Skip to Content

Privacy & Data

Getting Your Medical Records

Patients have a legal right to obtain and correct medical records about themselves, but many patients have reported difficulty in doing so. While health information technology can make it easier for patients to access and correct their data, patients still need to know the steps to take to obtain copies of their health records, what to do if a provider or plan refuses a request to obtain or correct a record, and how patients should protect their health records once they have them. The Center for Democracy & Technology (CDT) is releasing this Frequently Asked Questions page as a basic resource to help patients exercise their rights and protect their data.

Why would I want my records?

Having copies of your medical records can help you manage your health care as you wish, according to your own health goals and on your own schedule.You can use the information in your records to conduct research online, consult with other patients and health care professionals, and use a variety of computer applications – like programs that can track your blood pressure over time or help you reach your health goals. You can also use the information to make it easier to keep track of when you are due for preventive visits.

Reduce errors and redundancy

You can review the copies of your medical records to spot errors. You have the right to request corrections to your record (although your provider can deny your request in some circumstances). [See Do I have the right to request a correction to my medical record?]If you change providers or use multiple providers, bringing a copy of test results can save time and reduce duplicate tests.You can give other caregivers – such as at-home care specialists – access to your records on your behalf.

Getting your records

Do I have the right to obtain a copy of my medical records?

Yes! Patients have a legal right to access and get a copy of their medical records.

Sometimes a health care worker will mistakenly argue that they cannot release your own medical records to you due to privacy laws. This is a common misconception, and you should not accept this as an answer. In nearly all cases, your health care provider or health plan is obligated to grant your request for access or copies. You do not have to give them your reasons for making the request, even if they ask. Your provider may ask that you put your request in writing. They may also charge a fee. [See How much will it cost me to obtain a copy of my records?]

In what format can I get the records?

You should at least be able to get a paper copy. You should also be able to get an electronic copy as long as your provider or plan keeps the record electronically. You might also consider asking your provider or plan if you can access your records online or if you can download it to a CD or memory stick. [See How should I protect medical information on a flash drive or other portable media?]Ask your provider if it will cost more to get a copy of your records on paper than electronically. [See How much will it cost me to obtain a copy of my records?]You may be able to have your provider email your records to you. However, you should ensure the email services you and your provider use are secure. You can do this by checking whether the URL begins with “https”, which means you are on a site that uses encryption. [See How should I protect information I access through the Internet?] Some providers let patients view their medical records over the Internet, so you might want to ask your provider if they offer online access. If the provider only allows patients to view their records online, ask your provider if they have a download capability, so you can obtain your own copy of your records. If you ask for a digital copy of your medical records, check the format the copy will come in. Make sure the file format is one you can open with your computer. For example, if your medical record comes in DOC format, you may need software like Microsoft Word or Microsoft Word Viewer to read the file. (Microsoft Word Viewer is available here as a free download.) You may also need software that can read a PDF file, like Adobe Acrobat (which is available free, here). If you have a personal health record (PHR) account, you should see if your provider or plan can send your information directly to your PHR. A PHR is a service that lets you store and use your health information from a variety of sources, like some doctor’s offices. Most PHR services give patients a lot of control over what data goes in and out of the PHR. [Click here for more information about PHRs.]

What kind of records can I obtain?

You should be able to get stored records that identify you and relate to your physical or mental health (called “protected health information”). That includes medical records, billing records, claims adjudication records, and other records your provider or health plan use to make decisions about you. There are some exceptions to this. For example, you don’t have a right to get copies of psychotherapy notes or information your provider is compiling as part of a lawsuit.

Who do I have to ask to get a copy?

Providers and health plans are supposed to have someone designated to answer record requests. Ask your provider or plan who this person is and how to contact him or her.Remember that different records are held by different entities. Your health care provider should give you a copy of any record they have on you – but these are most likely related to treatment they have given to you. If you are looking for a claims adjudication record – like a record of your claim submitted by your provider to your insurance – then you may want to talk with your health plan.If your plan or provider does not have the record but knows where the record is located, then the plan or provider must tell you where to look for the record. For a complete set of your records, you probably must file requests with all your providers and your health plan.

How much will it cost me to obtain a copy of my records?

