Patient data rights

What you're entitled to — and probably weren't told.

Federal law gives every patient powerful rights over their health data. Healthcare data belongs to you — not the systems that store it.


Your complete patient data rights

These aren't suggestions. They're federal law — protected under HIPAA and the 21st Century Cures Act.

The right to access
You can request your complete electronic health record from any covered provider. They must respond within 30 days. Electronic copies are generally free.
HIPAA Privacy Rule · 21st Century Cures Act
The right to understand
You have the right to a plain-language Notice of Privacy Practices and to ask your provider to explain your diagnoses and treatment in language you understand. This isn't a courtesy — it's a right.
HIPAA Privacy Rule
The right to correct
Found an error? Submit a formal amendment request. Providers must respond within 60 days. Even if denied, they must document your disagreement in your record.
HIPAA Privacy Rule · Amendment Rights
The right to share
You decide who sees your data. Authorize sharing with specialists, family, or caregivers — and revoke that authorization at any time. No provider can share your data without your written consent — except for treatment, payment, or operations purposes.
HIPAA Authorization Rules
The right to privacy
You have the right to know who has accessed your record and why. Request an accounting of disclosures and request restrictions on how your information is used or shared.
HIPAA · Accounting of Disclosures
The right to complain — without retaliation
Rights violated? File a complaint with the HHS Office for Civil Rights at no cost. Providers are legally prohibited from retaliating against you. We can help you through every step.
HHS Office for Civil Rights
Step by step

How to request your records

Simpler than most people think — and free for electronic copies.

01
Find your provider's patient portal
Most hospitals and clinics use a portal like MyChart or athenahealth. Log in and look for "Medical Records" or "Request Records." Many portals let you download records immediately at no cost.
02
Submit a formal written request
Contact your provider's Health Information Management department directly. You can send a written request by mail or email — it doesn't have to be on their form.
Tip: Ask for your complete EHR in electronic format (CCD or CCDA file)
03
Specify exactly what you want
Lab results, visit notes, imaging reports, medication lists, diagnoses, immunization records. For electronic records, ask for a Continuity of Care Document (CCD).
04
Know the timeline and your rights
Providers must respond within 30 days. For electronic records, fees must be minimal or free. If they deny your request or miss the deadline, file a complaint with HHS.
05
Get a Direct Secure Address to receive records safely
A Direct Secure Address lets providers send your records directly to you, securely, anytime. See the section below for how to get one.
Myth busting

Top 10 myths about health data

These misconceptions stop patients from claiming rights they already have. Click through to set the record straight.

Common questions

Patient-friendly FAQ

Plain answers to the questions we hear most often.

For electronic copies, providers can only charge a reasonable, cost-based fee — and in many cases cannot charge at all. They cannot profit from providing your records. If charged an unreasonable amount, file a complaint with HHS.
You can still request your records in writing. Send a letter or email to their Health Information Management department. Include your name, date of birth, and what records you want. They must respond within 30 days.
Yes — if you are a legally authorized representative. This includes parents for minor children, individuals with healthcare power of attorney, or legal guardians. Provide documentation of your authorization with your request.
Information blocking is when a covered entity interferes with your access to your electronic health information without a valid reason. Under the 21st Century Cures Act, this is illegal and can result in fines of up to $1 million per violation. Report it to the ONC at HealthIT.gov.
Federal law generally requires covered entities to maintain records for at least 6 years. State requirements vary and may be longer. This is one reason it's important to request and save your own copies — you are the most reliable custodian of your own health history.
You have the right to ask your provider to explain anything in your record in plain language. You can also use the National Library of Medicine's MedlinePlus to look up medical terms. Reach out to us and we'll help connect you with resources.
Generally, no. Most consumer health apps are not covered by HIPAA and can use, share, or sell your data in ways a hospital could not. Always read the privacy policy before sharing health information with any app.

Ready to claim your rights?

Start by requesting your records today. Free, legally protected, and faster than you think.