If you have ever wondered how to get your medical records, you are not alone. Most Americans have never made the request, even though federal law has guaranteed the right for years. The reason is simple: nobody is taught how to do it, and providers do not advertise it.

This guide fixes that. Every step below is grounded in current federal law and reflects how providers actually respond in 2026. Read straight through if you want the whole picture, or jump to the scenario that fits your situation.

What counts as a medical record

A medical record is any information about your health that a healthcare provider, health plan, or healthcare clearinghouse creates or maintains. Under HIPAA, this is called your designated record set, and it is broader than most people realize.

Your records typically include:

  • Clinical notes. Every visit, every consultation, every phone call documented by a clinician.
  • Lab and pathology results. Bloodwork, urine tests, biopsies, cultures, genetic testing.
  • Imaging. X-rays, MRIs, CT scans, ultrasounds, mammograms. Both the reports and, in many cases, the actual DICOM image files.
  • Medications. Every prescription written and refilled, including discontinued ones.
  • Immunizations. Childhood and adult vaccination history.
  • Operative and procedure reports. Surgeries, biopsies, endoscopies, anything performed on you.
  • Hospital records. Admission notes, discharge summaries, daily progress notes, nursing notes.
  • Emergency department records. Every ED visit, even the ones you may have forgotten.
  • Billing records. Claims data, diagnosis codes, and procedure codes, which often reveal services your clinical notes missed.
  • Mental health records. Therapy notes, psychiatric medications, treatment history. (Psychotherapy notes are handled separately under HIPAA.)

Anything created or maintained by a covered entity that is used to make decisions about your care is part of your record. You have the right to a copy of all of it.

The federal law in plain English

Two federal laws give every American the right to their medical records. Both have been in effect for years. Almost nobody uses them.

HIPAA Right of Access (45 CFR § 164.524)

The Health Insurance Portability and Accountability Act, passed in 1996, includes a "right of access" provision that says any individual has the right to inspect and obtain a copy of their protected health information. The provider must respond within 30 days, may extend once by another 30 days, and can only charge a reasonable cost-based fee.

21st Century Cures Act (2016)

The Cures Act, signed into law in 2016, dramatically expanded patient access rights. Its Information Blocking Rule, which took full effect in 2021 and 2022, prohibits providers, electronic health record vendors, and health information exchanges from interfering with the access, exchange, or use of electronic health information. In practice, this means a provider cannot refuse to release records, delay them unreasonably, or charge unreasonable fees for electronic delivery.

WHAT THIS MEANS

If you ask in writing for your records, and your provider refuses, delays unreasonably, or charges large fees for an electronic copy sent to you, that is generally a federal violation. The Office for Civil Rights enforces the HIPAA right of access. The Office of the National Coordinator for Health IT enforces the Cures Act information blocking rule. Both have authority to investigate complaints and levy penalties.

The six scenarios, step by step

Most people fit into one of six situations. Find yours, follow the steps.

SCENARIO 1

Getting records from your current primary care doctor

The fastest path is your provider's patient portal. Most modern practices use Epic MyChart, Athenahealth, Cerner, or a similar system.

  1. Log into your patient portal. Look for a section called "Medical Records," "Health Summary," "Documents," or "My Records."
  2. Download whatever the portal offers. This is usually a summary, not the complete record, but it is a starting point.
  3. If the portal does not have a full download option, submit a written records request through the portal messaging system, by email to the medical records department, or in writing at the front desk.
  4. Specify: "I am requesting a complete copy of my medical records under my HIPAA right of access. Please send electronically to [your email] within 30 days."
  5. Keep a copy of your request and note the date.
SCENARIO 2

Getting records from a hospital

Hospitals have dedicated Health Information Management (HIM) departments. The records are often more extensive than office records: admission notes, discharge summaries, every test, every consultation, anesthesia notes, nursing notes.