It depends on state law, how many records you request, and the format you request the records to be in.Many states have their own rules on what providers or plans can charge for giving you a copy of your records. Lists of the states and the fees they charge can be found here and here. Paper copies can average between $.50 and $1.00 per page. Electronic copies should be cheaper, but some states may charge similar rates for electronic copies and paper copies.

How long would I have to wait to receive my copy?

Up to 30 days after sending your request to your provider or plan. However, if the provider or plan does not store the records on site, then you may have to wait up to 60 days after sending your request. Some providers will give you electronic copies of your records in three business days. Providers who offer you access to your records over the Internet might be able to give you access that same day.If the provider or plan cannot give you access to or copies of the records in 30 days, then the provider or plan can extend the time for another 30 days. They can get only one extension, however. If the provider or plan does use the extension, they must give you a written statement with the reasons for the delay and an estimated date of completion.Some care providers and health plans are obligated to give you an electronic copy of your medical records within three business days. The U.S. Department of Health and Human Services is considering whether to make this a requirement for all care providers. In the meantime, check with your provider to learn how quickly you can get your records. Try to work with your provider to figure out how to get your records in a way that fits your schedule, your budget, and your expectations.

Can my provider refuse to give me a copy of my records?

Yes, but only under limited circumstances – and they have to tell you why. The most common basis for denial is when a licensed health care professional has determined that giving you access to the records is reasonably likely to cause harm to you or another person.If the provider denies you access to your records, then the provider must put the denial in writing. The writing must explain why the provider denied you access. The writing must also tell you if you have a right to review the denial and how you can file a complaint – you usually have the right to a review, unless you’re asking for records the provider cannot give you by law (such as psychotherapy notes or records they are compiling for a lawsuit).Sometimes a health care worker will mistakenly argue that they cannot release your own medical records to you due to privacy laws. This is a common misconception, and you should not accept this as an answer. In nearly all cases, your health care provider or health plan is obligated to grant your request for access or copies. You do not have to give them your reasons for making the request, even if they ask.

What can I do if my provider refuses?

In most cases, you can demand a review of the provider’s decision to refuse giving you a copy of the records. If you demand a review, the provider will designate a licensed health care professional who was not involved in the original decision to refuse your request. The professional will review the decision and make a final judgment on whether to grant you access to your records.If you feel your provider is withholding your medical records from you without a legitimate reason, you can file a complaint with your health plan or the provider. Providers and health plans to document complaints, review them, and penalize employees who don’t follow the law or the provider’s policies. You can also file a complaint with your state’s medical board.Lastly, you can file a complaint with the federal or state government. To file a complaint to the federal Department of Health and Human Services (HHS), you must file it in writing (on paper or electronically) within 180 days of being denied access to your records. Your complaint must describe what happened and name the person or provider involved. HHS may or may not investigate your complaint.

Correcting your records

Do I have the right to request a correction to my medical record?

Yes! Patients have a legal right to ask health care providers and plans to correct errors or make amendments to their medical records. Such requests do not have to be automatically granted, however. [See Can my provider refuse my request to correct my records?]

Why would I want to correct an error on my medical record?

Some errors may be small and insignificant. However, you should ask to correct errors to any information that you think will affect your future diagnoses and treatment. You should review your contact information, such as name and address, to make sure your provider or plan can reach you if necessary. Also, you should consider reviewing your billing and payment information to ensure you have not been overcharged and that you are not a victim of medical identity theft.

How should I request a correction to my medical information?

A health care provider or plan can require you to submit your request in writing, so contact your provider or plan and ask if they have any forms they will need you to fill out to request the correction. The provider or plan can also ask you to give your reasons for wanting a correction.Get a copy of your medical records. [See Who do I have to ask to get a copy?]For relatively small errors, you can hand write a correction on a copy of your medical records. For more complex errors, you can write a letter explaining how they should be corrected. Try to be as specific as you can – if possible, include dates of treatment and the names of the health care providers involved. It’s a good idea to make a photocopy or a scan of the erroneous record and your completed request before you send it back to your provider or plan. This way you don’t have to start from scratch if your provider does not receive your request. Ask your provider or plan how they would like to receive your record and request, such as through mail or fax. If your provider or plan gave you paperwork to fill out, then the paperwork may specify a way to send the provider or plan your request.

