Patients' Rights to Medical Records

Katie Crino · September 23, 2022
Updated: April 17, 2023

Your personal health information (PHI) can be quite complicated to get into your own hands. You may find yourself on hold with your clinic, having to sign forms, having to verify your identity, and constantly checking the mail to see if your provider finally sent your records. Of course, most of these regulations are put into place to protect your medical records from getting into the wrong hands, but still, the process can be quite frustrating. This article will help you navigate record requests, understand your rights, and help you find an easier way to get your records.

Records Request and Verification

First and foremost, it’s important to understand that, according to the HIPAA Privacy Rule, providers must share all personal health information with the patient at the patient's request. This includes, but is not limited to, all medical, billing, enrollment, payment, and any other records used to make decisions surrounding the patient.

Before your doctor hands over your medical records, they will probably ask for a records request. Your provider has the right to require a written records request (this can be on paper or electronic, such as via email) from you if they so wish. However, there are several other ways your doctor may allow this request, such as a secure web portal or a form created by the provider. Most doctors will also require some form of verification, which is allowed as long as the verification process does not impede or delay the patient's ability to access their records.

It’s important to keep in mind that these requirements are to protect your medical records and health confidentiality, even if the process seems overly complicated.

That being said, your doctor does not have the legal right to require an in-person request or verification. They also do not have the right to only allow requests through a web portal or by mail. In addition, the E-Sign Act allows you to sign important documents electronically instead of only on paper. What this means for you is that you have the legal right to sign their authorization form on your computer, even if your provider requests you to sign it in person or on paper.

Lastly, your doctor can charge you for a copy of your medical records. That said, there are many limitations to how much a doctor can charge. If you get charged an excessive amount, ensure they are following HIPAA law before agreeing to the payment.

Smaller clinics may not be familiar with these newer laws; therefore, it's important to be patient and understanding while standing firm on your rights. If your doctor refuses to comply with these laws, you may file a complaint through HIPAA.

Ways Your Doctor May Send Your Records


As the patient, you have the right to request to receive your records in whichever format you would like. If your provider has that format readily available or easily convertible (such as electronic records already in an electronic health record system), then federal law says they must use that format. This means they cannot print out records and mail them if you requested digital records.

There are many HIPAA-compliant secure digital transfer methods, including secure email (providers include Protonmail, Zoho Mail, and Mailbox) or drive-sharing services (it’s important they are HIPAA compliant).

Your doctor is legally obliged to fulfill your request even if you ask for your records to be sent through insecure, unencrypted email. However, this is not advised due to the limited security these email providers may offer, which could lead to your medical records being compromised.

Many doctors still use fax machines, paper mail, CDs and DVDs, and in-person pickup as the main delivery method for medical records. However, as insistent as they may be, if you want your original electronic records, you can politely remind them of your legal rights.

To read more about the process of accessing your medical records, refer to Guava's “How to Get Your Medical Records” article.

Records Your Doctor May Not Be Required to Send

1. Psychotherapy notes or records used in proceedings

Like almost everything else in life, there are exceptions to the HIPAA Privacy Rule. For better or for worse, psychotherapy notes can be withheld from the patient if the provider feels they could be a danger to your mental health or if sharing them would do more harm than help. If you are trying to get records from a mental health professional, you may be unable to see personal doctor's notes from your counseling sessions. That said, mental health providers must provide you with information regarding medication prescriptions, the start and stop times of sessions, summaries of diagnoses and treatment plans, and several other pieces of information.

You may also be denied access to information that is being used in civil, administrative, or criminal proceedings.

2. Your minor’s records

Laws regarding health records and minors depend on a combination of state and federal legislation. If you are retrieving records for your child, some information may be kept from you depending on the age of your child, your state’s laws, and, if relevant, what your child is deciding to keep confidential. For example, in California, providers are not permitted to tell a minor’s parents about medical care relating to pregnancy or child abuse. This law is to protect children who may refuse medical treatment out of fear of their parents.

3. Destroyed Records

Another reason you may be unable to access your records is the unfortunate event that your provider has disposed of them. The HIPAA Privacy Rule does not require providers to hold on to your records for a certain period of time. Instead, that period is decided by your state government. Each US state's medical record retention period varies (usually between 5 and 10 years), so depending on where you live, your medical provider may no longer be obligated to hold on to your records and may have disposed of them. HIPAA does, however, impose many restrictions on how these medical records must be destroyed to prevent your health information from being breached.

There is also the possibility that your records were accidentally destroyed or lost. Depending on how they were destroyed or lost, this could be a breach of HIPAA law and there are certain measures you can take to be compensated.

Therefore, you should take the time to request your own records so you don’t find yourself in a situation where your records have been intentionally or accidentally destroyed. You can store these records securely on your own computer, a secure cloud drive, or a secure personal health app like Guava.

Need a Place to Keep All Your New Records?

Try Guava! Guava is a modern and secure personal health app that allows you to connect to all your health information and compile it into one place. You can sync with providers and fitness devices while also uploading your medical records manually if needed. We work to display and summarize health information in a manageable and easy-to-access way. Through Guava, you can log symptoms, food, medications, exercise, etc., and draw correlations and insights from your health data.

You can access your records through the Guava app by connecting to your provider’s patient portal (e.g. MyChart) or by uploading digital copies of your records manually!
