Under HIPAA, you have the legal right to inspect and obtain copies of your medical records from most healthcare providers.
You realize you need a childhood immunization record, a lab report from five years ago, or surgical notes from a hospital that closed. Maybe you’re changing doctors, applying for disability, or settling an estate. The idea of tracking down old medical records can feel like digging through a filing cabinet in a dark basement — frustrating and slow.
Here’s the good news: you have a legal right to those records. Federal law gives you clear access, and the process is more structured than you might think. This article walks through the key steps, what to do when a practice closes, and how long records are typically kept.
Your Right to Access Medical Records
The HIPAA Privacy Rule grants you the right to inspect, review, and receive a copy of your health and billing records. This right covers nearly any provider or health plan that holds your information — hospitals, clinics, labs, pharmacies, and insurance companies are all included.
Your right applies even if you still owe money for services. A provider cannot withhold your records because of an unpaid bill, though they may charge reasonable fees for copying and mailing. The rule also lets you request that a copy be sent to another person or organization if you authorize it in writing.
Patient rights under HIPAA also include the ability to request corrections to errors in your records and to receive a notice of how your information is used. These protections are outlined in consumer guidance from the Department of Health and Human Services.
Why the Process Feels Confusing
Many people assume obtaining old medical records requires a lawyer or a formal court order. In reality, the process is straightforward once you know the right methods. The confusion often comes from not knowing which request method each provider prefers.
- Patient portal: Many providers offer secure online portals where you can download or request your records instantly. This is often the fastest route.
- Written request by mail, email, or fax: You can send a letter including your name, dates of care, and the specific records you need. Some providers have their own release forms.
- Health or medical record release form: Most practices require a signed form — they may provide it on their website or in office.
- Phone request: Some offices accept verbal requests, but you may still need to sign a release later to confirm your identity.
- Third-party release authorization: If you want records sent to a new doctor or family member, you’ll need to authorize that in writing.
The key is to choose the method your provider accepts and to be specific about what you need. Including date ranges and types of records (lab reports, imaging, visit summaries) helps them process your request faster.
Step-by-Step: How to Request Your Records
A typical medical records request follows a predictable sequence. Start by identifying the correct provider or facility — the one that held your care. Then follow these steps using the method they prefer.
| Step | Action | Tip |
|---|---|---|
| 1 | Contact the provider’s medical records department | Check their website for a release form or portal instructions |
| 2 | Complete and sign the authorization form | Be specific: include dates, record types, and format (paper vs. digital) |
| 3 | Submit the form (online, mail, fax, or in person) | Keep a copy for your records |
| 4 | Wait for processing — up to 30 calendar days per HIPAA | If needed, the provider may request a single 30-day extension |
| 5 | Receive your records (mailed, faxed, or via portal) | Verify the information is complete and accurate |
The federal 30-day rule applies to most requests. However, if you’re requesting records from a military or federal facility, different timelines may apply. For detailed guidance on your specific rights, see the HHS page on HIPAA right to access — it covers exactly which records are included and how to file a complaint if the provider doesn’t comply.
What If the Practice Closed?
A closed practice adds an extra hurdle, but you still have options. The doctor or practice may have stored records with a medical records storage company, transferred them to a new practice, or turned them over to a state medical board.
- Contact the former doctor’s office or practice location — someone still working there may know where the records ended up.
- Check with the state medical board — many boards hold records for a period after a practice closes or can direct you to the entity that acquired them.
- Ask nearby hospitals or health systems — sometimes a larger hospital absorbed the practice’s patient base and records.
- Contact the local health department — they may have information on where the records are stored, especially for public health clinics.
If you’re trying to obtain records from a deceased family member, provide a letter along with a death certificate or proof of executorship. The process is similar, but you’ll need to show you have the legal authority to request the records.
What About Fees and Deadlines?
HIPAA allows providers to charge reasonable fees for copying records. Those fees must be limited to the actual costs — labor, supplies, and postage.
The 30-day response deadline is a federal requirement. That clock starts when the provider receives your signed request. If they need more time, they can request one 30-day extension — but they must notify you in writing. If the deadline passes without response, you may file a complaint with HHS.
Patients also have the right to correct errors in their records. If you find a mistake — a wrong diagnosis, incorrect medication list, or outdated information — you can submit a correction request. Indiana’s guidance on request corrections to records explains how providers handle these corrections and your right to appeal if they deny the request.
| Record Type | Retention Period (approximate) |
|---|---|
| General medical records (adult) | Often 7–10 years, varies by state |
| Pediatric records | Typically kept until the patient turns 18–21, then additional years |
| Medicare Fee-For-Service documentation | At least 6 years from creation or last effective date (whichever is later) |
Electronic health records may be stored longer because they take up less space, but retention policies still vary. It’s worth requesting records as soon as you need them, rather than assuming they’ll always be available.
The Bottom Line
You have a clear legal right to obtain your medical records under HIPAA. The process usually involves contacting the provider, completing a release form, and waiting up to 30 days. If the practice has closed, check with state medical boards or nearby hospitals. Fees are limited to reasonable costs, and you can ask for errors to be corrected.
If a provider refuses to release your records or misses the deadline, you can file a complaint with the Office for Civil Rights at the Department of Health and Human Services. For questions about retention laws in your state or handling estate-related requests, a healthcare attorney or your state medical board is a good resource for specific guidance.
References & Sources
- HHS. “Medical Records” The HIPAA Privacy Rule gives you the right to inspect, review, and receive a copy of your medical records and billing records held by most health care providers and health plans.
- IN. “Privacy and Security of Health Records” The Privacy Rule provides patients with access to their medical records and with other important rights, including the right to request corrections.
Mo Maruf
I created WellFizz to bridge the gap between vague wellness advice and actionable solutions. My mission is simple: to decode the research and give you practical tools you can actually use.
Beyond the data, I am a passionate traveler. I believe that stepping away from the screen to explore new environments is essential for mental clarity and physical vitality.