In all 50 U.S. states, the healthcare provider or facility owns the physical medical record, not the patient. But ownership of the record itself is only part of the story. Patients have strong legal rights to access, copy, and control the information inside those records, creating a split that confuses many people.
The Provider Owns the Record Itself
Whether it’s a paper chart in a filing cabinet or an entry in an electronic health system, the tangible medical record belongs to the provider who created it. More than 20 states have statutes explicitly saying so, including California, Florida, Texas, New York, and Virginia. The remaining states reach the same conclusion through case law or regulation. No state gives the patient outright ownership of the physical record.
This makes practical sense when you think about it. A hospital maintains thousands of records, invests in storage and software, and needs those files to coordinate care across departments. The record is a business document as much as it is a clinical one. Providers are also legally required to retain records for set periods (often seven to ten years, depending on the state), which would be hard to enforce if patients owned and could destroy the originals.
You Own the Right to Your Information
While providers hold the record, federal law gives you a robust set of rights over what’s in it. Under the HIPAA Privacy Rule, you can inspect your health information, request copies in paper or electronic form, and direct your provider to send records to a third party of your choosing. Providers must respond to your access request within 30 days and can take a one-time 30-day extension if they notify you in writing.
New Hampshire is the only state that goes further, explicitly granting patients ownership of the information contained in the medical record. Everywhere else, you don’t technically “own” the data, but your access rights function a lot like ownership in practice. Providers can charge a reasonable fee for copying and mailing records, but they cannot refuse to hand over your information simply because you haven’t paid an outstanding medical bill.
The 21st Century Cures Act strengthened these protections further. Healthcare providers and health IT companies are now prohibited from “information blocking,” meaning they cannot unreasonably delay or obstruct your access to electronic health information. Violations can result in financial penalties, which gives providers a strong incentive to respond promptly.
You Can Request Corrections
If you spot an error in your medical record, you have the right to request an amendment. You’ll typically need to submit the request in writing and explain why the information is wrong. Your provider has 60 days to act on the request, with the option to extend that deadline once by an additional 30 days if they explain the delay in writing.
Providers can deny an amendment request if they believe the existing record is accurate, if the information was not created by that provider, or if the record is not part of the set you’re entitled to access. If your request is denied, you have the right to submit a statement of disagreement that gets attached to your record going forward, so future readers see your objection alongside the original entry.
What Happens When You Share Records With an App
This is where ownership gets genuinely tricky. When your health information sits with a hospital or doctor’s office, HIPAA protections apply. But the moment you direct a provider to send your records to a third-party health or wellness app, those protections disappear. The app is not a “covered entity” under HIPAA, so it can use your data under its own privacy policy, which may allow sharing with advertisers, data brokers, or researchers.
The Department of Health and Human Services has been clear on this point: once a covered entity discloses information to an app at your direction, the provider is not liable for what the app does with it. HIPAA places no restrictions on how you or your chosen app may use health information obtained through your right of access. This means the practical “ownership” of your data shifts dramatically depending on where it lives. Before sending records to any app, it’s worth reading its privacy policy carefully to understand who else might see your information.
Who Controls Records After Someone Dies
A deceased person’s health records remain protected under HIPAA for 50 years after death. During that period, control passes to the decedent’s “personal representative,” which is the legal term for an executor of the estate, an administrator, or anyone else authorized under state law to act on the deceased person’s behalf.
That personal representative steps into the patient’s shoes. They can access the records, authorize disclosures to insurance companies or attorneys, and exercise all the same rights the patient would have had while alive. Without a personal representative’s written authorization, providers generally cannot release a deceased patient’s health information to family members, even close relatives, unless another HIPAA exception applies (such as a coroner’s investigation or a public health purpose).
The Short Version
The provider owns the container. You own the right to what’s inside. In practice, that right to access, copy, correct, and direct your health information gives you meaningful control over your records even though you don’t hold title to the physical or electronic file. The gap between record ownership and information rights narrows further each year as federal rules push providers toward faster, more complete electronic access. The one area where your control weakens is when you voluntarily move health data outside the HIPAA-protected ecosystem into consumer apps, where different rules apply.