Chapter 07 · You Already Own It

Resources and Glossary

Every URL, form, phone number, and term used across the previous six chapters, gathered into one place. Bookmark this page. Use it as a reference while you work through your own requests.

Federal complaint portals

The two federal portals that matter when a provider denies, delays, or interferes with your records request. Both are free, public, and take less than fifteen minutes to file. Both protect you from retaliation.

HHS Office for Civil Rights (OCR) — HIPAA Complaint Portal
ocrportal.hhs.gov/ocr/cp/wizard_cp.jsf

For HIPAA violations, including denial of your Right of Access, unreasonable fees, and missed deadlines. Must be filed within 180 days of the violation. OCR has resolved 54 enforcement actions under its Right of Access Initiative since 2019.

ONC — Report Information Blocking Portal
healthit.gov/report-info-blocking

For information blocking under the 21st Century Cures Act — when a provider, EHR vendor, or health information network uses a system or process designed to interfere with electronic access. Can be filed anonymously; complainant identity is exempt from FOIA disclosure.

Federal informational resources

HHS — Your Right of Access under HIPAA
hhs.gov/hipaa/for-individuals/right-to-access

Plain-language overview of your access rights under 45 CFR § 164.524.

ONC — Get It, Check It, Use It
healthit.gov/get-it-check-it-use-it

The government's consumer-facing guide to getting your electronic health record.

HHS — Resolution Agreements and Civil Money Penalties
hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements

The complete public list of HIPAA enforcement actions, with names of the providers and amounts of the settlements. Useful for understanding what kinds of cases OCR actually pursues.

HHS — HIPAA Personal Representatives
hhs.gov/hipaa/for-individuals/personal-representatives

The rules for requesting records on behalf of a family member under 45 CFR § 164.502(g).

Military and VA records

National Archives — Veterans' Service Records
archives.gov/veterans/military-service-records

For records of military service before approximately 2006. Submit Standard Form 180 (SF-180) online, by mail, or by fax. Free for veterans, next-of-kin, and authorized representatives.

AccessVA — VA Records Portal
eauth.va.gov/accessva

For VA Claims File (C-File) requests and other VA disability records.

TRICARE — Records To/From VA
tricare.mil/PatientResources/MedicalRecords/TransfertoVA

For service members from 2006 forward. Electronic health records are accessible through the TRICARE Online Patient Portal.

State medical board complaints

Every state has a medical board that licenses physicians and accepts complaints about "failure to provide patient records," which is listed as an explicit complaint category in most jurisdictions. The board can take license action, impose fines, or issue public discipline.

The fastest way to find your state's board is to search "[your state] medical board file complaint" or "[your state] board of medicine complaint." Every board has an online form. None require a lawyer.

A medical board complaint adds real pressure because licensure is the doctor's livelihood. Where the OCR complaint creates federal scrutiny, a state board complaint creates local scrutiny from the people who decide whether the doctor can keep practicing.

State attorney general consumer protection

Most state attorney general offices have a consumer protection division that handles healthcare complaints, particularly those involving fees, billing practices, or institutional policies. They're often the most effective channel when the issue is a hospital system's policy rather than an individual doctor.

Search "[your state] attorney general consumer complaint" — every state has an online intake form.

State-by-state quick reference (faster access laws)

Several states require faster turnaround than HIPAA's 30-day federal deadline. When state law gives you more rights, state law wins.

California
15 calendar days · Health & Safety Code § 123110 · Copy fees capped at 25¢/page (paper)
New York
10 days · Public Health Law § 18 · Copy fees capped at 75¢/page
Texas
15 business days · HB 300 / Texas Medical Records Privacy Act · No retrieval fees
Florida
Reasonable time · Board of Medicine rule 64B8-10.003 · Copy fees capped at $1/page for first 25, 25¢ after

If your state isn't listed, the federal 30-day rule applies as the baseline. Many other states have their own access laws — check with your state health department or attorney general's office for the specifics in your jurisdiction.

Free online DICOM viewers and imaging tools

If a provider gives you imaging on a CD that your computer can't read, or you need to share imaging electronically, there are free tools that can read DICOM files in a browser.

Search "free online DICOM viewer" — multiple services let you upload a CD's contents or DICOM files and view them in your browser, share them with another provider via a link, or store them in a personal health record. We avoid endorsing specific commercial vendors because the market changes, but the general capability is widely available and usually free for basic use.

Note: under the 21st Century Cures Act, if a provider can deliver your imaging electronically, you have the right to request it that way and skip the CD entirely. Always ask first.

Glossary

Plain-English definitions of every term and acronym used in the previous six chapters. If you encountered a word that wasn't explained, it should be here.

