Ask your doctor or other health care providers for access to your health information. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule gives you, with few exceptions, the right to inspect, review, and receive a copy of your medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule.

A provider cannot deny you a copy of your records because you have not paid for the services you have received. If you request an electronic copy of protected health information, a covered entity is required to provide you with such electronic copy to the extent it is readily producible. Covered entities are permitted to charge reasonable, cost-based fees that cover the cost of copying (including supplies and labor) to provide you with a copy of your protected health information. They cannot, however, charge you a fee for searching for or retrieving your records.

For more information about the HIPAA privacy rule, visit the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.

Learn more about the Privacy and Your Health Information, your Health Information Privacy Rights, and the Right of Access.

Also, you may have additional rights under state law. You can view a report about state medical record access laws at.

Additionally, more and more people are using personal health records (PHRs) to manage their health information and become full partners in the quest for good health. PHRs are different from electronic health records (EHRs). Information in an EHR is typically entered by and accessed by health care providers. A PHR is a record controlled by the individual and may include health information from a variety of sources, including multiple health care providers and the patients themselves.

Electronic PHRs are increasingly being offered to patients through health plans, health care providers, employers, and independent vendors. These tools offer a wide variety of features for obtaining, storing, and understanding health information.

There are two kinds of PHRs:

• Standalone PHRs let patients fill in the information from their own records and memories. The data is stored on the patients’ computers or on the internet. Patients can decide whether to share the information with providers, family members, or anyone else involved in their care. In some cases, information can be downloaded from other sources into the PHR.
• Tethered, Connected PHRs are linked to a specific health care organization's EHR system or a health plan’s information system. The patient accesses the information through a secure portal. Typically, patients can view information such as lab results, immunization history or due dates for certain screenings. When a PHR is connected to the patient’s legal medical record it is protected under the Health Insurance Portability and Accountability Act (HIPPA) Privacy Rule.

The legal protections surrounding PHRs may be different depending on who offers the PHR. For example, PHRs offered by your provider organization or health plan may still be protected by HIPAA. However, web-based PHRs or chat boards offered directly by an entity that does not provide health care may not be covered by HIPAA. You should know that information stored on these PHRs may not receive the same privacy and security protections that HIPAA grants to a patient.