Patient’s Guide to HIPAA – Basic Rights: B. Right to Inspect and Copy Your Record (FAQ 18 – 24)



You are reading the Patient’s Guide to HIPAA, FAQ 18-24

HIPAA Guide Quick Links:


The HIPAA rule defines seven patient rights, one of them is a right to inspect and copy your health records. This page includes all FAQs explaining this right (FAQ 18- 24).


B. Right to Inspect and Copy Your Record (FAQ 18 – 24)


FAQ 18: Why Both Inspect and Copy?

HIPAA provides each patient with the right to inspect his or her record and to have a copy of the record. These are two different things. You cannot be charged a fee if you want to inspect your records. This means that you can always see your record, even if you don’t want to pay.

If you want a copy of the record to take with you, then you can be charged a fee. You can also be charged an additional fee if you ask for a summary or explanation of your record. You do not have to ask for a summary or explanation.


FAQ 19: Do I Want to See or Copy My Record?

There are many reasons you might want to review your health record at your health care provider or insurer. Decide if any of these appeals to you:

• You plan to move to another city and want to bring your records to a new doctor so that the doctor has your current information on your first visit. You may not know who the new doctor is in advance so you cannot arrange a doctor-to-doctor transfer.

• You want a second opinion from another doctor and want to avoid having duplicate tests. If you have the records, you don’t have to let your first doctor know about the second opinion.

• You want to make sure that your new consulting doctor knows about earlier treatments and previous tests.

• You want to keep a permanent copy of all your health records in one place and in your possession.

• You are curious.

• You want to make sure that your children have your records because you think that something in your record (e.g., genetic information or family history that they may not know) may eventually be relevant to their treatment.

• You have given your medical power of attorney to your grandson, and you want him to have all of your records (not just those for your current treatment) so that he can make informed decisions or so he can obtain assistance in making choices. By the way, the records that you give to your grandson are not covered by HIPAA in his hands (except, perhaps, if he is a physician or other health care provider).

• You want to talk to a lawyer about medical malpractice and don’t want your health care provider to know about it.

• You think that there might be incorrect or irrelevant information in your record.

• You think that you are a victim of medical identity theft.

• You think that your insurance company improperly denied your claim, and you want to see the record about you that the company maintains.

• You think that your doctor or insurance company is lying to you.

• Any other reason or no reason. It is your right to see or have a copy of your record. You don’t need to have a reason. You do not have to tell anyone what your reason is.


FAQ 20: Which Records Can I Get and in What Formats?

You can generally ask for your all of your records maintained by any covered entity, but the covered entity can withhold some records. We will cover that subject in FAQ 24.

The copying of paper records is familiar to everyone. For electronic records that a covered entity maintains (whether or not the information is formally maintained in an electronic health record), you have the right to obtain the information from a covered entity in an electronic format. Generally, you can choose the electronic format you want as long as the information is readily reproducible in that format. In order words, a covered entity has to give you the format you want if it can without a great deal of trouble. Be sure to state your preference and ask for alternative formats if you can. You can also ask the covered entity what formats it is capable of providing and then make an appropriate choice.

Remember that some electronic records (e.g., 3-D images created by an MRI) may be maintained in a format that requires special software to read. If your goal is to be able to share an electronic record with a physician, then the native format may be okay because your physician will likely to able to read it in that format even if you can’t.

Depending on your purpose, you may be interested in records of your hospitalization, records from your family physician, records from your insurance company, records from your pharmacy or pharmacy benefit manager, or your records any other covered entity. You can ask every covered entity for all of your records, but the next few questions suggest reasons for narrowing your request.

New in 2013 is a requirement that you can tell a covered entity to transmit your record directly to someone you designate. Your request must be in writing, signed, and clearly identify the designated person and where to send the copy of protected health information. This is not the same as an authorization, which has many more elements to it. Authorizations are discussed in later FAQs.

We think this rule was needed because some hospitals made it hard for a patient’s lawyer to obtain the patient’s record. It’s fine to use this capability, but be careful that you don’t casually or accidentally sign a form that allows someone to get your health records. Whoever gets your records in this fashion may not be subject to HIPAA, and your records could conceivably be made public or used for marketing or profiling. If you allow a data broker or marketer to have a copy of your health records, you are not likely to be happy about the result. This particular change in the rule has potential for mischief, but your can protect yourself by being careful what you sign. That’s good advice all the time.


