Your Right to Request

Overview: Your Right to Get Your Medical Records

Before the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) was passed into law on August 21, 1996, there was no federal right for patients to be given access to their medical records. HIPAA requirements and security rules have given patients more control over their health information, set limits on the use and release of their medical records, and established a series of privacy standards for health care providers that provide penalties for those who do not follow these standards with regard to making copies of those records available to patients.

Under HIPAA, healthcare providers are required to provide copies of medical records. This includes:

  • Doctors
  • Hospitals
  • Pharmacies
  • Health Insurers

HIPAA requires that records be sent to you (or someone else at your direction) within 30 days of your request (with one 30-day extension if there is a written statement explaining reasons for the delay). While the federal law sets minimum standards, there is some state-to-state variability.

Healthcare providers are required to keep medical records for 10 years (sometimes less) after your last visit, but specific periods vary considerably from state to state.

HIPAA requirements grant patients several key privacy rights over their medical records, which impose obligations on health care providers. Note that in all cases, health care providers must provide these records, even if you have not paid your medical bills or have billing or insurance disputes outstanding.


Patients do not have the right to access a provider’s psychotherapy notes or to any other information that a healthcare provider reasonably believes may cause harm or impair treatment, but these limitations are narrowly defined, and are the exception rather than the rule. Human Immunodeficiency Virus (HIV) and Sexually Transmitted Disease (STD) records may be released, but in some states this may require explicit requests for this disclosure to be made.


While healthcare providers may charge fees for producing copies of your medical records, these fees must be related to the costs of copying or printing your records; maximum clerical and production fees are regulated on a state-by-state basis and there is substantial variability.

A provider cannot deny you a copy of your records because you have not paid for the services you have received.


If you think the information in your medical or billing record is incorrect, you can request a change, or amendment, to your record. The health care provider or health plan must respond to your request. If it created the information, it must amend inaccurate or incomplete information.

If the provider or plan does not agree to your request, you have the right to submit a statement of disagreement that the provider or plan must add to your record.

A provider cannot deny you a copy of your records because you have not paid for the health services you have received. If you believe that your doctor or other health care provider violated your health information privacy right by not giving you access to your medical record, you may file a HIPAA Privacy Rule Complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. The easiest way to file a complaint is to go through the HHS Office for Civil Rights.


Sometimes a healthcare provider will mistakenly argue that they cannot release your own medical records to you due to privacy laws. This is a misconception.

In most cases, you can demand a review of the provider’s decision to refuse giving you a copy of the records. If you demand a review, the healthcare provider must designate a licensed healthcare professional to review your request, and that person must not have been involved in the original decision.

If you feel your provider is withholding your medical records from you without a legitimate reason, you can file a complaint with the federal or state government.


Healthcare providers release a patient’s records to someone else as long as the patient has signed a direct authorization. This is the easiest and most straightforward way to retrieve those medical records.

If the patient is incapacitated or deemed incompetent, specific legal documents are required before another person can access the records. There are several types, depending on the situation, and you should consult with a lawyer if you are seeking to get medical records for someone who is not currently able to sign a release.


HIPAA electronic medical records privacy rules allow healthcare providers to use or disclose patient health information, such as diagnostic images, laboratory tests, diagnoses, and other medical information for treatment purposes without the patient’s authorization. This includes sharing the information to consult with other healthcare providers to aid in the treatment of a different patient, or to refer the patient to a specialist. Formal HIPAA regulations are quite complex and are summarized in greater detail here.

In general, health insurance companies do not have the right to inspect your medical records other than for purposes of determining eligibility for health care coverage. Most insurance companies in the United States belong to the Medical Information Bureau (MIB), which operates an information exchange between member insurance companies of brief, coded health information of underwriting significance taken from the underwriting of previous applications for life and health insurance coverage. MIB does not access an individual’s medical records. MIB information is consented to by the applicant and is used to protect insurers from errors, omissions and misstatements in an applicant’s health statement. Under the Fair Credit Reporting Act (FCRA), consumers can obtain one free disclosure annually of their MIB record. Unless you have applied for life and health insurance in the past seven years, you will not have an MIB record. For more information visit MIB’s website.

In addition, HIPAA provides employers with the right to review limited portions or summaries of your medical information in some circumstances, such as obtaining bids for insurance plans for the company or reviewing workers’ compensation claims. If the health information your employer receives goes beyond a basic summary, then your employer must take steps to protect and limit viewing of this information. HIPAA limits the use of medical information for employment purposes.

Larger corporations may offer “self-insured” health care plans where the employer itself assumes the risk of health care costs and has the responsibility for paying healthcare claims, effectively acting as an insurer. Claims may be processed by company personnel or contracted out to other companies that process and maintain the records. HIPAA rules apply to medical records used in this situation, including how information is shared and the requirement for written consent to share information in most situations.

In all cases, access to medical records is granted if you sign a written consent which meets HIPAA requirements for disclosure of details and the time period during which the consent is in place. This means it is very important that you read any such forms carefully and ask any questions before signing a consent form.


Most insurance companies in the United States belong to the Medical Information Bureau (MIB), which operates an exchange of health information of underwriting significance used by its member insurance companies to assess risk for life and health insurance coverage.

The information contained in a typical MIB record is limited to short descriptions of specific medical conditions which might impact an applicant’s health or longevity. The information is obtained with the applicant’s consent and is used to help protect insurers against errors, omissions and misstatements in the health statements taken on an application for insurance coverage. Insurance companies must use MIB information as an alert only; the information is not determinative and must be verified. A decision on whether to issue or rate health or life insurance to you cannot be based solely on information in a Medical Information Bureau report.

The Medical Information Bureau is subject to the Fair Credit Reporting Act (FCRA), and as such, must provide access to your record annually at no cost, should you have such a record. For information on how to access information that MIB may have about you, access MIB’s website. MIB’s member health insurers are subject to HIPAA compliance, and accordingly MIB complies with HIPAA privacy and security regulations as a “Business Associate.”

For further information about the MIB, and to review and correct any misinformation that Medical Information Bureau may have about you, visit the MIB’s website.