  1. Call the hospital's main number and ask for "Medical Records" or "Health Information Management."
  2. Ask them to email or mail you a records request form. (Many post the form on the hospital website.) Or send your own written request.
  3. Include the date range of your admission(s), your medical record number if you have it, and your contact information.
  4. Specify electronic delivery. Hospitals are required to accommodate this under the Cures Act.
  5. If the hospital uses MyChart or a similar portal, you may also be able to download records there. The portal version is often abbreviated; the HIM department version is more complete.
SCENARIO 3

Getting records from your health insurance company

Your insurer often has the most comprehensive view of your medical history, because they see every covered provider, every prescription, every test billed. Under the CMS Patient Access API rule (effective 2021), insurers must make claims and clinical data available through a standardized interface.

  1. Log into your insurer's member portal.
  2. Look for "My Health Records," "Claims History," "Health Summary," or a similar section.
  3. Download or request claims data, prescription history, and any clinical data the insurer maintains. Most carriers provide at least 5 years of history.
  4. If your insurer offers a third-party app integration (Apple Health, CommonHealth, Hugo Health, etc.), connecting one of these can pull all your insurance-side records into a single place automatically.
  5. If you have changed insurers, repeat with each previous insurer. They are required to give you access to your historical records too.
SCENARIO 4

Getting records from a pharmacy

Your pharmacy holds your prescription history, sometimes going back many years. This is especially useful if you have used multiple doctors over time and want a single source of every medication you have been on.

  1. For a current pharmacy: log into the pharmacy app or website. Most chains (CVS, Walgreens, Walmart, Rite Aid, supermarket pharmacies) let you download prescription history directly.
  2. For older or closed pharmacies: contact the pharmacy chain's records department. They are required to retain prescription records for at least 2 years federally and often 5 to 10 years under state law.
  3. For a complete prescription history across pharmacies, request a report from a Prescription Drug Monitoring Program (PDMP) through your state health department. PDMPs track all controlled-substance prescriptions in your state.
SCENARIO 5

Getting records from a former provider you no longer see

Your right to records does not expire when you leave a practice. Providers are required to retain adult records for 7 to 10 years in most states, often longer.

  1. If the practice is still open: contact them directly using the same steps as Scenario 1 or 2.
  2. If the doctor has retired or the practice has closed: state medical boards often maintain a registry of where closed-practice records went. Check with your state medical board.
  3. If records were transferred to another provider (common when a doctor retires), follow them there.
  4. If a hospital has closed entirely (rare), the state health department or a state archive may hold the records.
  5. If records are truly lost or destroyed (older paper records, fires, etc.), the provider must tell you in writing. You may have to reconstruct from other sources: insurance claims, lab companies, imaging centers, pharmacy records.
SCENARIO 6

Getting records for a deceased family member

HIPAA protects a deceased patient's records for 50 years after death. Family members and personal representatives can obtain them, but the process is more involved.

  1. Determine your legal authority. The strongest path is being the personal representative of the estate (executor, administrator, or court-appointed representative). Letters testamentary or letters of administration from the probate court establish this.
  2. If no estate has been opened, immediate family members may still be able to access records under certain circumstances, especially for family medical history purposes. Each state handles this differently.
  3. Submit a written request to each provider that treated the deceased. Include: a certified copy of the death certificate, documentation of your legal authority, your government-issued ID, the records you want, and how you want them delivered.
  4. Expect this to take longer than a standard records request. Providers are appropriately cautious about releasing decedent records.
  5. State probate courts and state medical boards can help if you encounter resistance.
FREE · HIPAA COMPLIANT · NO SIGNUP
Get the Universal Release Form

If you need records sent to a third party (another provider, attorney, insurer), download our free HIPAA release form. PDF or Word, no signup.

Request letter vs release form vs portal vs FOIA

Four different documents come up in medical records conversations, and they do different things. Picking the wrong one wastes time. Use this table to decide which fits your situation.