FAQ 21: How Much Will It Cost For a Copy of My Medical Record?

A covered entity can charge a reasonable, cost-based fee for providing a copy. The fee may include only the cost of labor for copying, the cost of supplies for creating the paper copy or electronic media, and the cost of postage. Any other copying charges – including but not limited to administrative fees, overhead, retrieval costs for locating data – are improper. Charges for inspecting a record are improper, even if the covered entity says that it had to make a copy for you to inspect. Charges for a summary or for an explanation are permissible if you ask for a summary or explanation.

Don’t let anyone charge you more than is allowed by the HIPAA rule. If you don’t think that the fees are proper, complain about it. You have a right to complain to the Secretary of HHS (via the Office of Civil Rights), and that right will be covered later. (See FAQs 46-50, 51.) Remember that state law may establish lower fees than HIPAA allows or may not allow any fees at all. If you need records and can’t afford to pay, ask for a waiver of fees. Some covered entities may provide some or all records without charge or at a discount, but they are not required by HIPAA to do so.

Standard copying costs can be as much as $1.00 a page or perhaps more. If you want a hard copy of an x-ray, the fee could be considerably more (but an electronic copy may be cost-free if transmitted to you electronically). Many health care institutions hire outside firms to handle copies. Copying hospital records is a business. Insurance companies and lawyers tend to be frequent requesters of records, and copying charges can be expensive because these requesters don’t much care and because there is no competition. The result is that the standard charge per page can be high. Your best strategy may be to narrow your request (see the discussion in FAQ 23 about what records to request) or to obtain an electronic copy of records that are already electronic. Copies of electronic records may be less expensive.


FAQ 22 : How Do I Make a Request for Access?

Start by reviewing the covered entity’s copy of the notice of privacy practices. Remember that every covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

The notice of privacy practices describes your right to inspect and to obtain a copy of your record. It should also tell you the local procedure for making a request. You will likely be asked to write a letter or fill out a form in order to make your request for access. A covered entity can insist on a written request and may ask you for identification. Asking for an ID is reasonable because you don’t want someone else to get your records without your consent. However, avoid letting a covered entity make a copy of your driver’s license. Someone with access to your health records may use that copy to make you a victim of identity theft.

When you make a request, the covered entity must act on your request within 30 days. Don’t count on an instant response. The entity can take an additional 30 days to respond if it provides you with a written explanation of the delay. If you need the records more urgently, say so. It might help, but the rule allows the covered entity to wait 30 days or more no matter what. Your doctor might be responsive to your need for fast access, but bigger institutions have procedures and may not be inclined to do anything but the minimum required of them.


FAQ 23: What Records Should I Ask For? The Strategy of Asking for Records.

A covered entity must allow you to inspect or obtain a copy of your record. Some records can be withheld. (See the next FAQ.) Just figuring out who to ask and what to ask for can be complex. Don’t assume that you need a copy of all records from all health care providers and insurers. Obtaining your health records can be surprisingly complicated, may present some hard choices, may be expensive, will require some planning, and can take time. Managing many records from many different providers may be a challenge too. This FAQ tells you about the strategy for requesting health records.

First, copying costs for paper records may be considerable. You may want to think about the costs involved before you ask. A hospital record can have hundreds or even thousands of pages. Think about whether inspecting your records will meet your needs. If you can inspect first, you might be able to narrow your request and cut the cost. Copies of electronic records may be much less expensive than copies of paper records.

Second, if you have been using the same hospital or doctor for 20 years and the reason for your request relates only to your treatment from your last visit, you might limit your request to recent records, or records dating back one visit, one month, or one year. The same idea may work if you want records from your insurer.

You may not know which records you need at first. The point is that you want to obtain records that you think are relevant, but you may not want every record from every HIPAA covered entity. Most people have had dozens of health care providers and insurers in the course of their lives. Many records will not be important or worth the time and effort to find for most people. Old records from individual practitioners may be hard to locate and obtain. However, hospitals and other long-standing institutions are more likely to have older records, although they may be in storage offsite.

If you want your records because you think you might have been a victim of an identity thief, you will find some more specific advice at the World Privacy Forum’s FAQ for medical identity theft victims.

It is possible that a thief used your name to obtain services from a health care provider, clinic, pharmacy, or laboratory that you never used yourself. Don’t be surprised if the trail leads you to unexpected places.

