Browse libraryBrowse library
Guide

Accessing Medical Records

How patients and authorized representatives can request copies of medical and billing records.

13 min read

What this guide covers

Accessing medical records is one of the first practical skills patient advocates learn. Records are how you verify what care happened, support an insurance appeal, challenge a bill, prepare for a second opinion, or help a family caregiver understand the plan after discharge.

This guide explains—in plain language—how patients and properly authorized helpers can request copies of health information from doctors, hospitals, labs, and other covered providers. It focuses on federal HIPAA right of accessrules that apply to most U.S. health care organizations. State laws, school records, workers' compensation files, and some specialized programs can add extra steps; when those apply, note them in your file and look for state-specific help on state guides where relevant.

Privacy rules about who may see information without a patient's OK are covered in HIPAA & Privacy Rights. How to sign someone up as an authorized helper is in Personal Representatives & Authorization. This article is about getting the actual documents in hand.

Why advocates need records

Patients remember visits in plain English. Payers and billing offices work in codes, policies, and claim numbers. Medical records bridge that gap. Without them, you are arguing from memory while the other side reviews clinical notes you have never seen.

Common advocate uses include:

You do not need every page in the chart for every problem. Request what matches the dispute or clinical question, plus enough context (problem list, relevant dates, imaging/lab for that episode) that a reviewer can follow the story.

Under HIPAA, covered providers and health plans generally must give patients (and personal representatives with proper authority) access to their protected health information in a designated record set. That is separate from asking the provider to share records with a third party—which usually requires a specific authorization form.

The U.S. Department of Health and Human Services (HHS) has stressed that access should be timely and not blocked by unreasonable fees or “only if your lawyer asks” policies (HHS — Individuals’ right to access health information). A provider may deny access in limited situations (for example, certain psychotherapy notes or when a licensed professional determines access is reasonably likely to endanger life or physical safety), but blanket refusals for ordinary clinical copies are a red flag.

If a provider will not release records to the patient but offers to send them only to another doctor, clarify whether they are treating the request as a patient access request or a provider-to-provider transfer. Patients can often choose to receive copies themselves and send them on to a new clinician.

Who can request copies

The patient (or their legal personal representative) has the core right. Adults with capacity should sign their own requests when possible.

Parents and guardians generally may access minors’ records, with exceptions for adolescent consent laws in some states (for example reproductive health, mental health, or substance use treatment).

Family, friends, and professional advocates need documented permission—typically a HIPAA authorization that names the person and describes what may be released, or legal authority such as health care power of attorney, guardianship, or executor status after death. Do not assume a spouse or adult child may call and receive copies without paperwork. Step-by-step help is in Personal Representatives & Authorization.

Insurers often already have claims-related documents they processed, but they are not a substitute for the full clinical record from the treating provider. Request both when an appeal turns on clinical detail the EOB does not show.

What to ask for

Be specific so the health information management (HIM) team pulls the right items the first time.

  • Clinical records— office notes, hospital history & physical, progress notes, consults, operative reports, discharge summaries, nursing notes, therapy notes, and medication lists for the dates you name.
  • Test results — lab reports, pathology, EKG tracings (or summaries), and imaging reports. For actual image files (CD or electronic link), say so explicitly.
  • Billing records — itemized hospital statements, UB-04 data, and chargemaster-backed detail if you are disputing charges. Billing may be a separate department from medical records.
  • Insurance-facing documents — prior authorization submissions, peer-to-peer summaries, or letters of medical necessity if the provider created them.

Example wording: "Copies of all medical records, including discharge summary, operative report, radiology reports, and laboratory results for dates of service March 4–March 12, 2026, for [patient name and date of birth]." Add "electronic PDF via secure email or patient portal" if you want digital delivery.

How to request records

Before you contact the office

Gather:

  • Patient full legal name, date of birth, and contact information
  • Dates of service and facility or physician name
  • Medical record number or hospital account number if you have it (often on a wristband label, discharge paper, or bill)
  • Signed HIPAA authorization if you are not the patient
  • Photo ID copy if the provider requires it for pickup

Patient portal

Many systems let patients download visit summaries, test results, and after-visit notes without a formal HIM request. Portal access is often the fastest route for recent care. Limitations: not every note type appears, imaging may be report-only, and older records may be missing. Still submit a formal request if you need legal copies for an appeal or a complete chart for a date range.

Written request

A short written request creates a clear deadline clock and a paper trail. Send it to the address listed on the facility website under "Medical Records," "Health Information Management," or "Release of Information." Many offices have their own form—you may use theirs, a template from Patient Rights Templates, or a plain letter that includes the patient identifiers and specific records sought.

Your letter should state:

  • That this is a HIPAA right of access request for copies (not only provider-to-provider transfer)
  • Exact records and date range
  • Preferred format (electronic PDF, paper, CD for images)
  • Where to send them (mail, fax, secure email)
  • Patient signature and date (or representative authority attached)

Track the request

Log the date sent, method, contact person, and any ticket number. HIPAA generally allows 30 days to act, with one 30-day extension if the provider notifies the patient in writing of the reason for delay (45 CFR § 164.524). Mark your calendar for follow-up at day 25 if nothing arrives.

