You have a legal right to your medical records, and a written request is the most reliable way to get them. Under the HIPAA Privacy Rule, health care providers and health plans must give you copies of your health information when you ask. A simple letter with the right details can get the process moving, and providers generally have 30 days to respond.
What You’re Entitled To
Federal law gives you access to a broad set of health information, not just doctor’s visit notes. Your right covers what HIPAA calls the “designated record set,” which includes medical records, billing and payment records, insurance information, clinical lab results, medical images like X-rays, wellness and disease management program files, clinical case notes, and any other records used to make decisions about your care. If a provider or health plan used it in connection with your treatment or coverage, you can request a copy.
You can also request records in an electronic format. If the provider maintains your records electronically, you can ask for a digital copy, such as a PDF sent by email or made available through a patient portal.
What to Include in Your Letter
Most providers have their own release-of-information forms, but you’re not required to use them. A letter you write yourself works as long as it contains the right information. Here’s what to include:
- Date of your letter.
- Recipient details: the facility or provider name, mailing address, and “Attn: Release of Information” or the medical records department.
- Patient identification: your full legal name and date of birth. If you have a medical record number or patient ID, include that too.
- Specific records requested: list exactly what you want. You can request everything, or narrow it to specific types: treatment plans, physician notes, therapy records, emergency records, progress notes, lab work, prescriptions, consultation reports, referrals, imaging, discharge summaries, and correspondence.
- Date range: specify the dates of service you’re interested in, or state that you want all records on file.
- Preferred format: paper copies mailed to your address, electronic copies via email, or another method.
- A deadline: include a reasonable date by which you’d like the records. This gives the provider a clear expectation, though they’re legally required to respond within 30 days regardless.
- A note about fees: ask the provider to notify you in advance of any copying fees and the number of pages involved before they process the request.
- Your contact information: mailing address, phone number, and email address.
- Your signature.
Send the letter by certified mail with return receipt if you want proof of delivery. This creates a paper trail that becomes important if there’s a dispute later. You can also fax or email the request, depending on the provider’s preferred channels.
Requesting Records for Someone Else
If you’re requesting records on behalf of another person, you’ll need additional documentation. Parents requesting records for a minor child typically need to provide proof of their parental authority. For an incapacitated adult, you’ll need documentation showing you’re the legal guardian or hold power of attorney for health care decisions.
For a deceased family member, the executor or administrator of the estate can request records as a “personal representative” under HIPAA. The scope of access depends on the authority granted under state law and the relevant legal documents, so include a copy of the letters testamentary, court order, or other proof of your role. In your letter, clearly state your relationship to the patient and enclose the supporting documents alongside a signed HIPAA authorization form.
Identity Verification
Providers are required to verify your identity before releasing records, especially if you’re not personally known to the office. For a mailed request, this typically means including a copy of a government-issued photo ID. Some providers may also ask for additional verification, like your Social Security number or answers to security questions. If you’re submitting a request electronically, the provider may verify your identity through their patient portal login or by calling you at the phone number on file.
The 30-Day Response Window
Once a provider receives your request, they have 30 days to provide the records or give you a written explanation for any delay. In some cases, they can extend this by an additional 30 days, but they must notify you in writing of the extension and the reason for it before the first 30 days expire. If you haven’t heard anything after 30 days and haven’t received an extension notice, follow up in writing and reference the date of your original request.
Fees You Might Be Charged
Providers can charge a reasonable, cost-based fee for copies of your records. These fees are limited to the actual costs of labor for copying, supplies (paper, USB drives), and postage if you want them mailed. They cannot charge you for the time it takes to search for or retrieve your records. Many states set their own per-page limits that are lower than what federal law allows, so the fee you’ll see depends on where you live. Electronic copies sent by email or through a portal are typically cheaper than paper. If cost is a concern, requesting an electronic copy is almost always the better option.
When a Provider Can Say No
Denials are uncommon, but there are a few situations where a provider can legally refuse your request. Psychotherapy notes, which are a therapist’s personal process notes kept separate from the medical record, are generally excluded from your right of access. A provider can also deny access if a licensed health care professional determines that releasing the information would be reasonably likely to endanger your life or physical safety, or that of another person.
If your request is denied, the provider must give you the reason in writing and inform you of your right to have the denial reviewed. You can request that another licensed health care professional at the same organization review the decision, and the provider is required to honor that review.
Filing a Complaint if Records Are Withheld
If a provider ignores your request, charges excessive fees, or denies access without a valid reason, you can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Your complaint must be filed within 180 days of when you became aware of the violation, though OCR may extend that deadline if you can show good cause.
You can file through the OCR Complaint Portal online, or submit a written complaint by mail, fax, or email. Include your name, full address, phone number, and email. Identify the provider or facility by name, address, and phone number. Describe what happened, when it happened, and why you believe your access rights were violated. Sign and date the complaint. OCR will not investigate anonymous complaints, so contact information is required.
HHS has made enforcing the right of access a priority in recent years, and providers that fail to comply have faced significant penalties. Knowing this process exists gives your written request more weight, especially if you reference your rights under HIPAA in the letter itself.