OGC
Act Within 24 Hours

Patient Requesting Their Medical Records

A patient wants copies of their medical records.

Patients Have a Legal Right to Their Records

Under the HIPAA Privacy Rule (45 CFR § 164.524), patients have a fundamental right to access their own Protected Health Information. This right is broad and cannot generally be waived, restricted, or discouraged. When a patient requests their records, you are legally obligated to respond — and there are strict timelines.

The 30-Day Rule

You must provide access to the requested records within 30 calendar days of receiving the request. If you need more time (for example, the records are stored off-site), you may take one 30-day extension — but only if you:

  • Notify the patient in writing before the first 30-day period expires
  • Explain the reason for the delay
  • Provide a specific expected date by which you will fulfill the request

Missing the deadline without a documented extension is a direct HIPAA violation. Track your request dates carefully.

Step-by-Step Response Process

  1. Receive and log the request. Record the date received, the patient's name, what records they're requesting, and their preferred format/delivery method.
  2. Verify the patient's identity. Before releasing records, confirm the requester is who they say they are. Acceptable verification includes a government-issued ID, date of birth, last four digits of SSN, or other identifying information you have on file. For mailed or emailed requests, you can require a signed authorization form.
  3. Verify authorization if a third party is requesting. If someone other than the patient is requesting records (e.g., a parent, legal guardian, or personal representative), verify their legal authority to access the records.
  4. Locate and gather the records. This includes records across all systems — EHR, paper files, lab results, imaging reports, billing records, etc.
  5. Provide in the patient's requested format. If the patient requests records in electronic format and you maintain them electronically, you must provide them in that format. If they request paper, provide paper. You cannot force them to accept a different format solely for your convenience.
  6. Deliver securely. Use encrypted email, patient portal, certified mail, or in-person pickup based on patient preference and the sensitivity of the information.

What Formats Must You Provide?

Patients can request their records in the format that works for them:

  • Electronic (PDF, electronic health record export, structured data)
  • Paper copies (mailed or in-person pickup)
  • Sent directly to another provider or third party of their choice
  • Summary or explanation (if the patient agrees to receive a summary)

Fees: What You Can and Cannot Charge

You are permitted to charge a reasonable, cost-based fee — but only for:

  • Labor for copying (electronic or paper)
  • Supplies for paper copies (if applicable)
  • Postage (if records are mailed)
  • Preparing a summary or explanation (if the patient agreed to a summary)

You cannot charge for: searching for records, retrieving records, or overhead costs. Many states cap per-page fees, so check your state law as well. You can never deny access because a patient can't pay — you may waive fees or reduce them based on financial hardship.

What You Cannot Withhold

In general, you must provide everything in the designated record set. You cannot withhold records because:

  • The patient owes you money (access to records is separate from payment obligations)
  • You think the information might upset the patient
  • The records were created by another provider (if you maintain them)

There are very limited exceptions: psychotherapy notes (maintained separately from the medical record), information compiled for legal proceedings, and certain research records. Consult your Privacy Officer before denying any access request.

If You Deny the Request

If you deny access (for one of the permitted reasons), you must:

  1. Provide a written denial explaining the reason
  2. Inform the patient of their right to request a review of the denial
  3. Inform the patient of their right to file a complaint with HHS OCR

Documentation

Keep records of all access requests, your responses, any fees charged, and the date records were provided. Patients can request an accounting of disclosures, and OCR may ask for this documentation during an audit.

Related Guides

Plan Ahead

How Much PHI Can I Share?

Understanding the minimum necessary standard for PHI disclosures.

Read Guide
Plan Ahead

Annual HIPAA Compliance Review

It's been a year — here's what needs to be renewed and redone.

Read Guide
Act Within 24 Hours

A Patient Filed a HIPAA Complaint Against Us

A patient has filed a formal HIPAA complaint with HHS OCR.

Read Guide
Back to all guides