A medical record is the complete collection of documents and data that tracks your health history across every interaction with healthcare providers. It includes everything from your diagnoses and medications to lab results, imaging reports, surgical notes, and vaccination history. Whether stored on paper or digitally, your medical record serves as the running narrative of your health, used by providers to make treatment decisions and by you to understand your own care.
What a Medical Record Contains
Medical records follow a fairly standard structure, though the exact format varies between providers and hospitals. At the most basic level, every record starts with patient identification and biographical information: your name, date of birth, address, insurance details, and emergency contacts.
The clinical core of the record is much more detailed. It typically includes:
- Medical history: past illnesses, surgeries, chronic conditions, and family health patterns
- Physical examination notes: findings from each visit, including vital signs like blood pressure, heart rate, and weight
- Diagnoses: both current and resolved conditions
- Medications: active prescriptions, dosages, and past medications
- Allergies: drug allergies, food allergies, and reactions to materials like latex
- Lab and test results: bloodwork, imaging scans, pathology reports
- Immunization records: vaccines received and their dates
- Treatment plans: care instructions, referrals, and follow-up schedules
Beyond these basics, your record may contain consent forms you’ve signed, discharge summaries from hospital stays, therapy or rehabilitation notes, and correspondence between providers about your care. If you’ve had any surgeries, the operative reports detailing what was done are part of the record as well.
EMR, EHR, and PHR: Three Types of Digital Records
Most medical records today are digital, but the terminology around them can be confusing. Three abbreviations come up frequently, and they mean different things.
An Electronic Medical Record (EMR) is a digital version of your chart at a single practice or hospital. It’s managed by that specific institution and generally stays within their system. If you see a primary care doctor and a cardiologist at separate health systems, each one maintains its own EMR for you.
An Electronic Health Record (EHR) is broader. It’s designed to be shared across multiple authorized institutions using national interoperability standards, so your information can follow you between providers. When your primary care doctor pulls up notes from a specialist at a different hospital, that’s the EHR framework at work. In everyday conversation, people use EMR and EHR interchangeably, but the key distinction is that EHRs are built for sharing across organizations.
A Personal Health Record (PHR) is something you control directly. It’s a health-related electronic record that you manage yourself, potentially drawing information from multiple sources. Think of apps or patient portals where you can view your own data, add notes, track symptoms, or compile records from different providers into one place. Unlike EMRs and EHRs, a PHR isn’t maintained by a medical institution.
Your Right to Access Your Records
Under the HIPAA Privacy Rule, you have a legal right to access your own health information. When you submit a request, your provider must respond within 30 calendar days. If the records are archived offsite or otherwise difficult to retrieve, the provider can extend that window by an additional 30 days, but only if they notify you in writing during the initial 30-day period explaining the reason for the delay and when you can expect the records.
If a provider denies your request, whether in full or in part, they must also provide that denial in writing within the same timeframe. Denials can’t be arbitrary. HIPAA limits the reasons a provider can refuse access, and you generally have the right to have the denial reviewed.
Providers may charge a reasonable, cost-based fee for copying records, particularly for paper copies. Electronic copies delivered through a patient portal are often free or low cost. Many health systems now offer real-time access through online portals where you can view lab results, visit summaries, and medication lists without filing a formal request at all.
Who Else Can See Your Records
Your medical records are protected health information, and providers generally cannot share them without your written authorization. But HIPAA carves out several exceptions where disclosure can happen without your explicit consent.
Public health authorities can receive your information for purposes like tracking and controlling disease outbreaks, monitoring injuries, or investigating reports of child abuse and neglect. The FDA can access relevant records for adverse event reporting, product recalls, and post-marketing safety surveillance. If you’ve been exposed to a communicable disease, authorities may be legally permitted to notify you even though that involves accessing another person’s health data.
Employers can receive limited information when it relates to a workplace injury, illness, or medical surveillance required under occupational safety laws. This applies only to the specific work-related condition, not your full medical history.
Law enforcement access is more tightly controlled. Providers can share records with police when compelled by a court order, subpoena, or warrant. They can also disclose limited information to help locate a suspect, fugitive, or missing person, or when the provider believes a crime occurred on their premises. In a medical emergency, a provider may share information with law enforcement about the nature and location of a crime or its victims.
How Long Records Are Kept
There’s no single nationwide rule for how long medical records must be stored, because retention requirements vary by state. At the federal level, the Centers for Medicare and Medicaid Services requires providers to maintain records for at least 7 years from the date of service. Many states set their own minimums, which can range from 5 to 10 years for adult records.
Pediatric records often follow different rules. Several states require that records for minors be kept until the patient reaches a certain age (commonly 18 or 21) plus an additional retention period, which can push the total storage time well beyond what’s required for adults. If you need records from childhood, it’s worth checking your state’s specific retention law to see whether they may still be on file.
Even after the legal retention period expires, many institutions keep records longer, especially in digital systems where storage costs are minimal. But there’s no guarantee, so requesting copies of important records for your own files is a practical safeguard.
Correcting Errors in Your Record
Medical records aren’t always accurate. A wrong allergy, an incorrect diagnosis code, or a note attributed to the wrong patient can all end up in your chart. Under HIPAA, you have the right to request an amendment to your health information if you believe something is inaccurate or incomplete.
To start the process, you submit a written request to your provider specifying what you want changed and why. The provider must respond within 60 days. They can accept the amendment and update your record, or they can deny it if they believe the existing information is accurate and complete. If denied, you have the right to submit a written statement of disagreement that becomes a permanent part of your record, so future providers who review your chart can see your objection alongside the original entry.
Corrections don’t erase the original information. Instead, the record is typically appended with the corrected data and a note explaining the change. This preserves the integrity of the original documentation while ensuring the accurate information is visible going forward.