HIPAA Rules for Medical Records: Access, Copies, and Retention Requirements



Kevin Henry

HIPAA

January 29, 2024

6 minutes read

HIPAA sets national standards for how covered entities handle medical records—defining your right to access information, how copies are provided, and how long records must be retained. This guide explains what providers and plans must do, and what you can expect when requesting your health information.

Patient Access to Medical Records

What you can access

You have the right to inspect or obtain copies of your protected health information (PHI) in a provider’s or health plan’s “designated record set.” This typically includes medical and billing records and information stored in Electronic Health Records, but excludes psychotherapy notes and information compiled for legal proceedings.

Who may request access

Covered Entities must verify identity and may accept requests from Authorized Representatives, such as a parent, legal guardian, or personal representative acting for the patient. Their authority must be documented before records are released.

Form, format, and delivery

You may request records in the form and format you prefer, including electronic copies if the PHI is maintained electronically. When feasible, the entity must provide the copy in the requested format or a mutually agreeable alternative and may transmit it securely to you or to a third party you designate in writing.

When access may be limited

HIPAA allows narrow, reviewable denials (for example, when access is reasonably likely to endanger life or physical safety). Even when a denial applies to part of the file, you must be given access to the remainder.

Timeliness of Record Access

Covered Entities must act on your request no later than 30 days after receipt. If they cannot meet that timeframe, they may take one 30-day extension by providing written notice that explains the reason for delay and the new date.

Efficient processes—standard request forms, patient portal fulfillment, and clear points of contact—help ensure you receive records sooner when they are readily available.

Fees for Copies of Medical Records

HIPAA permits charging a Reasonable Cost-Based Fee for copies. The fee may include only: labor for copying (paper or electronic), supplies (such as paper or portable media), postage if mailed, and preparation of a summary or explanation if you agree to receive one.

Fees may not include costs for searching, retrieving, verifying, maintaining systems, or other overhead not tied to the act of copying and transmitting your PHI. Per-page fees are not appropriate for electronic copies of electronic records.

You can ask for an itemized estimate before committing. Providers should publish a simple fee schedule and explain available options so you can choose the lowest-cost method that meets your needs.

Medical Records Retention Period

HIPAA does not set a nationwide retention period for medical records themselves. Instead, it requires Covered Entities and business associates to retain HIPAA-related policies, procedures, and required documentation for six years from the date of creation or last effective date.

Your organization should implement a written Record Retention Policy that aligns with state laws, payer rules, accreditation standards, and clinical needs. Many providers retain adult records for 7–10 years and pediatric records until the age of majority plus additional years, but exact timelines should be defined by policy.


Elements of an effective retention policy

  • Clear retention schedules by record type (clinical notes, imaging, billing, device data, audit logs).
  • Coverage for both paper and Electronic Health Records, backups, and archives.
  • Procedures for legal holds, secure storage, and destruction when retention ends.
  • Documentation of decisions and periodic policy reviews.

State-Specific Retention Requirements

State law is typically the primary driver of medical record retention for providers and facilities. Requirements vary by record type, care setting, and patient age, and some states impose longer periods for specialties such as oncology, obstetrics, or mental health.

Identify applicable statutes and board rules, reconcile conflicts by choosing the longest applicable period, and document the rationale in your Record Retention Policy. Reassess annually to capture legislative or regulatory changes.

Security and Confidentiality of Records

HIPAA’s Privacy Rule protects confidentiality, and the Security Rule requires Administrative Safeguards, Physical Safeguards, and Technical Safeguards for electronic PHI. Your safeguards must be risk-based and documented.

Administrative Safeguards

Physical Safeguards

  • Facility access controls, visitor management, and secure record storage.
  • Device and media controls for workstations, laptops, removable media, and servers.
  • Environmental protections (e.g., fire suppression, water damage prevention) for archives.

Technical safeguards (for ePHI)

  • Unique user IDs, strong authentication, and session timeouts.
  • Encryption in transit and at rest where reasonable and appropriate.
  • Audit logging, alerting, and periodic access review.
  • Integrity controls and secure configuration baselines for Electronic Health Records and connected systems.

Disposal of Medical Records

When retention ends, records must be destroyed in a way that renders PHI unreadable and ensures it cannot be reconstructed. Paper may be cross-cut shredded, pulped, or incinerated; electronic media should be cleared, purged, or destroyed following industry-standard sanitization methods before reuse or disposal.

Use vetted destruction vendors under appropriate agreements, control the chain of custody, and keep certificates or logs that document date, method, volume, and authorization of destruction. Train staff on disposal procedures and verify that routine device refreshes include secure media handling.

FAQs

What rights do patients have to access their medical records?

You may inspect or obtain a copy of your PHI in the provider’s or plan’s designated record set, including clinical and billing information. You can request a specific form and format, receive an electronic copy if records are electronic, and direct a copy to another person. Limited exceptions apply, such as psychotherapy notes or information prepared for litigation.

How long do covered entities have to provide access to medical records?

They must act on your request within 30 days of receipt. If they need more time, they may take one additional 30-day extension by sending you a written notice explaining the reason and the new deadline.

Are fees allowed for copying medical records under HIPAA?

Yes. Providers may charge a Reasonable Cost-Based Fee that covers only the labor to copy, the supplies used, postage if mailed, and any agreed-upon summary. They may not charge for search, retrieval, or general administrative overhead unrelated to making and transmitting the copy.
