The average American with a chronic condition has records spread across five or more healthcare organizations. Anyone who’s lived in more than one city has a worse version of the problem: practices that have switched EHR systems, been acquired, or closed entirely, with records sitting in places most patients can’t easily reach. Knowing how to get a patient’s complete health record in 2026 still requires navigating a patchwork of patient portals, fax-based release of information offices, and federal rights most patients don’t know they have.
What changed is the regulatory floor. The ONC Information Blocking Rule applicability date was April 5, 2021. The full electronic health information scope, matching the HIPAA designated record set, took effect October 6, 2022. USCDI v3 has been the certified-EHR baseline since January 1, 2026, under the HTI-1 final rule. TEFCA QHIN coverage has grown alongside all of it. More patient data is reachable electronically today than at any prior point in US healthcare. The map for getting it is what’s still missing online.
This guide covers both paths. For patients and caregivers (including anyone preparing for a second opinion or a new specialist), what actually works using federal rights and free tools. For builders shipping patient-facing record access apps, the technical stack: SMART on FHIR endpoints, USCDI v3 data classes, the QHIN landscape, and where the trust layer is still maturing.
How Do You Get a Patient’s Complete Health Record in 2026?
Work in five sequential moves. Build a complete provider list from insurance EOBs and Blue Button 2.0 claims, then pull records from patient portals first. File HIPAA requests for what portals miss, layer in Apple Health Records or CommonHealth via SMART on FHIR, and request DICOM imaging files separately from radiology.
Key Takeaways:
- HIPAA and the Cures Act give patients more leverage than they typically use. OCR fines providers six figures for delayed Right of Access fulfillment, and personal-representative denials are an active enforcement priority.
- The path to a complete record is five steps in order. Build the provider list, work the portals, file HIPAA requests for the gaps, layer in Apple Health Records or CommonHealth, and pull DICOM imaging separately.
- The builder stack has three layers, and the trust layer is the volatile one. Direct EHR endpoints via SMART on FHIR, HINs and QHINs for the long tail, HIPAA-compliant infrastructure underneath. Ongoing 2025–2026 litigation is reshaping aggregator due diligence.
Table of Contents
- What Counts as a “Complete” Health Record, and Why Assembling One Is Harder Than It Sounds
- HIPAA and the Cures Act Give You More Rights to Your Health Records Than Most Patients Use
- How to Request Medical Records from Every Provider Type, Step by Step
- Why Your Records Still Look Incomplete, Even with Federal Mandates
- The Builder’s Stack for Automated Patient Record Retrieval in 2026
- How Topflight Can Help
What Counts as a “Complete” Health Record, and Why Assembling One Is Harder Than It Sounds
A complete health record covers your full clinical history across every encounter, every provider, and every system that’s touched your care. In HIPAA terms, that’s your designated record set, the records used to make decisions about your treatment. In practice, it means:
- Active problem list and full diagnosis history
- Medication list, both current and historical
- Allergy and intolerance list
- Immunization records
- Lab results and pathology reports
- Imaging reports, plus the DICOM image files themselves where available
- Clinical notes: visit notes, specialist notes, discharge summaries, procedure notes
- Vital signs history
- Social and family history
Most patients don’t think to ask for all of it because most patients don’t realize all of it exists.
That history almost never lives in one place. Take a patient who, in five years, sees a primary care physician on Athenahealth, a cardiologist on Epic, has a hospital admission at a system running Oracle Health (formerly Cerner), and shows up at urgent care on a different Epic instance. Four EHR systems, no automatic connections between them. Add a couple of moves between cities, an in-network change, or a practice acquisition, and the count climbs. The data exists. It just doesn’t move on its own.
The legal architecture around all of this rests on three pieces. HIPAA’s Right of Access gives you a copy of your designated record set, with a 30-day response requirement. The 21st Century Cures Act expanded that right to electronic access via standardized FHIR APIs whenever the records holder uses certified health IT. The ONC Information Blocking Rule prohibits providers, EHR developers, and health information networks from interfering with that access. Section 3 covers all three.
USCDI v3 is the technical baseline for what “complete” means in 2026. It’s the federally mandated minimum dataset that certified electronic health record (EHR) systems must expose, around 20 data classes covering most of the list above. USCDI v3 has been the certification baseline since January 1, 2026, under HTI-1. What’s not in it: DICOM imaging files, full free-text notes from non-USCDI encounter types, and anything from providers running non-certified EHRs. Complete health record access, in the technical sense, means USCDI v3 conformant data plus everything outside it that you have to chase down separately.
