LibGuides: Better Communication With Health Professionals: Access to Your Medical Records

Our Right to Access Our Medical Records

Several laws have established that all patients have the right to see the content of their medical records. HIPAA and the Cures Act require that health care providers must give patients access to their own information, and to share medical records when a patient specifically requests it (but otherwise keep medical records confidential and private).

You may have seen notices from your health care providers about “going paperless”, and for entering what used to be information on paper into electronic health records (EHR) accessed over the internet through portals like MyHealth or MyMedicare. For the most part health care providers in the US have opted to do this in order to meet changes in regulations for medical records, but the legal right to access our medical data applies to records on paper also.

Access to electronic health records - seeing our medical records online - must be free of charge. However, if we want a photocopy or digital copy, health care providers can charge us for the cost of making and sending that copy.

Who Else Can Access My Medical Records?

According to the Health Insurance Portability and Accountability Act (HIPAA):

- Patients can choose someone as their personal representative, who then has the same rights to see that person's medical records. Generally, a spouse or adult child doesn't have the right to see your medical records unless you designate them as a personal representative.

- Parents or legal guardians are assumed to be personal representatives for their children under 18, with some exceptions. (California state law requires consent from children 12 and older in cases of suspected abuse, sexual activity, drug use, and in some other situations.) When someone turns 18, a parent or legal guardian no longer has the right to see their medical records even if that person is still covered under a parent's health insurance plan or a student health plan.

However, these requirements don't give complete privacy. Service details that appear on medical bills are visible to the person who pays those bills, whether spouse, parent, child, or legal agent.

- In general when someone dies, their executor or estate administrator automatically becomes the personal representative (see HHS link below for more details).

- Certain agencies, including law enforcement, may request information from your medical records in very specific situations, but generally cannot access the full record. Likewise, an employer may ask for documentation of a medical condition in specific situations (like ADA accommodation or family medical leave). If in doubt, seek legal advice.

What Medical Rights Do Minors Have? (Scripps)
California Minor Consent and Confidentiality Laws (Teen Health Law)
Chart of situations that require a teen's consent to inform a parent or legal guardian, per CA law. Last updated 2019.
How to Get Access to Your Parents’ Health Records (My Health Spin)
10 Things to Know About HIPAA & Access to a Relative’s Health Information (Better Health in Aging)
See FAQ section for examples of information sharing (but not access to medical records) when medically necessary.
Personal representative [for medical records] (HHS)

Finding and Getting Medical Records

Medical records can be in different places. Here are useful tips and advice on retrieving them:

Why Should We Check Our Medical Records, and When?

Why would someone want to take the time to go through their medical record?

Some compelling reasons are:

To spot inaccurate information in our medical records.
To be able to transfer crucial medical information to a new care provider, if we change health insurance, switch doctors, visit a specialist, or change our name. Called continuity of care, this can be life-saving information.
To make a copy of crucial medical information if we are traveling, or away from our care provider in an emergency. Not all EHR systems can communicate directly with each other.
To recall information that came up during medical visits, and to track prescriptions and medical test results. Patients with complex or serious illness often have an especially difficult time keeping track of all the details. As one study of cancer patients pointed out, with open access to their medical records “patients better remember next steps, prepare for future visits, and possibly avert unrealistic expectations.”
To be able to make better lifestyle decisions about our own health by tracking lab tests over time, checking medications (prescription strength and doses), looking at x-rays or other images – and to ask better questions.
To take advantage of health apps (like continuous glucose monitors or heart rate trackers).
To share portions of our medical history as we choose, whether with family members or research studies.
To spot and contest possible racial bias, fat phobia, or other medical prejudice in our records.

What To Do About Errors

Errors are quite common in medical records - an estimated 1 person in 10 who checks their records finds meaningful mistakes. It's wise to pay particular attention to:

- Our medical history. Is it accurately reported? Check that all the visits, tests, procedures, etc. listed actually did happen, and cross-check with billing statements to make sure those were properly billed.

