You can send medical records electronically through patient portals, secure messaging systems, mobile health apps, or HIPAA-compliant file transfer services. The method you use depends on whether you’re a patient requesting your own records or a provider sharing them with another office, but in all cases, the transfer must be encrypted to protect sensitive health information.
Request Records Through Your Patient Portal
The simplest route for most patients is your healthcare provider’s patient portal. Nearly all electronic health record systems now offer a portal where you can log in, view your records, and either download or transmit them. When you export your records, they’ll typically come in one of a few standard formats: a Continuity of Care Document (C-CDA), which is a structured file that other health systems can read and import, or a PDF, which any computer or phone can open but can’t be automatically imported into another provider’s system.
If you need records sent to a new doctor, many portals let you authorize a direct transfer. Call or message your provider’s office and ask them to send records electronically to the receiving provider. You may need to sign a release form, but the actual transmission happens through secure channels on the back end.
How Providers Send Records to Each Other
When one doctor’s office sends your records to another, the most common method is Direct Secure Messaging. This looks like email but is far more secure. Each sender and receiver has a unique Direct address, and a system called public key infrastructure encrypts every message and attachment so only the intended recipient can open it. Both the message body and any attached files stay encrypted the entire way from sender to receiver.
Direct Secure Messaging was developed in 2010 as a public-private partnership specifically to create a low-cost way for different health technologies to talk to each other. A Health Information Service Provider (HISP) manages the servers and handles all the encryption and digital signing behind the scenes. You don’t need to understand the technical details, but if a provider tells you they’ll “send it through Direct,” this is what they mean.
For larger health systems, a newer standard called FHIR (Fast Healthcare Interoperability Resources) allows different electronic health record systems to exchange data at a granular level using web-based tools. FHIR is what powers many of the app-based connections patients now use to pull their records into a single place.
Using Mobile Health Apps
Apps like Apple Health Records let you pull medical data from multiple providers into one place on your phone. The process is straightforward: you search for your healthcare organization within the app, select it from a list of participating providers, then log in using your patient portal credentials. You choose which categories of data to share, and the app pulls in your records automatically. From there, you can share that data with a new provider or specialist.
These apps use the FHIR standard to connect to your provider’s system, which means they can access specific pieces of clinical data (lab results, medications, immunizations) rather than downloading one massive file. The connection stays active, so new results appear in your app as they’re added to your medical record.
Sending Imaging Files Like MRIs and CT Scans
Medical images require special handling because the files are large and use a specific format called DICOM, the international standard for medical imaging. DICOM governs how images from CT scans, X-rays, and MRIs are stored, searched, and retrieved.
Many imaging centers now use cloud-based sharing platforms. These systems use web protocols that let a receiving provider search for your study, pull up specific images or series, and view them in a browser without needing special software. When you get an MRI or CT scan, ask the imaging center for a link or access code to share your study electronically. Some centers still offer CDs, but cloud sharing is faster and avoids compatibility problems with disc drives.
HIPAA-Compliant File Transfer Services
When records don’t fit neatly through a patient portal or Direct Messaging, providers sometimes use dedicated secure file transfer platforms. These services are built specifically for sensitive health data and must meet several requirements: encryption during transmission and storage, detailed audit logs with timestamps for every transfer, access controls that limit who can open the files, and a signed Business Associate Agreement (BAA) between the platform vendor and the healthcare organization. The BAA is mandatory under HIPAA and makes the vendor legally responsible for protecting your data.
If someone asks you to upload records to a third-party platform, verify that the service is HIPAA-compliant before sending anything. Regular email, consumer cloud storage, and standard file-sharing services do not meet the security requirements for health information.
Your Legal Right to Electronic Records
Federal law gives you a clear right to your records in electronic form. Under HIPAA, a provider must act on your request within 30 calendar days. If they can’t meet that deadline, they can take up to an additional 30 days, but only if they notify you in writing during the initial period with a reason for the delay and a date you can expect your records.
The 21st Century Cures Act goes further by prohibiting “information blocking,” which means providers, health IT developers, and health information networks cannot unreasonably prevent you from accessing or sharing your electronic health information. If a provider denies your request, they must give you a written explanation within 10 business days. The law covers most of what’s in your medical record, with narrow exceptions for psychotherapy notes and information compiled for legal proceedings.
What Electronic Records Should Cost
Providers can charge you for electronic copies, but the fees are capped. For electronic records maintained in an electronic system, a provider can charge a flat fee of no more than $6.50 per request. That $6.50 covers all labor, supplies, and any postage. Alternatively, a provider can calculate the actual cost of fulfilling your specific request or use a schedule based on average labor costs, but the flat fee option exists specifically so neither you nor the provider has to deal with itemized cost calculations. If you’re being charged significantly more than $6.50 for an electronic copy, push back and reference the HHS guidance on allowable fees.
Steps to Get Your Records Sent
- Identify the destination. Get the name, fax number, Direct address, or portal information for the provider or facility that needs your records.
- Submit a written request. Most offices have a records release form. Specify that you want electronic delivery and note the format if you have a preference (C-CDA for importing into another health system, PDF for personal use).
- Confirm the method. Ask whether records will be sent through Direct Secure Messaging, a patient portal transfer, or a secure file transfer link.
- Follow up at 30 days. If you haven’t received confirmation that records were sent, contact the office. The legal clock started when they received your request.
- Check the receiving end. Confirm with the new provider that the records arrived and are readable. Electronic transfers occasionally fail due to system incompatibilities, and catching this early prevents delays in your care.