Medical Records Access: Patient Rights Under HIPAA
Federal law gives every patient in the United States a legally enforceable right to see, copy, and request corrections to their own medical records, a right codified in the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (the right of access at 45 CFR § 164.524 and the right to request amendment at 45 CFR § 164.526). Understanding how that right actually works in practice, where it applies, and where it stops is the difference between a patient who gets what they need and one who spends six months being told the records are "unavailable." This page covers the definition of access rights, the mechanics of making a request, the scenarios that come up most often, and the boundaries that genuinely limit what patients can obtain.
Definition and scope
HIPAA's Privacy Rule, codified at 45 CFR § 164.524, establishes the right of individuals to inspect and obtain a copy of their protected health information (PHI) held in a "designated record set." That phrase carries real weight: it covers medical records and billing records held by a provider, a health plan's enrollment, payment, claims adjudication, and case management records, and any other records the entity uses, in whole or in part, to make decisions about the individual. It is not limited to the clinical notes from last Tuesday's appointment.
The rule applies to covered entities under HIPAA: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with a standard transaction (claims, eligibility checks, and the like). A private physician's office, a large hospital system, and a health insurance company are all covered, and a business associate holding records on a covered entity's behalf must make them available so the covered entity can meet its obligation. A wellness app that does not bill insurance and is not affiliated with a covered entity generally is not covered at all, a gap that surprises people who assume "health data" and "HIPAA protection" are synonymous.
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services enforces these provisions and has pursued penalty actions specifically targeting right-of-access violations, with fines in completed cases ranging from $3,500 to $240,000 depending on the nature and duration of noncompliance.
How it works
A covered entity must act on an access request within 30 calendar days of receiving it. One 30-day extension is permitted if, within that initial 30-day window, the entity notifies the individual in writing of the reason for the delay and the date by which it will respond. That single extension is the ceiling, not a rolling option that resets. The entity must provide records in the form and format requested if they are readily producible in that form; if not, it must provide a readable hard copy or another form and format the individual agrees to. A request for an electronic copy of records the entity already maintains electronically should almost always be readily producible.
Fees for copies must be reasonable and cost-based, and may cover only the labor of copying, supplies (such as paper or a USB drive), postage, and the preparation of a summary or explanation the individual agreed to. They may not include the cost of searching for or retrieving the records, or of maintaining the system that holds them. HHS guidance published in 2016 identified three permissible ways to calculate the fee:
- Actual cost method: the labor, supplies, and postage for the specific request, calculated at real cost.
- Average cost method: a schedule of average costs for standard request types, which may be expressed per page only for copies made on paper or scanned from paper.
- Flat fee: a fee of no more than $6.50 for electronic copies of PHI that the entity maintains electronically, which HHS has identified as a straightforward safe-harbor option.
Charging excessive fees, particularly for electronic records that cost functionally nothing to transmit, is among the most common HIPAA access violations the OCR investigates. A practical check for patients: a fee that is visibly built around retrieval, per-page charges for records that were never on paper, or a state-law fee schedule applied to an electronic copy is a signal that the entity is not following the cost-based rule. For a deeper look at how advocacy organizations help patients navigate fee disputes and request mechanics, the patient advocacy frequently asked questions page addresses these scenarios directly.
Common scenarios
Requesting records from a former provider. Patients change doctors, move, or seek second opinions constantly. The right of access attaches to any PHI the entity still holds in a designated record set, for as long as it holds it; HIPAA itself sets no retention period for medical records (only a six-year period for HIPAA compliance documentation), so how long a record must exist is a matter of state law, which ranges from about 5 years after the last treatment in some states to 10 years or longer for minors' records after they reach adulthood. Closing a practice does not extinguish access rights; whoever takes custody of the records as a covered entity or business associate takes on the obligation to produce them.
Accessing records on behalf of a minor. A parent or legal guardian generally has the right to access a minor child's records, acting as the child's "personal representative" under HIPAA. But state law governs certain exceptions. In 38 states, minors may consent to treatment for specific conditions such as substance use disorder or reproductive health without parental involvement, and where state law gives the minor that authority, the provider may withhold those specific records from the parent. Once the child reaches adulthood, the right of access belongs to the former patient, not the parent.
Mental health and psychotherapy notes. This is where the right narrows sharply. Psychotherapy notes are defined narrowly in 45 CFR § 164.501 as a mental health professional's notes documenting or analyzing the contents of a counseling session, kept separate from the rest of the medical record. The definition expressly excludes medication prescriptions and monitoring, session start and stop times, treatment modalities and frequencies, clinical test results, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress. Those items are ordinary treatment records and remain fully accessible; only the separately kept process notes fall outside the right of access, and a provider cannot shield the whole mental health record by labeling it "psychotherapy notes." This distinction confuses patients and providers alike, and it comes up frequently in the key dimensions and scopes of patient advocacy framework.
Third-party requests. An individual may direct a covered entity to send a copy of their records directly to a third party, such as another provider, an attorney, or a family member. The directive must be in writing, signed by the individual, and clearly identify the recipient and where to send the copy; once it is, the entity must comply on the same timeline and fee terms as a request for the individual's own copy. (After the 2020 decision in Ciox Health, LLC v. Azar, HHS enforces this third-party directive for electronic copies of PHI held in an electronic health record, and the fee cap no longer applies to copies sent to third parties under a separate authorization.) This is distinct from an authorization under 45 CFR § 164.508, which permits, but does not require, an entity to disclose PHI to a third party and carries no access-rule deadline or fee limit.
Decision boundaries
Not every request results in full disclosure. HIPAA permits entities to withhold specific categories, and the grounds fall into two groups. The following grounds are not subject to review:
- Psychotherapy notes (as described above)
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding
- PHI created in the course of research that includes treatment, while the research is in progress, if the individual agreed to the temporary denial when consenting to participate; the right resumes when the research is complete
- Records held by a correctional institution, or a provider acting under its direction, where giving the inmate a copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or others
- Information obtained from someone other than a healthcare provider under a promise of confidentiality, where access would reasonably be likely to reveal the source
A second group of grounds is reviewable: a licensed healthcare professional has determined, in the exercise of professional judgment, that access is reasonably likely to endanger the life or physical safety of the individual or another person, or that the information references another person (other than a provider) and access is reasonably likely to cause that person substantial harm, or that a personal representative's access is reasonably likely to cause substantial harm to the individual or another person.
Notably absent from both lists: "the records are old," "the system doesn't support that format," or "the billing department handles it." Those are process problems, not legal exemptions. A denial must also be partial where possible: the entity must still provide every other part of the record that is not covered by the ground for denial. When a covered entity denies access, it must provide a timely written denial in plain language stating the basis, explaining the individual's review rights if the ground is reviewable, and describing how to complain to the entity and to HHS. For a denial on one of the reviewable grounds, the individual may request a review by a licensed healthcare professional designated by the entity who did not participate in the original decision, and that reviewer's determination is binding on the entity. The how to get help for patient advocacy page outlines what to do when that internal review process fails and a formal OCR complaint becomes the practical next step. Understanding the full scope of how it works in patient advocacy systems helps patients engage these mechanisms with realistic expectations rather than frustration at what feels like institutional indifference.