denial. Then, you can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). You can also contact a patient advocate at the healthcare facility.
Generally yes. Parents or legal guardians can access medical records for minor children. However, some state laws give adolescents privacy rights for certain types of care (like mental health or reproductive health). Once a child turns 18, they control access to their own records.
Retention periods vary by state and record type, but most states require providers to keep adult records for 5-10 years after the last treatment. Pediatric records are typically kept until the child reaches age 18-21 plus several years. Medicare records must be kept for 5 years.
Once you have your medical records, where do you put them? Scattered across email attachments, patient portals, and filing cabinets isn't practical. MyMedicalCabinet gives you a single, secure location to store, organize, and access all your health information — whenever you need it.
Stop chasing down paperwork. Store everything in one secure place — free.
Get Started Free.png)