ProviderQuoHealth

Requesting Your Medical Records: A Step-by-Step Guide

By ProviderQuoHealthMay 25, 2026

Requesting Your Medical Records: A Step-by-Step Guide

You switched doctors, need records for a specialist, or just want to know what's in your file. Getting those records is your legal right — and knowing exactly how the process works makes it much harder for a provider's office to stall you.

Your right to access under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) gives you a federal right to inspect and receive a copy of your own medical records. This applies to records held by most healthcare providers and health plans — doctors' offices, hospitals, labs, pharmacies, and insurers all fall under the rule.

The HHS Office for Civil Rights (OCR) is the federal office that enforces this right. Their guidance is clear: covered entities must provide you access to your records. They cannot require you to explain why you want them.

There are narrow exceptions — psychotherapy notes (the private notes a therapist writes for their own use, not the formal clinical record) and records compiled for legal proceedings can sometimes be withheld. But for the vast majority of records — visit summaries, lab results, imaging reports, medication lists — the right of access applies in full.

Step 1: Submit a written request

Most practices ask you to fill out their own access request form, but you are not required to use it. A written request on plain paper works. Include:

  • Your full name and date of birth
  • The dates of service or time range you want covered
  • The specific records you're requesting (or "all records" if you want everything)
  • Your preferred format — electronic or paper (more on this below)
  • Where to send the records (to you directly, to another provider, etc.)
  • Your signature and the date

Keep a copy of whatever you submit, and note the date you sent it.

Step 2: Understand the timeline

Under the HIPAA right of access rule, the provider has 30 calendar days to fulfill your request from the date they receive it. They can take one 30-day extension if they notify you in writing before the first deadline expires — but only once.

That 30-day clock starts when the request lands in their hands, not when they get around to reading it. If you mail it, sending it certified mail gives you a timestamp.

Step 3: Choose your format

You can request records in electronic form — a PDF, a secure patient portal download, a CD, or even a file sent over encrypted email — if the provider maintains them electronically. This applies to any provider or health plan that uses an electronic health records system.

If you want paper copies, you can ask for those too. The format decision is yours to make, within what's technically feasible on the provider's end. If they maintain your records electronically and you ask for an electronic copy, they can't charge you extra just because it's in a format you prefer.

Requesting records through a patient portal (if the practice has one) is often the fastest path. Many portal downloads are immediate and free.

Step 4: Know what they can charge

Providers are permitted to charge a reasonable, cost-based fee for copies. What counts as "reasonable" is regulated. They can charge for:

  • Labor to copy records (electronic or paper)
  • Supplies (paper, postage for mailed copies)
  • Preparation of a summary, if you request one instead of the full record

They cannot charge you a search fee, a retrieval fee, or any fee that isn't tied to actual reproduction costs. And if you request an electronic copy that the practice can produce without significant labor — a portal download, for instance — the HHS OCR guidance indicates the fee should reflect that, meaning it may be very low or zero.

Fees vary by state, since many states have their own medical records laws that cap what providers can charge. If you're not sure what's allowed in your state, your state health department's website is a good starting point.

What to do if a practice delays or denies your request

If the 30-day window passes without a response, or if the practice denies your request without citing a valid HIPAA exception, you have options.

First, follow up in writing. Send a dated letter or email referencing your original request and the date you submitted it. Put the practice on notice that you're aware of the federal timeline.

Second, ask to speak with the practice's Privacy Officer. Every HIPAA-covered entity is required to designate a Privacy Officer. That person is responsible for handling access requests and complaints. Escalating directly to them often resolves delays faster than going through front desk staff.

Third, file a complaint with HHS OCR. If the practice still doesn't comply, you can file a complaint online at HHS. Complaints must be filed within 180 days of when the violation occurred, though OCR can sometimes extend that window. OCR has the authority to investigate and, if warranted, impose civil monetary penalties on providers who violate the right of access rule.

You can also contact your state attorney general's office. Many states have their own medical privacy statutes and enforcement mechanisms that run parallel to federal HIPAA protections.

A few things worth knowing before you request

Requests for records on behalf of someone else — a minor child, a parent under a power of attorney, a deceased family member — require documentation of your legal authority to make the request. The specifics vary by state and circumstance, so ask the practice what documentation they need upfront.

Sending records directly to another provider is common and often free. When you're requesting a transfer to a new doctor, specify that in your written request. The receiving provider's fax number or secure email address is usually all you need to include.

Corrections and amendments are a separate right under HIPAA. If you believe something in your record is inaccurate, you can submit an amendment request in writing. The provider can accept or deny it, but if they deny it, they must tell you why — and you have the right to submit a statement of disagreement that becomes part of your record.

Where to go from here

If you're looking for a new provider to send your records to, the ProviderQuoHealth directory lets you search by specialty, location, and insurance. Once you've found a match, you can use the steps above to request a transfer directly from your current practice.

If you're looking for a specific type of specialist — say, a new primary care physician or a cardiologist — browsing by specialty at /specialties/family-medicine or /specialties/cardiology can help you narrow the list before you start the records transfer process.

Important note

This article is for general information and is not medical advice. It is not a substitute for professional care from a licensed clinician. If you have a medical concern, talk to a healthcare provider. If you are experiencing a medical emergency, call 911 (in the U.S.) or your local emergency number.

← Back to Blog