- Provider notes. Check how interactions with us were reported (this is one of the ways that embedded stereotyping or racism can pop up, and alert us to bias in healthcare).

- Be on the lookout for signs in the medical record itself that our medical information was shared (with an employer, drug company, or research study, for example). The flip side of how easy it can be to share electronic medical records is that they’re much more likely to be shared inappropriately and without our consent.

If we find meaningful errors in your medical records, or disagree with statements in your records, we have the right to require corrections.

The first step to resolve these issues is to contact the patient relations group or our health care provider directly. Request they begin the amendment and correction process, and specify which records need to be fixed.
If the medical professional disagrees with the request for corrections, and refuses to make the change, then request how to insert a statement into the medical record that describes what is in error.
If so choose, file a complaint with the federal Health and Human Services offices.
If we find out that information in our medical records was inappropriately shared, there is also a process to file a HIPAA violation complaint.

Bottom line: it can be a challenging process, but we absolutely have the legal right to advocate for ourselves in these situations.

Racial bias: Another reason for patients to get and correct their own medical records (KHN, 9/26/2022)

Medical Records Hacked?

Unfortunately, medical records are very attractive to data thieves. They're a rich source of information for identity theft and their information can go back years. Accurately sharing information is so crucial to hospitals and healthcare systems that they are being targeted by ransomware more and more each year.

If You Suspect a Cybersecurity Breach

Monitor the notices and bills you receive from insurers and providers. Contact them immediately if anything seems suspicious.
If a medical provider requests your Social Security number or other financial details (besides proof of insurance) on intake forms, leave that space blank, and politely push back if they insist.
Ask if the hacked business (or your health plan) offers free credit or identity theft monitoring following a breach, and take it.

If you’re concerned your data has been compromised:

File an identity theft report with the Federal Trade Commission (see link below).
If someone used your name to get medical care, contact every provider who may have been involved and get copies of your medical records. Correct any errors.
Notify your health plan’s fraud department and send a copy of the FTC identity theft report.
File free fraud alerts with major credit reporting agencies (Equifax, Experian, and TransUnion in the U.S.)
If you have a health savings account (HSA) or a flexible spending account (FSA), be sure to change the passwords and monitor those accounts closely as well.

Advice from from Patient Power's What to Do if Your Healthcare Data is Breached. and from Michelle Andrews, quoted in February 29, 2024 KFF article on the Change Healthcare / UnitedHealth ransomware hack.

Image from blogtrepreneur.com/tech, provided under Creative Commons Attribution.

Information Blocking

According to the Cures Act, information blocking is “a practice that interferes with, prevents, or materially discourages access, exchange, or use of electronic health information.” It covers situations where patients cannot access their test results, written notes, diagnoses, drugs administered and prescriptions; or when medical records are not shared with specialists or when switching medical providers. It also applies to electronic health record systems that are so technologically incompatible that information cannot be shared.

If information blocking is suspected, submit a complaint to the U.S. Department of Health & Human Resources website. This video explains that process:

About the Content in This Guide

We believe that being well-informed is key to taking better care of health (our own, and of our loved ones), and empowers us to work more effectively with our health care professionals.

PlaneTree Health Library strives to guide the public to trustworthy, accurate, and free-to-use health and medical information. Links on these webpages have been chosen from authoritative and reputable non-commercial sites (nonprofit organizations, medical specialty groups, or government agencies). All of that information is freely accessible. We never link to advertisements and we avoid infomercials.

Back to the main PlaneTree Health Library website

Disclaimer

While PlaneTree Health Library strives to guide you to reliable, valid, up-to-date information, every person's situation is unique. Be sure to discuss information gathered from these resources with your health care providers to see if it is relevant to your individual situation. Health and medical information accessed through these websites is not intended to substitute for or to replace the advice or instruction of a health care professional.

PlaneTree Health Library is not responsible for the content on web sites accessed from our site. Each originating organization has sole responsibility for its web pages. Our intention is to provide patients, their families, and caregivers with trustworthy information to help them make informed decisions.