In most U.S. states, the private practice physician or practice entity owns the physical medical record, whether it’s a paper chart or an electronic file. The patient, however, has a separate and federally protected right to access, obtain copies of, and control the sharing of the health information contained in that record. This distinction between owning the container and owning the contents is the core of how medical record ownership works in the United States.
The Provider Owns the Record, the Patient Owns the Data
No single federal law declares who owns a medical record outright. HIPAA, the main federal health privacy law, intentionally sidesteps the ownership question and leaves it to individual states. What HIPAA does establish is a strong, legally enforceable right for patients to see and receive copies of their protected health information. That right applies regardless of whether the records are on paper or in an electronic system, stored on-site or archived off-site, and no matter when the information was originally created or who created it.
The practical effect is a split system. The practice owns the physical or digital chart as a business asset. It paid for the paper, the software, the storage, and the staff time to create and maintain those records. But the information inside, your diagnoses, lab results, treatment notes, imaging reports, belongs to you in the sense that you can demand access to it and direct where it goes. Most state laws reinforce this arrangement explicitly. Michigan’s medical records statute, for example, includes a provision stating that nothing in its record-keeping requirements “shall be construed to create or change the ownership rights to any medical records,” effectively preserving the traditional rule that the record belongs to the provider while the patient retains access rights.
What You Can and Can’t Access
Your right to your own health information is broad, but it isn’t unlimited. HIPAA carves out a few narrow exceptions where a provider can legally deny you access to portions of your record.
- Psychotherapy notes. A therapist’s personal notes from counseling sessions, if they are kept separately from your main medical chart, are not included in your HIPAA access rights. These are distinct from standard progress notes or treatment summaries, which you can access.
- Information that could reveal a confidential source. If a family member or another non-provider shared information about you under a promise of confidentiality, that information can be withheld if releasing it would reasonably reveal who provided it.
- Situations where access could cause harm. In limited circumstances, a licensed professional can determine that giving you access to certain information could endanger you or another person. This is a narrow, reviewable exception, not a blanket right to withhold records.
Outside of these exceptions, a practice cannot refuse to give you your records because you have an unpaid balance, because you’ve switched to a different provider, or because the information is old.
How Long the Practice Must Keep Your Records
Retention requirements come from a patchwork of state laws and federal program rules, so the exact timeline depends on where you live and what kind of insurance is involved. At the federal level, HIPAA requires Medicare fee-for-service providers to retain documentation for at least six years from the date it was created or last in effect, whichever is later. Providers in Medicare managed care programs face a longer window of 10 years. CMS also requires providers who submit cost reports to keep patient records for at least five years after the cost report closes.
State requirements often layer on top of these. Massachusetts, for example, requires physicians to maintain adult patient records for a minimum of seven years from the date of the last patient encounter. For minors, the retention period extends to either seven years from the last visit or until the patient turns 18, whichever is longer. Many other states follow a similar seven-to-ten-year framework, though the specifics vary. If you need records from a decade or more ago, it’s worth checking your state’s rule, because the practice may have legally destroyed them.
Timelines for Getting Your Records
When you submit a request for your records, the practice has 30 calendar days to respond. If it can’t meet that deadline, it can take up to an additional 30 days, but only if it notifies you in writing within the first 30 days, explains the reason for the delay, and gives you a specific date by which you’ll receive your records. In practice, many offices fulfill requests much faster, especially for electronic records that can be exported from a patient portal in minutes.
The practice can charge you a reasonable, cost-based fee for copies. This fee can cover labor for copying, supplies like paper or USB drives, and postage if you’ve asked for mailed copies. It cannot include costs for searching for or retrieving the records. Many states cap these per-page fees by statute, and electronic copies delivered through a portal or email are typically cheaper or free.
The 21st Century Cures Act and Electronic Access
Since 2016, the 21st Century Cures Act has pushed the system further toward patient access by making the sharing of electronic health information the expected default. The law created the concept of “information blocking,” which essentially makes it illegal for healthcare providers, health IT developers, and health information exchanges to engage in practices that interfere with patients accessing, exchanging, or using their electronic health data.
This means a private practice using a certified electronic health record system generally cannot require you to jump through extra hoops to get your data electronically. For instance, a practice cannot insist on vetting or approving a third-party health app you’ve chosen to receive your records through a standard patient-facing portal. The law recognizes a limited set of exceptions for things like privacy protection and system security, but the overall intent is clear: practices should not create unnecessary barriers to electronic access.
What Happens When a Practice Closes or Is Sold
If your physician retires, dies, or sells the practice, the records don’t just disappear. State laws impose specific obligations to ensure continuity. In Michigan, a provider who closes a practice must notify the state licensing department of who will have custody of the records and how patients can request access. The provider then has to either transfer records to a successor provider, send them to a provider or storage company under contract, or deliver them directly to the patient if requested.
If the provider wants to destroy records instead, Michigan law requires written notice to each patient’s last known address, giving them 30 days to request copies or designate where their records should be transferred. Records less than seven years old cannot be destroyed even if the patient doesn’t respond. Massachusetts similarly requires a retiring physician or their successor to maintain records for seven years from the last patient encounter.
When a practice is sold, records typically transfer to the purchasing provider as part of the business assets. The selling practice generally must notify patients and give them the option to have their records sent elsewhere. The new practice assumes the same obligations, both for record retention and for honoring patient access requests, that the original provider had.
State-by-State Differences Matter
Because HIPAA deliberately leaves ownership to the states, where you live shapes the details. A handful of states, including New Hampshire, have passed laws declaring that the patient owns the medical record itself, not just the right to access it. Most states follow the more traditional model where the provider owns the record and the patient owns the right to the information. Some states are silent on ownership entirely, in which case courts generally default to provider ownership based on longstanding legal tradition.
If you’re in a dispute with a practice over your records, your state medical board or health department is usually the right place to start. HIPAA complaints can also be filed with the U.S. Department of Health and Human Services Office for Civil Rights, which enforces the federal access rules regardless of who your state says owns the physical chart.