Medical Records: Q & A

Getting Access to Your Medical Records

Public Citizen Health Letter

March 2008

What is a medical record?

A medical record is a compilation of your medical history; your family medical history; information about your lifestyle; physical examination and laboratory results; medications prescribed; diagnoses and prognoses; results of treatment and procedures undergone; allergies and other risk factors; disabilities and limitations; and participation in research projects. Medical records may also include results of genetic testing used to predict future health. Because of the private, personal nature of this information, access to medical records is restricted.

If you have a primary physician who has provided you with health care over time, orchestrates your care and refers you to other health care practitioners when needed, this person should have your complete medical record, including a summary of hospital events. Otherwise, this information can be quite scattered and difficult to locate, as it is likely to be in different medical offices, clinics, hospitals, laboratories, pharmacies, etc. For this reason, it is wise for you to keep a record of your own medical history, and you should request a copy of your hospital records. Your medical history should include major illness episodes; surgeries and procedures; results of screening and other tests; major prescriptions filled; allergic reactions or adverse effects of medication or treatment; accidents or falls; and pregnancies, miscarriages and births.

Why should I have my medical record?

Having your medical record will make you a more involved and better informed patient, and will help you be more in control of your own care. It will also facilitate keeping providers informed when you switch physicians or visit a new doctor for the first time. As we become more mobile as a society, having all your medical information together can enhance continuity of care. Your medical record will also provide a good summary of information that you may wish to communicate to others.

Am I entitled to my medical record?

Yes, you are now entitled to your medical record regardless of which state you reside in. The request should be made in writing. In some cases, providers (hospitals or doctors) may require you to fill out a special form requesting the record. They may charge you for copying and handling the record. There may also be an extra charge for providing a copy of an x-ray.

Having an outstanding medical bill should not preclude access to your record.

Who has access to my medical record?

Despite the private nature of much of the information contained in your medical record, this information is shared by a number of people, including health care providers and institutions. While you must agree to let others see your record, you may have to share your health information if you want to obtain care and qualify for insurance coverage. Insurance companies usually require you to release your records before issuing you a policy or paying you under an existing policy. Government agencies may also request your medical records to verify claims made through Medicare, Medicaid, Social Security Disability, and Workers Compensation. Employers can obtain medical information about their employees by asking employees to authorize disclosure of medical records. If your employer is self-insured, the human resources department is likely to have access to your health-related claims.

What is HIPAA?

HIPAA refers to the Health Information Portability and Accountability Act (HIPAA), which went into effect in 2003. This law gives consumers the right to see, get a copy of, and amend and supplement their medical records. Consumers’ requests must be answered within 30 days, although the deadline may be extended for an additional 30 days under certain circumstances.

HIPAA sets national standards for privacy of health information. But the law applies only to medical records maintained by health care providers, health plans, and health clearinghouses, and only if the facility maintains and transmits records in electronic form. Much health-related information exists outside health care facilities and the files of health plans, and is thus not covered by HIPAA.

Can a provider deny me access to my record?

The provider petitioned may deny access to all or part of the record, but must give you a written denial within 30 days. Information that may be denied includes the following:

  • Psychotherapy notes that are separate from the medical record;
  • Information compiled in reasonable anticipation of or for use in a civil, criminal or administrative action or proceeding;
  • Private health information maintained by an entity covered under the Clinical Laboratory Improvements Amendments of 1988, which seek to ensure quality in laboratory testing;
  • Under certain circumstances, information requested by an inmate;
  • Information obtained in the course of research that includes treatment, if the consumer has agreed to the denial of access while consenting to participate in the research;
  • Information contained in records subject to the Privacy Act, which regulates the collection, maintenance, use and dissemination of personal information by federal executive branch agencies; and
  • Information obtained by the provider from someone other than a health care provider under the promise of confidentiality and access to which would be likely to reveal the source of that information.

Can I ask for someone else’s record?