Timelines & fees

Expect up to 30 days for most HIPAA access requests, with a written extension possible. Some states set shorter timelines for certain record types—check your state consumer or hospital regulations if the patient is inpatient or the delay is extreme.

Providers may charge a reasonable, cost-based fee for copies, not a profit center. Federal guidance limits what may be included (generally labor for copying, supplies, postage, and in some cases a flat fee for electronic copies). Push back on per-page hospital rates that look like hundreds of dollars for routine PDFs. HHS has published patient-friendly fee guidance (HHS — Permitted fees for copies).

Ask for electronic copies when possible—they are often cheaper and faster. If a fee is quoted, request an itemized estimate before paying.

Paper, PDF, or electronic

Patients may request records in the format they prefer if the provider can readily produce it. Many advocates want searchable PDFs through secure email or direct portal download. Imaging may still arrive on CD; confirm whether a link to a cloud viewer is available.

When records will go to an insurer or attorney, you may still obtain your own set first, review for accuracy, and then authorize forwarding. Typos in demographics or wrong dates of service in the chart can undermine an appeal—catch them early.

When access is delayed or denied

If the provider stalls, narrow the request, confirm they received it, and escalate in writing:

  1. Confirm receipt — fax confirmation, certified mail tracking, or portal ticket number.
  2. Ask for status in writing — cite the request date and HIPAA access timeframe.
  3. Narrow the scope — a smaller date range or record type list often speeds release.
  4. Fix authorization gaps — missing signatures or wrong scope on a HIPAA form is a common fixable problem.
  5. File a HIPAA complaint with the HHS Office for Civil Rights for unjustified denial or unreasonable fees, and note parallel state options in Where to File Complaints.

A delay is not the same as a clinical denial of access. Document every call: date, time, name, title, callback number, and what you were told.

Using records in advocacy

Insurance appeals

Match records to the denial reason on the letter or EOB. Prior authorization denials need documentation that criteria were met or that urgency justified an exception. Medical necessity denials need notes showing symptoms, failed conservative treatment, or guideline-concordant care. Use the Denial Decoder to sort the denial type, then build the packet described in Evidence Packets.

Billing disputes

Compare the chart to the itemized bill and EOB. Was the service documented on the day billed? Does the procedure code match the operative report? Were supplies billed that do not appear in nursing notes? Records plus billing detail are the core of many provider-side disputes on the Billing Disputes roadmap.

Care coordination

After ER or hospital care, request the discharge summary and test results before the follow-up visit. Share them with the primary care clinician or specialist. For caregivers, combine records access with a clear authorization so future calls to the care team are smoother.

Scenarios beginners run into

Family cannot get records

The front desk says HIPAA prevents release. That often means there is no authorization on file—not that the patient has no right. Have the patient sign a targeted HIPAA release, fax it to HIM, and call back with the confirmation number. If the patient lacks capacity, confirm whether a health care proxy or guardian document is needed and recorded.

Records from years ago

Retention rules vary by state and setting. Hospitals may archive older charts off-site, which adds weeks but does not eliminate the access right if the record still exists. Ask when the retention period ends so you know whether a copy is even possible.

Imaging or lab-only request

Say "radiology images and reports for [date]" or "laboratory results for [date range]." Labs may be a different legal entity than the hospital—request from the lab that performed the test if the hospital redirects you.

Provider says they already sent them

Ask where they were sent (fax number, address, insurer name) and on what date. Insurer portals are not always the same as patient copies. Request a fresh copy to the patient's address or email and keep the mailing proof.

High copy fees quoted

Request an itemized fee estimate, ask for electronic format, and cite HHS access guidance if the charge looks like a barrier rather than cost-based recovery. Offer to accept a limited record set (for example discharge summary plus operative report only) if that reduces labor.

Example:

Situation: Medicare Advantage denied a skilled nursing stay after hospitalization. The family only has the discharge instruction sheet.

Action: Request hospital records for the admission (discharge summary, therapy notes, nursing assessments). Compare to the Medicare denial letter reason. File the internal appeal with those pages highlighted and a short cover letter—see Appeals Roadmap.

Official resources

HIPAA & Privacy Rights

What HIPAA protects, who can access records, and how advocates can work with patient authorization.

Read guide

Personal Representatives & Authorization

HIPAA releases, healthcare power of attorney, caregiver access, and when providers can speak with family.

Read guide

Where to File Complaints

State health departments, licensing boards, OCR, CMS, insurance departments, and hospital accreditation bodies.

Read guide

The weekly brief

Patient advocacy notes, in your inbox.

One short email a week — policy changes, denial trends, and new guides. Free. No spam.

  • ~1 email / week
  • Plain English
  • Unsubscribe anytime

Join 38,000+ readers. See our privacy policy.