Document What it does When to use it
Request letter You ask the provider to send your records to you. You want your own records, for yourself. No formal authorization required under HIPAA right of access. See template letters.
Release form (HIPAA authorization) You authorize the provider to send your records to a third party. Records are going to another provider, an attorney, an insurer, or a family member. Required by HIPAA at 45 CFR § 164.508. Free release form.
Patient portal download You download records yourself from the provider's online system. Fastest option for current providers. Usually delivers a summary, not the complete chart. Best paired with a written request for the full record.
FOIA request You request records from a government agency. Only applies if the provider is a government entity (VA, military hospital, federal prison, public health department). For non-government providers, FOIA does not apply; use HIPAA right of access instead.

How long it takes and what it costs

Timeline

Under HIPAA, the provider has 30 days from receipt of your request. They may extend once by another 30 days if they notify you in writing of the reason for the delay. Total maximum: 60 days. In practice:

  • Patient portal downloads: immediate.
  • Email or portal-based requests: typically 5 to 15 business days.
  • Hospital HIM department requests: typically 10 to 30 days.
  • Mailed paper requests: 15 to 45 days.
  • Closed practices, archived records, microfilm: 30 to 90 days. Providers must still produce what exists.

Cost

Under HIPAA and current HHS guidance, providers can only charge a "reasonable, cost-based fee" for labor, supplies, and postage. Per the 2020 Ciox Health v. Azar decision, providers cannot charge a flat retrieval fee for electronic records delivered directly to the patient. In practice:

  • Patient portal downloads: always free.
  • PDF by email: almost always free.
  • USB drive or CD: small media cost, usually $5 to $10.
  • Paper copies: a small per-page fee plus postage, often capped by state law (typically $0.25 to $1 per page).
  • Records sent to a third party (lawyer, other provider): the provider may charge a labor fee. This is the path where some legitimate fees do apply.
CHARGED TOO MUCH?

If a provider tries to charge you a large sum for an electronic copy of your own records sent to you, that is likely a HIPAA violation. The Office for Civil Rights has fined providers from $3,500 to over $4 million for right-of-access violations. File a complaint at hhs.gov/ocr.

Common roadblocks and how to fix them

"We can only deliver through our portal."

Under HIPAA, you have the right to receive records in the form you request. If the portal does not contain your full record, the provider must produce it through another channel. Email, USB drive, CD, or paper. Cite 45 CFR § 164.524(c)(2)(ii) if they push back.

"You need to come in and sign a form in person."

Generally not required. A written request with your signature, sent by email or mail, is sufficient. The provider may verify your identity (a reasonable practice), but cannot require an in-person visit as a condition of releasing records.

"We charge $1.50 per page."

Per-page fees are allowed for paper copies under state law. They are not allowed for electronic records sent to you. Request electronic delivery instead.

"Your records are too old, we no longer have them."

Providers are required to tell you in writing if records were destroyed and when. If they refuse to search or refuse to confirm in writing, file an OCR complaint. Most adult records must be retained for at least 7 years under state law; many providers retain them longer.

"We can release the records, but only to your new doctor."

Not true. You have the right to receive your own records yourself. The provider does not get to decide where they go.

"It will take 60 days."

The 30-day clock is the rule; a 30-day extension is the exception, and the provider must notify you in writing of the specific reason. "It will take 60 days" without explanation is not a valid extension.

What to do once you have your records

You will likely end up with a large PDF or a stack of files. A few practical things:

  • Save everything in one place. A folder on your computer, a cloud storage account, or both. Name files by provider and date.
  • Make a one-page summary. Major diagnoses, current medications, allergies, recent surgeries, family history. This is the document you actually bring to appointments.
  • Identify gaps. Missing imaging? Missing lab results? Cross-check what you received against what you remember being done. Request the missing pieces.
  • Look at the billing records too. Diagnosis codes (ICD-10) and procedure codes (CPT) in billing data sometimes reveal services not documented elsewhere.
  • Share selectively. You decide who sees what. New providers, family members, attorneys: only what is relevant.

Most importantly: this is now your record. You can fix errors. Under HIPAA's right to amend, if you find something inaccurate, you can request a correction. The provider must respond within 60 days.

Frequently asked questions