Accessing Your Medical Records?>

Accessing Your Medical Records

by Health After 50

Your medical records give your healthcare providers a comprehensive view into the past state of your health, which helps guide them in managing your future health. You, too, can take advantage of the medical story your records can tell. Having access to your health information allows you to:

  • Manage chronic health conditions by reviewing what your doctor has told you
  • Follow your treatment plans and consider other options
  • Ensure that your records are accurate
  • Supply new providers with your health history, which can prevent duplicating medical tests and imaging procedures each time you consult a new doctor
  • Monitor your health progress

People with ready access to their medical records have the advantage of being empowered to make more informed decisions about their health. The increased adoption of secure patient portals and electronic medical records are making it easier for individuals to get this information. But obstacles remain, and too often people are still finding it hard to get their hands on their own health records.

Understanding your rights

As a patient, you have a right to your medical records and X-rays or other diagnostic images, regardless of how old the data are. Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has provided patients with the right to access their health information from healthcare professionals, pharmacies, health plans, and medical facilities, including hospitals and nursing homes. HIPAA also requires health entities to protect and secure this information from others.

Recently, the U.S. Department of Health and Human Services (HHS) issued guidance designed to help patients understand their rights to these records and better navigate the process of obtaining them. HIPAA’s Privacy Rule requires health plans and healthcare providers to provide you, or a third party designated by you, with your protected health information in what’s called a “designated record set.”

This set includes:

  • Medical and billing records, such as clinical laboratory and imaging test results; wellness or disease-management program files; and clinical case notes
  • Insurance information, payment records, claims decisions and case- or medical-management record systems
  • Other records used to make care decisions

Entities not required to follow the Privacy Rule include life insurers, most law enforcement agencies, and many state agencies, such as child protective services. Moreover, you do not have the right to access certain types of information, such as:

  • Information that’s not used to make care decisions (for example, provider performance evaluations or quality-control records)
  • The personal notes of a mental healthcare provider documenting or analyzing a counseling session
  • Information compiled for (or in reasonable anticipation of) a civil, criminal, or administrative proceeding
  • Information that a provider reasonably deems a threat to the patient’s or another person’s life or physical safety, such as information that may lead a suicidal person to take his or her own life or information that a provider feels may cause emotional or psychological harm, such as notes that a patient may be upset by or not able to understand

Where to start

While some practices or organizations simply allow you to request access to your records via fax, email, or online through a secure web portal, others may require you to formally request your records in writing or complete a form to do so. Your providers must verify your identity, but they can’t require you to come to the office physically to request records or provide proof of identification. They also can’t require you to mail in your request, as this causes undue delay in obtaining your records. You don’t have to give a specific reason for your request, nor can records be denied because of an outstanding bill.

After receiving your request, the entity must provide access to your records within 30 calendar days—although the HHS encourages healthcare professionals and organizations to do so as quickly as possible.

If the information isn’t easily accessible—for instance, older files may be archived offsite—the entity may request a one-time 30-day extension but must inform you of both the reason for the delay within the initial 30 days and the date by which you’ll receive access.

You can specify the format in which you’d prefer to receive the records (for example, paper copies or digital files such as a PDF, provided the organization can reasonably produce an electronic format). Some providers allow you to access an online patient portal, where you can view your health records and download them to your personal computer. If you’ll be using an application or special computersoftware to analyze or organize your information, you’ll typically need your records in a structured data format, sometimes called CCDA files, which some organizations can supply.

The doctor’s office or facility may charge a “reasonable fee” for labor to copy the files, supplies or devices such as a CD or a USB drive, postage, and, if you request it, preparation of an explanation or summary of your information. Any other fees, such as for time spent searching for records, are prohibited. The provider must also inform you in advance of the approximate fee you’ll be charged.

If you don’t want to pay for copies, you have the right to view your records privately on the provider’s premises without charge. While there, you can freely take notes or use your smartphone or anotherdevice to make copies of your files.

Getting a Loved One’s Medical Records

In addition to providing your right to your own medical information, the HIPAA Privacy Rule recognizes the rights of personal representatives—those who are legally authorized to make healthcare-related decisions on another’s behalf.

Obstacles you may face

An organization’s ignorance of the law isn’t an excuse for noncompliance, but you may encounter some resistance to your request. It’s best to be prepared in advance for dealing with challenges, including these:

  • Your provider tells you HIPAA prevents sharing any information, even with the patient. Under federal law, you have the right to your records. You can point the organization to this Health and Human Services (HHS) web page for more information about the requirement.
  • You’re told only paper records are available. If you prefer electronic copies, you can request that they be scanned in a digital format. However, you may be charged a fee for scanning the files.
  • The organization says it can’t send records via email. Email may not always be secure, but as long as you accept the risks associated with email transmission (namely that a third party might be able to obtain the files), the organization must send them, if requested.
  • You’re told you must visit in person to verify your identity. The provider can’t require an in-person visit. Ask to have your identification verified over the phone, such as by confirming your address or providing other personal information.
  • You’ve received your records, but they contain errors. You can request that errors be fixed or missing information be added. If your provider believes the records are correct, you have the right to have your disagreement noted in your file.
  • You don’t receive a response to your request. If you don’t receive a response or access, you can file a complaint with the HHS Office for Civil Rights.

Your rights at a glance

In summary, you have a right to:

  • View and receive copies of your health records
  • Receive electronic copies in the format requested (if the format is unavailable, you and the organization must agree on an alternative)
  • Receive your records (or a response requesting a one-time 30-day extension) within 30 days of submitting your request
  • Request files be sent via email
  • Request files be sent to a third party of your choice, such as a caregiver or a mobile health application

If your request is denied, you must receive a written notice of denial in easy-to-understand language within 30 days of your request. If you believe you’ve been wrongly denied, you can file a complaint with your provider, health insurer, or HHS. To file a complaint with HHS, go to this web page.

This article was adapted from

Also see The Case for Electronic Medical Records (EMRs).