HIPAA and the Cures Act Give You More Rights to Your Health Records Than Most Patients Use
HIPAA gives you the right to your records. The Cures Act makes it electronic. The ONC Information Blocking Rule and OCR enforcement put teeth behind both. OCR keeps fining providers who can’t fulfill basic Right of Access requests, sometimes after delays of more than a year, which is part of why serious HIPAA compliant software development for patient-facing tools now bakes timely-fulfillment audit trails into the workflow. If your starting question is “how to access all my medical records,” the answer is in four parts: what you can ask for, when, and in what format; how electronic access works; on whose behalf you can ask; and what providers can legitimately refuse.
HIPAA Right of Access
Any HIPAA covered entity has 30 days to respond to a written request for records in your designated record set, with one 30-day extension allowed if they notify you in writing. The maximum is 60 days. The 30-day response requirement applies whether you’re asking for paper, PDF, or a FHIR-formatted electronic copy. You don’t have to give a reason, and you can specify electronic format if the covered entity is technically capable.
The Patient Rate has three legitimate calculation options: a reasonable cost-based fee tied to actual labor and supplies, an average labor schedule, or a flat fee not exceeding $6.50 for electronic copies of records already stored in an EHR. The $6.50 is a safe harbor, not a ceiling on what’s reasonable. State laws sometimes set stricter limits.
One important carve-out from Ciox Health v. Azar (January 2020): the Patient Rate cap applies to your own access. It does not apply when you direct a covered entity to send your records to a lawyer or an insurer.
OCR enforces this, and the dollar amounts have not been small. Concentra paid $112,500 in December 2025 after taking 13 months and six patient follow-ups to fulfill a single request. American Medical Response paid $115,200 in August 2024 over a 370-day delay. The HIPAA Right of Access Initiative has been running since 2019 with no sign of slowing.
21st Century Cures Act, Electronic Access Without Delay
The Cures Act made electronic health record access via FHIR APIs the legally required default for certified EHRs. Patients can use third-party apps to pull records without ever logging into a provider portal.
The mechanics: the ONC Information Blocking Rule became applicable April 5, 2021, with full electronic health information (EHI) scope, matching the HIPAA designated record set, effective October 6, 2022. The rule covers three categories of actors:
- EHR developers
- health information networks and exchanges (HINs and HIEs)
- healthcare providers
The first two face OIG civil monetary penalties up to $1M per violation. Provider disincentives, finalized by CMS in 2024, work through Medicare reimbursement programs.
What this gets you in practice is a patient-facing FHIR API exposed by every major certified EHR. Apple Health Records, CommonHealth, and any other SMART on FHIR app can authenticate against that API with your OAuth consent and pull your data directly. No paper request, no fax, no portal screenshot.
The HTI-1 final rule, effective January 15, 2025, raised the technical floor: USCDI v3 became the certified-EHR data baseline on January 1, 2026, and SMART App Launch v2 replaced v1 as the required authorization standard. Anything operating on the older spec stops counting as compliant.
How Caregivers and Personal Representatives Can Request Records
Personal representative status under HIPAA is governed by state law. Whoever state law authorizes to make health care decisions for an individual can request that individual’s records, with the same scope of access the patient would have.
For minors, parents are usually the personal representative. The exceptions are narrow: a minor who has consented to their own care under state law (mental health, substance use, sexual or reproductive health), care directed by a court, or a documented confidentiality agreement between provider and parent. State law and provider-specific protocols matter.
For deceased patients, the executor, administrator, or other estate representative authorized under state law has access. HIPAA stops applying 50 years after death.
A signed HIPAA authorization is not the same thing. An authorization lets a third party receive specific PHI for a specific purpose. The third party doesn’t “stand in the shoes of” the patient. Personal representative status does.
OCR has been treating personal representative denials as enforcement priorities. Hackensack Meridian Health paid $100,000 in April 2024 after denying a personal representative’s records request. OHSU paid $200,000 in March 2025 over a timely-access failure. In December 2025, OCR sent a letter to covered entities explicitly designating parental access to minor children’s records as an enforcement focus. The leverage is real if you’ve been denied as a parent, executor, or court-appointed guardian.
What Providers Can Legitimately Withhold
Denials are allowed only on narrow grounds. HIPAA splits them into two categories: unreviewable and reviewable.
Unreviewable denials, where there is no internal appeal:
- Psychotherapy notes, meaning the therapist’s process notes kept separate from the clinical record. The clinical record itself remains accessible.
- Records compiled in reasonable anticipation of legal proceedings.
- Certain narrow inmate-safety grounds.
- Specific research-during-study denials, where the patient agreed to suspension as a study condition.
- PHI not in the designated record set.
Reviewable denials, where you have a right to internal review:
- Life or physical safety endangerment to you or another person.
- Substantial harm to a person (other than a healthcare provider) referenced in the PHI.