HIPAA
Health Insurance Portability and Accountability Act of 1996. The federal law that sets the floor for medical records access and privacy in the United States. Often misunderstood as a privacy-only law — it also gives you the right to a copy of your records.
HIPAA Privacy Rule
The specific section of HIPAA (issued in 2003) that includes both the privacy protections and the Right of Access at 45 CFR § 164.524.
Right of Access
Your federal right under 45 CFR § 164.524 to inspect and obtain a copy of your protected health information from any covered entity. The legal foundation of every chapter of this guide.
21st Century Cures Act
The 2016 federal law that, among other things, directed HHS to write rules preventing healthcare organizations from interfering with the electronic flow of health information. Passed the House 392-26, the Senate 94-5. Signed by President Obama.
Cures Act Final Rule
The 2020 ONC regulation implementing the information blocking provisions of the Cures Act. Citation: 45 CFR Part 171.
Information Blocking
Any practice by a healthcare provider, EHR vendor, or health information network that knowingly interferes with the access, exchange, or use of electronic health information. Eight narrow exceptions are spelled out in the regulation; anything outside those exceptions is illegal.
PHI · Protected Health Information
Any information about your health, healthcare, or payment for healthcare that identifies you (or could identify you). The protected category under HIPAA.
EHI · Electronic Health Information
The broader Cures Act term for any PHI maintained electronically. Information blocking applies to EHI specifically.
EHR · Electronic Health Record
The digital version of your medical chart maintained by a healthcare provider. The system that runs the provider's documentation, ordering, and billing. Common brand names: Epic, Cerner, athenahealth, eClinicalWorks.
CEHRT · Certified Electronic Health Record Technology
An EHR system that has been certified by ONC as meeting the standards for patient access, including the View, Download, and Transmit function. If a provider uses a CEHRT and delivers your records through it, no fee can be charged.
View, Download, and Transmit (VDT)
The specific functions of a Certified EHR that allow patients to see, download, and send their records electronically. Records delivered through VDT must be provided at no cost per HHS guidance.
DICOM · Digital Imaging and Communications in Medicine
The standard file format for medical imaging — MRI scans, CT scans, X-rays, ultrasounds. When you request imaging studies, request them in DICOM format to get the actual image files (not just the radiologist's written report).
HIM · Health Information Management
The department within a hospital responsible for medical records, including request processing. The right place to send a written records request at any hospital.
MRN · Medical Record Number
A unique identifier a hospital or large practice assigns to your chart. Helps the HIM department locate your records faster. If you have one, include it in your written request.
OCR · Office for Civil Rights (HHS)
The federal agency at the U.S. Department of Health and Human Services that enforces HIPAA. Don't confuse with optical character recognition, which uses the same initials.
ONC · Office of the National Coordinator for Health IT
The federal office responsible for the Cures Act's information blocking rule and for certifying EHR systems. Located within HHS.
OIG · Office of Inspector General (HHS)
The federal agency that investigates information blocking complaints and has authority to impose civil monetary penalties under the Cures Act.
Personal Representative
Under HIPAA (45 CFR § 164.502(g)), a person legally authorized to make healthcare decisions for another individual. Personal representatives have the same access rights as the patient. Examples: parent of a minor child, healthcare power of attorney, court-appointed guardian, executor of a deceased patient's estate.
Psychotherapy Notes
The private notes a mental health professional takes during a therapy session, kept separate from the rest of the medical record. Subject to stronger HIPAA protections than other records and generally require separate written authorization for release.
Preemption
The legal rule that when state and federal law conflict, one of them controls. For medical records, the rule is that whichever law gives the patient more rights wins. If California gives you 15 days to receive records and HIPAA gives you 30, California's 15-day rule applies.
Cost-Based Fee
The only kind of fee a provider can legally charge for paper or alternative-format records under HIPAA. Limited to actual labor of copying, actual supplies, and actual postage. Does not include retrieval time, search, or review.
Resolution Agreement
The formal settlement between OCR and a healthcare organization that violated HIPAA. Includes both required corrective actions and a financial penalty. All resolution agreements are public.
Civil Monetary Penalty (CMP)
A financial penalty imposed by HHS for HIPAA violations or, under the Cures Act, for information blocking. Right of Access Initiative penalties have ranged from $16,500 to over $200,000.
SF-180 · Standard Form 180
The federal form used to request military service records, including military medical records, through the National Archives.
C-File · VA Claims File
The complete file the Department of Veterans Affairs maintains on each veteran's disability claim. Includes medical records, decisions, evidence, and correspondence. Requested via FOIA through AccessVA.
FOIA · Freedom of Information Act
The federal law that gives the public the right to request records from federal agencies. Used to request VA C-Files. Information about who filed an information blocking complaint with ONC is specifically exempt from FOIA disclosure.
Covered Entity
Under HIPAA, the kinds of organizations that must comply with the Privacy Rule. Includes healthcare providers, health plans (insurance companies), and healthcare clearinghouses.
Business Associate
A company that handles PHI on behalf of a covered entity. Examples: billing companies, transcription services, records storage vendors. They are also bound by HIPAA.
EOB · Explanation of Benefits
The document an insurance company sends after processing a claim, showing what services were billed, what was paid, and what the patient owes. Part of the records you can request from your insurance company.
UB-04
The standard claim form hospitals use to bill insurance. Contains itemized service information that's often useful for understanding what was done during a hospital stay.

The whole guide in one quick reference

YOU ALREADY OWN IT · COMPLETE REFERENCE

The seven chapters, the four laws, the two portals, and the one principle.

Where to start, if you're starting today

If you've reached this page and you haven't actually sent a records request yet, the fastest path is:

1. Take the quiz on the homepage to see how many records you might already have. It's free, takes thirty seconds, and gives you a sense of the scale of your medical history.

2. Download the free templates bundle (Word) or PDF version.

3. Pick one provider — usually your primary care doctor or your most recent hospital — and send Template 1 or Template 2 today.

4. Mark your calendar 30 days out.

That's the whole guide in four steps. Everything else — the law, the escalation, the special cases, the glossary — exists for when something doesn't go to plan. For most people, it goes to plan.

The records are yours. The law was written for you. Now you know how to use it.

— The end of the guide

If this guide helped you, the best thing you can do is share it with someone else who needs it. Send the link. Print the templates. Tell your family. Tell your aging parents. Tell anyone who has ever said the words "I just need to get my records and they won't give them to me."

This guide is, and will remain, free. There is no signup. There is no paywall. There is no upsell. We built it because every American is entitled to know what's in their medical chart, and most Americans never get told that the law is on their side. Now you know. Pass it on.