One part of the health care world that few people recognize is the Pharmacy Benefit Manager or PBM. A PBM is a company that contracts with managed care organizations, self-insured companies, government programs, and other insurers to manage pharmacy network management, drug utilization review, and other activities. A PBM is likely to be the organization that fills your drug prescriptions by mail. A PBM may have relevant records. Your health plan hires the PBM, and you may have to seek access to PBM records through the plan. The notice of privacy practices should tell you what you need to know on this front, or it should tell you how to find out. PBM records may duplicate records that exist elsewhere, but they can be important sources of information at times. If you are seeing more than one doctor, clinic, or hospital, PBM records tend to include information from different providers.

Third, asking for a copy of your complete paper health record may provide more information than you need. It may also be especially expensive. Your health records may include results of x-rays and other diagnostic tests that may be costly to duplicate.

On the other hand, if records are electronic, it may be easy and inexpensive to obtain an electronic copy of everything or almost everything. If the covered entity has electronic records, it must give them to you in electronic form if you want them in that form. You can ask for hard copy of electronic records, but the cost might be higher. Not all electronic records can be printed on paper. You can obtain electronic records in the format you want if the covered entity can reasonably provide them in that format.

Consider how you might limit your request for access so that you limit your costs. See if you can talk to someone in the record keeper’s office when you make a request so that you can negotiate what you really need. One idea is to not ask for a hard copy of an x-ray unless you know that x-rays are essential. Even then, an electronic copy may be sufficient. If other records are especially expensive to duplicate, you may want to defer asking for those records too. Ask for a price list before requesting all records. Another idea is to ask to inspect your records first so you can decide which parts you want to have copied.

Fourth, once when you receive some records, you may be able to focus your later requests. You may find that the provider used a lab or other independent provider that will have some of your records that you may want to have or that you may want to inspect.

Finally, copying of electronic records can be very inexpensive. If you want a copy of all of your electronic records, you can ask for them. It’s a reasonable approach. Understand that the records may not arrive in a single, chronological file, however. You may receive many different files in different formats.

If you are planning to maintain your own health record archive for your lifetime, remember that computer record formats may change over time. Some formats go out of date. For example, it can be difficult or impossible today to read a file saved by a 1992 word processing program. Consider asking for records in formats likely to remain in use in the long run. Experts think that PDF may be one of those formats, but there may be others. This can be a complex issue to assess.


FAQ 24: Can a Covered Entity Withhold Any of My Medical Records?

Yes. In some situations, a covered entity can withhold records.

First, the right of access under HIPAA does not extend to psychotherapy notes, materials compiled for litigation, and some laboratory records (non-CLIA labs). A non-CLIA lab is typically a lab that does research work. By the way, CLIA stands for the Clinical Laboratory Improvement Amendments, and you can find more information at It is a complicated law, and most patients don’t have to worry about CLIA issues.

Second, a covered entity can deny you access to some records, including records maintained by a prison, some records of research participants, and records obtained from someone other than a health care provider under a promise of confidentiality. The HIPAA privacy rule does not require a health care institution to allow you to appeal the denial of these records, but some institutions might accept an appeal if you file one. Read the notice of privacy practices to learn if there is an appeal option. We recommend that you appeal to the head of the institution (or to the privacy officer) even if you don’t have the right to do so. An appeal may result in a review of the initial decision. If it doesn’t, then you only invested the energy of writing a letter.

Third, a covered entity can deny you access to some records if a licensed health professional determines that access is reasonably likely to endanger the life or physical safety of you or another individual. Records about other people can be withheld if a licensed health professional has determined that access is reasonably likely to cause substantial harm to that individual or another person. Requests made by an individual’s personal representative can also be denied if disclosure would cause substantial harm. If an institution withholds records for any of these reasons, it must provide a written denial explaining the reason for the denial. It must also explain any appeal rights that you have.

Remember that state law may grant you greater access rights than HIPAA. If state law has an access provision for health records – and many states do – then you may be able to obtain records exempt under HIPAA. If a federal agency has your records, rights of access under the Privacy Act of 1974 may be greater than the rights under HIPAA.


Roadmap: Patient’s Guide to HIPPA: Part 2: Basic Patient Rights: B. Right to Inspect and Copy Your Record  (FAQ 18 – 24)

Jump to list of FAQs 1-65 | See all of Part 2