A medical record is the complete collection of documents and data that tracks your health history, diagnoses, treatments, test results, and interactions with healthcare providers. It can exist as a paper chart, a digital file, or both, and it follows a structured format designed to give any treating clinician a reliable snapshot of your health at any point in time. Whether you’ve visited a single doctor or dozens of specialists over decades, each encounter generates documentation that becomes part of this record.
What a Medical Record Contains
A medical record is more than a list of past appointments. It typically includes your demographic information (name, date of birth, contact details, insurance), a running medication list with doses and frequencies, known allergies, immunization history, vital signs from each visit, lab results, imaging reports, and clinical notes written by your providers. It also documents the reasoning behind major treatment decisions, including the risks and benefits your clinician weighed when choosing a course of action.
For each visit, clinicians often write what’s called a SOAP note, structured into four parts. “Subjective” captures what you reported: your symptoms, your social history, your concerns. “Objective” records measurable findings like blood pressure, physical exam results, and lab values. “Assessment” is where the clinician synthesizes all of that into a diagnosis or problem list, ranked by priority. “Plan” outlines next steps: tests to order, referrals to make, treatments to start. This format keeps documentation consistent so that any provider reading the note later can quickly understand what happened and why.
Behind the scenes, your record also contains standardized codes that translate diagnoses and procedures into a universal language used for billing and insurance. Diagnosis codes (called ICD-10 codes) describe your condition, while procedure codes describe what was done during your visit, from a routine evaluation to a surgical procedure. You’ll rarely interact with these codes directly, but they’re embedded in every claim your insurance processes.
EMR vs. EHR: Two Different Scopes
You’ll often see the terms “electronic medical record” (EMR) and “electronic health record” (EHR) used interchangeably, but they describe different things. An EMR is essentially a digital version of the paper chart in a single doctor’s office. It holds your treatment history within that one practice, but the information doesn’t travel easily to other providers.
An EHR is broader. It’s designed to follow you across multiple healthcare organizations, sharing your information with specialists, labs, hospitals, and pharmacies involved in your care. EHRs are built for interoperability, meaning they can send and receive data between different systems. They’re also designed to be accessed by you, the patient, not just your clinicians. The federal government now requires participating healthcare providers to meet specific standards for electronic prescribing, health information exchange between providers, and provider-to-patient data sharing.
Who Owns Your Medical Record
This is one of the most commonly misunderstood aspects of healthcare documentation. In all 50 U.S. states, the healthcare provider or facility owns the physical or digital record itself. Twenty-one states have explicit statutes confirming this. However, the information contained in that record is a different matter. Courts have recognized that patients hold a property right in their health data, even when they don’t own the file it’s stored in. Some state laws explicitly declare that the medical information within the record is the property of the patient.
In practical terms, this means your doctor’s office owns the chart, but you have legal rights to the information inside it, including the right to access it and to control who else can see it.
Your Right to Access Your Records
Under federal privacy law (HIPAA), you have the right to request and receive a copy of your health information. A healthcare provider must respond to your request within 30 calendar days. If the records are archived offsite or otherwise hard to retrieve, the provider can extend that deadline by an additional 30 days, but only once, and they must notify you in writing with a reason for the delay and a new expected date.
If your request is denied in whole or in part, the provider must explain why in writing within that same timeframe. Denials are limited to specific circumstances, such as records created for legal proceedings or situations where access could endanger someone’s safety.
Most providers now offer patient portals that give you direct digital access to portions of your record. Through a portal, you can typically view visit summaries, test results, immunization records, allergy lists, and current medications. Many portals also let you send secure messages to your care team, schedule appointments, and request prescription renewals.
How Your Information Is Protected
HIPAA’s Privacy Rule governs who can see your health information and under what circumstances. The law defines “protected health information” (PHI) broadly: it’s any health data that can be linked to you as an individual. To strip that link, 18 specific identifiers must be removed, including your name, address, birth date, phone number, email, Social Security number, medical record number, health plan ID, photographs, biometric data like fingerprints, and even IP addresses or device serial numbers. If all 18 identifiers are scrubbed, the data is considered de-identified and no longer falls under HIPAA’s restrictions.
For data that hasn’t been de-identified, your provider can share it with other clinicians involved in your care, with your insurance company for payment purposes, and for certain public health functions. Sharing it for most other purposes requires your written authorization.
How Long Records Are Kept
Retention requirements vary by state, but industry guidelines recommend keeping adult medical records for at least 10 years after the most recent encounter. When no specific state law exists, the standard minimum is five years from the date of discharge or last service. For children, the rules are more protective: records are generally retained until the child reaches the age of majority (18 in most states) plus the applicable statute of limitations period, which often adds several more years.
Long-term care facilities follow their own rules, typically retaining records as required by state law or for five years from discharge if no state law applies. For minors in long-term care, records are kept for at least three years after the resident reaches legal age. These minimums exist so that records remain available for continuity of care, legal proceedings, and insurance disputes long after the original treatment.