How long would I have to wait until the correction is made?

Your provider or plan must act on your request for correction within 60 days of receiving your request. The provider or plan must inform you of the denial or acceptance of your request within that time period.

Can my provider or plan refuse my request to correct my records?

Yes. Your provider or plan can deny your request if they believe the record is actually accurate and complete. This is a common reason for denying a correction request.The provider or plan can also deny your request if they did not create the record you want to correct. However, if you can demonstrate that the provider or plan that DID create the record is no longer available to make the correction, then your current provider or plan must make the correction.If your provider or plan refuses to make the correction you request, the provider or plan must put the denial in writing. The writing must explain the reason for the denial. The writing must also inform you that you have the right to file a statement disagreeing with the denial, and that statement can be included in future disclosures of the record you tried to correct. Finally, the writing must describe how you can file a complaint. [See What can I do if my provider or plan refuses to make the correction I requested?] If your provider or plan denies your request, the provider or plan must include your request for correction – or an accurate summary of your request – when the provider or plan discloses the record in the future.

What can I do if my provider or plan refuses to make the correction I requested?

You have the right to submit a statement that disagrees with the denial of your request for correction. Your statement should include a description of why you disagree with the reasons your provider or plan refused to make the correction you requested. However, your provider or plan can limit the length of your statement. Your provider or plan must include this statement – or an accurate summary of the statement – when the provider or plan discloses the record in the future.If you feel your provider is refusing to make the correction without a legitimate reason, you can file a complaint with your health plan or the provider. Providers and health plans are required to document complaints, review them, and penalize employees who don’t follow the law or the provider’s policies. You can also file a complaint with your state’s medical board.Lastly, you can file a complaint with the federal or state government. To file a complaint to the federal Department of Health and Human Services (HHS), you must file it in writing (on paper or electronically) within 180 days of being denied the correction to your records. Your complaint must describe what happened and name the person or provider involved. HHS may or may not investigate your complaint.

Keeping your records private and secure

Why do I need to protect my medical information?

If your medical information falls into the wrong hands, it could cause you embarrassment or lead to identity theft. Always do what you can to keep your information safe and verify who you’re sharing your information with.

How should I protect hard copies of my medical information?

Keep your copies in a secure place. Preventing unauthorized access is the best protection. Use your judgment, don’t share your records carelessly, and do what you can to prevent unauthorized people from accessing your records.Be careful what you throw away. It’s not a good idea to leave your medical or identity information intact in a trash bin or dumpster because someone may pick through your garbage. Try shredding or destroying your records before you throw them out.If possible, avoid accessing your information on public or strange computers. If you do so, however, remember to delete your records from the computer when you’re finished with them. This means you need to put the files into the computer’s trash or ‘recycling bin’ and then empty the trash or ‘recycling bin.’ Also try to check if the computer’s antivirus software is up to date.

How should I protect medical information in a PHR?

Read the privacy policy of the PHR service before joining. Remember that just because a business has a privacy policy doesn’t automatically mean your privacy is protected. Before sending your information to an application or external website, verify that they are a legitimate business. Make sure you read their privacy policies too. Oftentimes, the privacy policies of a PHR service are different than the policies of related, but separate services, like applications.Check the privacy settings of the services you use and, if you can, adjust the privacy settings to match up with your needs and expectations.

How should I protect medical information on a flash drive or other portable media?

As with paper records, the best protection is prevention. Keep your records in a safe place, avoid losing your memory stick or disc, and try to keep unauthorized people from accessing your records.Protect the disc or drive holding the records with a password or encryption.If possible, avoid accessing your information on public or strange computers. If you do so, however, remember to delete your records from the computer when you’re finished with them. This means you need to put the files into the computer’s trash or ‘recycling bin’ and then empty the trash or ‘recycling bin.’

How should I protect information I access through the Internet?

Check to see if the site is secure when you are sending or accessing your personal information. Look for an icon of a lock in the browser status bar at the bottom right corner of the browser window. Also check if the URL begins with “https”, which means you are on a site that uses encryption. If you choose to download your information, make sure you take note of the name of the download service and how to contact the service for questions.