- Substantial harm to you or another via your personal representative.
The reviewer is a licensed healthcare professional designated by the covered entity who did not take part in the original decision. You don’t get to pick the reviewer.
The “harm” standard is narrowly construed. Emotional or psychological discomfort doesn’t qualify. The mere possibility of harm doesn’t qualify. The provider needs a specific, articulable basis. Any records request denial must be in writing, including a description of your appeal rights and how to file a complaint with HHS OCR. If the denial looks improper, the OCR complaint is the next move.
How to Request Medical Records from Every Provider Type, Step by Step
If you’re trying to work out how to get all medical records together in one place, there’s no single button. The path is a sequence of five moves: build the provider list, work the portals, file HIPAA requests for the gaps, layer in an aggregator app, and pull imaging separately. Skipping any one of them leaves a hole somewhere. The order matters because portals are free and instant, HIPAA requests cost time and sometimes money, and DICOM is its own track.
Step 1. Make a List of All Your Providers
Start by listing everyone who has touched your care. Categories that matter:
- Primary care
- Specialists (every one, including the ones you only saw a couple of times years ago)
- Hospitals, including inpatient stays, outpatient procedures, and ED visits
- Labs: Quest, LabCorp, and any hospital lab a provider sent you to
- Imaging centers
- Urgent care
- Behavioral health and substance use providers
- Pharmacies
Most people forget at least three providers on the first pass. Three discovery tools surface the rest.
Insurance EOB statements (Explanation of Benefits) list every billed provider. Pull at least the past five years from your insurer’s member portal. Tax records covering medical deductions surface providers who didn’t go through insurance. Behavioral health and substance use care paid out of pocket often won’t show up in either source, so note those separately as you build the list.
Blue Button 2.0 at MyMedicare.gov gives Medicare beneficiaries a claims-derived provider list, which is functionally a complete map of who’s billed Medicare on your behalf. Non-Medicare adults have a parallel path that fewer patients use: most commercial insurers offer an EOB or claims history feed in their member portal that does the same job. Pull it.
If you’re preparing a specialist referral or assembling records for a second opinion, this list is the first deliverable anyway. Build it once, reuse it across every other step in this section.
Step 2. Use Patient Portals First, Because They’re the Fastest Path
Most major-EHR portals let you download your records as a CCDA (Continuity of Care Document) or PDF without filing a formal records request. This is the cheapest, fastest channel and should always be the first move.
The big portals to know:
- MyChart on Epic
- The Oracle Health patient portal (HealtheLife and successors)
- Athenahealth’s patient portal
- Smaller-vendor portals at independent practices
Most patients only know the practice-specific name they log into. The actual EHR underneath determines what’s exportable. On MyChart, the export sits under “Document Center” or “Health Summary” depending on the system’s configuration; the result is a CCDA file that any aggregator app or new provider can ingest.
Where this stops working: records older than the portal itself, smaller practices on non-certified EHR software, and records from practices that have changed EHR systems. Migrations frequently break the patient-facing portal even when the data is technically still on file with the new system. Anything that doesn’t appear in your portal becomes a HIPAA request.
Step 3. Submit a HIPAA Records Request for the Gaps
For records the portal doesn’t have, file a written HIPAA request. The mechanics are the same across most large health systems.
A complete HIPAA medical records request includes:
- Patient identification (full legal name, DOB, dates of treatment)
- Specific records sought (date range, record types, departments)
- Format requested (electronic preferred)
- Delivery destination (encrypted email, secure download link, or third-party app)
- Photo ID copy
Most large systems route these through an online ROI form (release of information) under “Medical Records” in the patient portal. Smaller practices may use a paper records release form that you fill in and fax or scan back. Either format works. What matters is that the request is in writing and dated.
Two practical tips. First, ask for electronic delivery rather than paper. It’s faster, cheaper (the $6.50 safe harbor only applies to electronic copies), and easier to feed into anything else you’re doing with the records. Second, be specific. A request for “all my records since 2018” is harder for the ROI department to process than “all clinical notes, lab results, and imaging reports between January 2018 and present.”
Knowing how to request medical records this way is mostly about being precise. The 30-day clock starts when the request is received, and OCR has the enforcement track record to make it stick.
Step 4. Use a Health Record Aggregator App
Aggregator apps pull your records directly from any Cures Act-compliant EHR via SMART on FHIR, with no records request needed. They’re the fastest path to medical records consolidation in 2026. Two free, well-supported options cover most patients.
Apple Health Records lives in iOS’s HealthKit framework, exposed through the Health app. It authenticates against participating organizations’ FHIR endpoints, pulls records into your iPhone, and stores them locally on the device. Connection is per-organization: you authorize each provider once, and records flow in automatically after that.
