In almost every U.S. state, patients do not own their medical records. The physical or electronic file belongs to the healthcare provider or facility that created it. However, you have strong legal rights to access the information inside those records, control who else can see it, and obtain copies whenever you want. The distinction between owning the record and owning the information matters more than it might seem, especially when it comes to getting copies, switching doctors, or understanding what happens to your data.
Who Legally Owns the Record
All 50 states agree that the medical provider, not the patient, owns the tangible record itself. This applies whether the record is a paper chart in a filing cabinet or data stored in an electronic health record system. The hospital, clinic, or private practice that created the documentation holds it as their property.
New Hampshire is a notable exception when it comes to the information inside the record. State law there explicitly declares that medical information contained in records at licensed facilities is the property of the patient. Most other states don’t go that far, but courts have recognized that patients hold a property right in the information contained in their records, even when the provider owns the file. Think of it like renting an apartment: the landlord owns the building, but the contents inside are yours.
Your Right to Access and Copy Records
Federal law under HIPAA gives you the right to inspect your health information and obtain copies of it. This applies to virtually all healthcare providers, health plans, and clearinghouses. You can request your records in paper or electronic form, ask that they be emailed or mailed to you, and even direct that copies be sent to a third party like a new doctor, a lawyer, or a family member.
Providers cannot require you to pick up records in person or purchase a specific type of media. If you want your records emailed, they must accommodate that. If you want them on a USB drive, they can provide that too, but they can’t force you to buy the drive from them.
There are a few categories of information providers can withhold. Psychotherapy notes, which are a therapist’s personal process notes kept separate from the main medical record, are not subject to the same access rights. Providers can also deny access if a licensed professional determines that releasing certain information would pose a genuine safety risk to you or someone else. These situations are uncommon, and you have the right to have a denial reviewed.
What Providers Can Charge You
Providers are allowed to charge a reasonable, cost-based fee for copies of your records, but the rules on what counts as “reasonable” are specific. The fee can only cover four things:
- Labor for copying: The time spent actually creating and delivering the copy once the records have already been gathered and are ready to go.
- Supplies: Paper, toner, or electronic media like a CD if you request a physical format.
- Postage: If you ask for records to be mailed.
- Summary preparation: If you specifically request a summary instead of full records and agree to the fee in advance.
Importantly, providers cannot bill you for the time spent searching for your records, retrieving them from storage, reviewing the request, or maintaining their systems. They also cannot charge fees to recoup the cost of their data storage infrastructure. Even if state law authorizes higher fees, federal rules cap what can actually be charged. If a provider quotes you hundreds of dollars for a straightforward records request, that likely exceeds what HIPAA allows.
Electronic Access and Information Blocking
The 21st Century Cures Act, passed in 2016, went further than HIPAA by making the free flow of electronic health information the expected standard in healthcare. Under this law, providers, health IT companies, and health information networks are prohibited from engaging in “information blocking,” which means any practice that interferes with or discourages access to electronic health information.
This has real consequences. A provider who drags their feet on releasing your records, a software company that makes it unnecessarily difficult to export your data, or a health network that restricts which apps can connect to its system could all be violating the law. The rule even extends to automated tools: blocking access by technologies like patient-facing apps is considered interference. If your provider’s patient portal lets you view lab results and visit notes, that access exists partly because of this law.
What Happens to Your Data After It’s De-Identified
Here’s where the ownership question gets more complicated. When providers strip your name, address, birth date, and other identifying details from your health information, the resulting data is no longer considered protected health information under federal law. That means HIPAA’s privacy protections no longer apply to it, and the provider or institution holding that data can use or share it freely for research, commercial analysis, or sale to third parties.
You have no legal right to control or profit from de-identified data derived from your records. Hospitals and health systems routinely share this kind of data for comparative effectiveness studies, public health research, and pharmaceutical development. While the risk of someone re-identifying you from de-identified data is small, it is not zero. Researchers have demonstrated that combining de-identified health data with other publicly available datasets can sometimes link records back to specific individuals.
How Long Providers Must Keep Your Records
There is no single federal law dictating how long all providers must retain medical records. Requirements vary by state, by the type of provider, and by the patient’s age. A common baseline is seven years from the date of the last patient encounter. For pediatric records, many states require retention for seven years or until the patient turns 18, whichever is longer.
When a physician retires or closes a practice, they or a designated successor are still responsible for maintaining records for the required retention period. After that period expires, records can be destroyed. This is one practical reason to request copies of your own records periodically, especially if you’re changing providers or if your doctor is nearing retirement. Once the retention window closes and records are destroyed, there is no obligation to recreate them.
How to Actually Get Your Records
You can submit a records request to any provider in writing, and most now accept requests through their patient portals. You don’t need to give a reason for wanting your records, and you don’t need to go through a lawyer. Providers generally must respond within 30 days, with the possibility of a one-time 30-day extension if they notify you in writing and explain the delay.
If a provider refuses your request, charges excessive fees, or takes unreasonably long to respond, you can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights. HHS has actively enforced patients’ right of access in recent years, settling cases against providers who delayed or denied legitimate requests. The short version: you may not own the file, but the law is firmly on your side when it comes to getting what’s inside it.