This slideshow offers tips for patients/caregivers on obtaining their health records. Health information management professionals are also encouraged to review and share the information with patients/caregivers in an effort to increase patient engagement.


Here’s a set of facts that should concern providers and patients alike: 27 percent of individuals don’t know they have a HIPAA-protected right to have a copy of any kind of their medical records, and 41 percent say they have never even seen their own health information. Yet, eight in 10 people who view their medical records consider that information useful. According to the GetMyHealthData initiative, 78 percent of people who get copies of their health records have better communication with their doctors.

Sources: Office of the National Coordinator for Health IT (ONC), National Partnership for Women and Families,


In too many cases, patients are prevented from obtaining their records for a variety of factors—often this is because healthcare workers don’t understand patient rights themselves. GetMyHealthData officials have found that requests are frequently denied for the following [inaccurate] reasons: that HIPAA prevents releasing them; that only electronic copies are available; that only paper copies are available; that caregivers aren’t able to request them; that requests must be made in person; the fee is too high; that if you have an unpaid hospital bill you can’t get records.

Sources: GetMyHealthData, ONC,


Actually, patients have broader access to their records than ever before thanks to HIPAA and the wide adoption of electronic health records. These rights include:

  • Following a written request, patients can receive an electronic or paper copy of their records within 30 days of requesting them.
  • Requesting a change if the information on file is incorrect.
  • Only being charged a “reasonable fee,” although they vary by state
  • Ability for patients to designate a “personal representative” to obtain records on their behalf.
  • Request a document explaining who has access to their information and the ways in which their information can be used for other purposes.

Source: ONC,


Fortunately, health information management (HIM) professionals get to play the role of hero in patients’ quests for their own data. While doctors and nurses can print up quick appointment summaries, more elaborate requests go to HIM departments, where federal guidance dictates what providers can release. In its Patient Engagement Playbook, ONC encourages providers to enact automatic patient portal enrollment instead of waiting for patients to sign up after an appointment. To further encourage patient use of their records, ONC also advises providing in-office enrollment capabilities. The chart above highlights problems HIM professionals can help solve.

Source: ONC,


It’s one thing to create a patient portal—but it’s another thing to make them as easy to use as possible. Well-informed patients know what providers owe them. ONC encourages providers and vendors to make portal landing pages accessible to non-English speakers, as well as make text messaging available with languages spoken by providers’ populations. Additionally, there are regulations governing parental access to their child’s patient portals based on the child’s age. For adolescent patients (ages 12 to 17), setting up varied levels of access can be particularly tricky. Adolescents may want to keep their healthcare decisions and medical information private, but laws vary from state to state. The chart above demonstrates how the University of California at San Francisco breaks down its portal access with its vendor.

Sources: ONC,;


Information is power, so it’s important for patients understand how sensitive their medical information is and how it can be misused. HIM professionals should make sure patients understand the basics when it comes to security. For example, patients should be reminded that the hospital is not responsible for patient privacy once the patient sends their health information out by mail or email to another provider. Nor is the provider responsible if the patient uses their information on a mobile application unaffiliated with a provider and their information is compromised.

Source: ONC,