In general, only a patient can authorize the release of his or her own medical records. But there are some exceptions, including the following:

Parents of minor children

There are some sensitive services, however, for which minors are entitled to consent on their own and can therefore expect their records to remain confidential. Although federal regulations allow parents access to their children’s records, these are usually tempered by provider judgment and long-standing principles of medical ethics guiding the delivery of confidential care to minors. The American Academy of Pediatrics has long dictated that teens’ records be kept confidential when teens seek sensitive services. Some states (e.g., Colorado, New York) have laws specifying that parents may not access the medical records of their minor child who has obtained certain services, such as treatment for sexually-transmitted diseases, drug addiction or abortion. Other states have not addressed the issue, giving health care providers discretion in the matter.

A legal guardian

This is a person who has the authority and duty to care for the personal and property interests of another person, most often called a ward. Usually a ward is not capable of acting on his or her own behalf due to young age, incapacity or disability. A legal guardian of a minor usually has parental rights over the child, in which case the situation described above applies.

An agent

This is someone you have chosen to act on your behalf in a Health Care Power of Attorney. This person acts as your representative with respect to all health care matters in the event that you are incapacitated. The person you so designate has the same access to your records as you have, including the right to disclose the contents to others.

Do HIPAA regulations override state laws?

HIPAA regulations usually pre-empt state laws, and laws that were contrary to HIPAA were therefore superseded. Nevertheless, states may request an exception to pre-emption from the Department of Health and Human Services. Because HIPAA establishes a floor for the protection of privacy, state laws that are more stringent than the federal rule remain in effect. “More stringent” laws are those that provide individuals greater access to information.

Because there are variations from state to state, patients should check to see the laws that apply within their jurisdiction. State-specific differences include whether or not entities can charge consumers fees for copies of their medical records, and the amount charged. Other differences relate to restrictions on the disclosure of information.

What if I change health care providers, or my provider has moved or gone out of business?

You must make a written request if you want a provider to furnish a copy of your record to another provider. When you decide to change providers, you should ask for a copy of your health records. In the case of physicians who retire or move, or other providers who go out of business, you should get your medical records whenever possible. Providers who retire or move usually place advertisements or notify their patients beforehand. If that is the case, you should request a copy of your medical records. A health care institution that ceases operation must usually provide the local oversight entity (e.g., the local Department of Public Health) with a certified document specifying where its patients’ health records will be stored and the procedure for patients, former patients or their authorized representatives to access their records. This may vary from one state to another, so you should check what the “rules of the game” are in the state where you live.

How long are providers required to keep medical records?

Some states require health care providers to keep medical records for six or seven years, but this varies by state. Professional licensure laws regulate how health care is practiced in each state; these may include dispositions on record-keeping and disclosure. You will therefore have to find out what the requirements are in the state where you live or where you received care.

As a practical matter, some practitioners sort their records as “active,” “less active” and “inactive.” Level of activity refers to the elapsed time since the patient’s last visit to the specific provider. The system used will vary from one provider to another.

What happens to my record if my provider dies?

When a provider dies, his or her executor or responsible relative must keep possession of patients’ records. In some states, the executor must inform all patients seen within a given time span by notice published in a local newspaper and a letter sent to each patient. The patients’ medical records must be kept for a set number of days after the notice. You should use this period to request your medical records. Again, the disposition of records varies by state, so inform yourself of the laws that govern medical records in your state.

What trends should I be aware of?

Two major trends are affecting the way in which medical information is kept, transmitted and stored. The first is the movement away from paper medical records to electronic records. This has raised many issues on access to information and protection of privacy. A second major trend is the increased diversity of venues through which patients obtain health care. The rise of retail health clinics associated with large chain stores or pharmacies, disease-specific providers, ambulatory surgical centers, and companies facilitating access to care in other countries has complicated the maintenance of a comprehensive personal medical record.


The Center on Medical Record Rights and Privacy at Georgetown University has compiled a state-by-state summary of the prevailing legislation. This is available at http://hpi.georgetown.edu/privacy/records.html