Yes. Under federal law, you have a legal, enforceable right to see and receive copies of your medical records. This right comes from the HIPAA Privacy Rule, which applies to virtually all healthcare providers and health plans in the United States. With only a few narrow exceptions, no provider can refuse to give you your own health information when you request it.
What the Law Actually Guarantees
The Health Insurance Portability and Accountability Act (HIPAA) has protected patient access to health records since 1996. The Privacy Rule within HIPAA gives you the right to inspect your records in person and to request copies in paper or electronic form. This covers everything in your “designated record set,” which includes medical charts, billing records, insurance enrollment information, lab results, imaging reports, and clinical notes.
A separate federal law, the 21st Century Cures Act, strengthened this right further. It made “information blocking” illegal, meaning healthcare providers and electronic health record companies cannot unreasonably prevent you from accessing your health data electronically. In practice, this is why most hospitals and clinics now offer patient portals where you can view lab results, visit notes, and other records shortly after they’re created.
A Few Types of Records Can Be Withheld
The right of access is broad, but it isn’t absolute. Providers can legally withhold:
- Psychotherapy notes. These are a therapist’s personal notes from counseling sessions, kept separately from your main medical chart. Your regular mental health treatment records (diagnoses, medications, treatment plans) are still accessible to you.
- Information compiled for legal proceedings. If records were gathered in anticipation of a lawsuit or legal action, they may be excluded.
- Confidential source information. If a family member or other non-provider shared concerns about you under a promise of confidentiality, the provider can withhold that information if releasing it would reveal who provided it.
Outside of these categories, a provider cannot cherry-pick which parts of your record to share. You are entitled to the full contents of your file.
How to Request Your Records
Most providers have a standard process. You typically submit a written request, either on paper or through an online portal. The provider must act on your request within 30 days. If they need more time, they can extend the deadline by an additional 30 days, but only once, and they must notify you in writing with the reason for the delay and the expected completion date.
You can request records in the format you prefer. If you want an electronic copy and the provider’s system can produce one, they must accommodate that. You can ask for records to be emailed to you, saved to a CD or USB drive, or mailed as paper copies. If the provider cannot produce the exact format you request, they must offer a readable alternative you can agree on.
You can also ask that your records be sent directly to a third party, such as another doctor or a family member, as long as your request is in writing and clearly identifies the recipient.
What Providers Can (and Cannot) Charge
When you request copies of your own records, the provider can charge a reasonable, cost-based fee, but only for a narrow set of expenses: the labor involved in copying the records, the cost of supplies like paper or a USB drive, and postage if you ask for mailed copies. That’s it.
Providers cannot charge you for searching for your records, retrieving them from storage, verifying your identity, or maintaining the systems that store the data. Many states have their own fee schedules for medical records, but those state rates apply to third-party requests (like from lawyers or insurance companies). When you request your own records, the stricter HIPAA cost-based limits apply, even if state law would otherwise allow higher fees.
Your Right to Correct Errors
Access is only part of the picture. If you review your records and find something inaccurate or incomplete, you also have the right to request an amendment. The provider may ask you to submit the request in writing and explain why you believe the information is wrong.
The provider must respond within 60 days. They can extend this by 30 days if they notify you in writing, but only one extension is allowed. If the provider agrees with your correction, they must update the record and notify anyone who previously received the incorrect information. If they deny your request, they must give you a written explanation, and you have the right to submit a statement of disagreement that becomes a permanent part of your file.
When Someone Else Can Access Your Records
HIPAA allows a “personal representative” to access your records on your behalf. Who qualifies depends on state law, but it generally includes anyone with healthcare power of attorney, a court-appointed legal guardian, or the executor of a deceased person’s estate. For these individuals, the provider must treat them as if they were you for purposes of record access.
Parents generally have the right to access their minor child’s medical records, even in situations where the parent did not consent to the child’s treatment. There are exceptions when state law gives the minor control over certain types of care (like reproductive health in some states), and in cases where a provider reasonably believes the personal representative may be subjecting the patient to abuse or neglect. In those situations, the provider can refuse access if they judge it would not be in the patient’s best interest.
What to Do If Your Request Is Denied
If a provider refuses to release your records or fails to respond within the required timeframe, you can file a complaint with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services. The OCR investigates HIPAA violations and has the authority to impose penalties on providers who don’t comply. You can file online at the HHS website or by mail. There is no cost to file a complaint, and the provider is prohibited from retaliating against you for doing so.
Before filing a formal complaint, it can help to put your request in writing again, reference your rights under HIPAA, and ask to speak with the provider’s privacy officer. Many denials result from administrative confusion rather than intentional obstruction, and a clear, documented request often resolves the issue.