What are my rights to access my own medical records under HIPAA?

What the Law Says

The HIPAA Privacy Rule, codified in federal law, gives individuals the right to access their protected health information (PHI) held by covered entities such as doctors, hospitals, and health plans.

Your right to access your medical records is guaranteed under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. This rule applies to 'covered entities' — including healthcare providers, health plans, and healthcare clearinghouses — that electronically transmit health information.

You may request to inspect or receive a copy of your PHI in the form or format you request, if it’s readily producible in that form. Covered entities must act on your request no later than 30 calendar days after receiving it. They may extend this deadline by one additional 30-day period, but only if they provide you with a written statement of the reasons for the delay and the new completion date.

Covered entities may charge a reasonable, cost-based fee for copying and postage — but not for search or retrieval. As of 2024, the maximum fee for electronic copies is $6.50 per request, regardless of the number of records. For paper copies, fees are limited to the actual cost of labor, supplies, and postage.

Certain information may be excluded from access, such as psychotherapy notes, information compiled for civil or criminal proceedings, or information subject to certain other legal restrictions.

Statutory Text

A covered entity shall, upon request of an individual, provide the individual with access to the protected health information about the individual maintained by or for the covered entity.

— 42 U.S.C. § 1320d — Health information privacy

What to Do

Sources