CommonHealth (Android), built by The Commons Project nonprofit, does the same job on Android and adds support for SMART Health Cards (the verifiable vaccine and lab record format). Free, encrypted on-device storage, FHIR export.
Coverage in 2026 is wide but not universal. Most major Epic, Oracle Health, and Athenahealth deployments are connected. Smaller systems and specialty platforms are hit-or-miss. Check Apple’s and CommonHealth’s own provider directories before making either app your primary tool, because the lists move quarterly.
Aggregator coverage is also widening through TEFCA. The QHIN ecosystem (eHealth Exchange, Surescripts, Health Gorilla, CommonWell, and Oracle Health Information Network, designated as the 11th QHIN in October 2025, among others) gives aggregator apps a path beyond direct EHR endpoints, even where a portal doesn’t exist. Medicare beneficiaries can layer Blue Button 2.0 on top for claims history. The combined output is a portable personal health record you can carry between providers and into any new clinical relationship.
Step 5. Request Imaging Files Separately
Radiology images are stored as DICOM files in a separate system from the clinical record. The radiologist’s report (the interpretation) comes with a standard records request. The images themselves don’t, and they don’t transmit via FHIR. They’re a separate request to the imaging center or hospital radiology department.
Most providers will deliver DICOM either as a CD/USB or, increasingly, a download link with a one-time access token. Ask for the digital option if it’s available; CDs have a half-life problem.
DICOM viewers worth knowing in 2026:
- Mac: Horos. Free, open-source, actively maintained. Apple Silicon native since v4.0.1.
- Windows: MicroDICOM (free for personal use) or Weasis (cross-platform open-source).
- Web: OHIF Viewer or PostDICOM if you want to view from any device without installing.
- Paid: RadiAnt is now trial-only or paid; worth considering only if you need its specific feature set.
A note on what the imaging report actually contains. The report is the radiologist’s clinical interpretation: findings, impressions, recommendations. That’s what’s part of your medical record and ends up in any care summary your providers exchange. The images are the underlying data. For a second opinion, the new specialist often wants both. Ask for both.
Why Your Records Still Look Incomplete, Even with Federal Mandates
Federal mandates didn’t make records magically complete. Even with the Cures Act, USCDI, and TEFCA running, eight failure modes still produce missing data when patients try to get medical records from multiple doctors. Naming them is what separates honest guides from marketing posts.
- Small and solo practices. Practices running non-certified EHR software or still on paper. The Cures Act applies to certified health IT. Practices outside that scope don’t have to expose anything via FHIR, and many don’t.
- Behavioral health and substance use providers. Many use specialty platforms with limited FHIR support, and substance use records are governed separately by 42 CFR Part 2 confidentiality rules that override default sharing. Expect to file ROI requests by hand.
- Legacy records from before 2015. Records that predate widespread EHR adoption are often paper-only and require physical ROI requests, in-person scanning, or a working fax line. The Cures Act doesn’t reach back through time.
- Closed practices. When a provider retires or a practice shuts down, records may transfer to a storage vendor, the state health department, or another practice that absorbed the patient panel. Locating them usually starts with the state medical board.
- Radiology images vs. reports. The radiologist’s report is part of the clinical record. The DICOM images are not, and they don’t move through FHIR. Treat imaging as a separate retrieval track even when the rest of the record arrives clean.
- Out-of-country records. No US federal interoperability mandate applies to international providers. Retrieval is manual: direct contact with the foreign provider, translation overhead, sometimes the destination country’s data protection regime, and almost never electronic in any standardized format.
- Inconsistent patient matching. No nationwide patient identifier exists in the US. Mismatches in name spelling, DOB formats, or address history break record linkage even when the data is reachable. It’s also the single most common reason a chronic disease management app build hits its first data-quality wall.
- Trust gaps in the aggregator and QHIN ecosystem. 2025–2026 brought ongoing litigation. Particle Health’s antitrust case against Epic survived a motion to dismiss in September 2025. In January 2026, Epic, OCHIN, Reid Health, Trinity Health, and UMass Memorial Health sued Health Gorilla and several customers over alleged record misuse. Both cases ongoing. The infrastructure works; the trust layer is still maturing.
Anything on this list that’s a runtime problem rather than a paperwork problem becomes the builder’s job. The next section is the stack.
The Builder’s Stack for Automated Patient Record Retrieval in 2026
The patient access stack in 2026 has three layers. Direct EHR endpoints via SMART on FHIR for the major platforms. Health information networks and TEFCA QHINs for the long tail. HIPAA-compliant infrastructure underneath all of it. Anything that doesn’t account for all three is going to leak data on the patients who need the records most: chronic-condition patients with provider lists scattered across both major-EHR practices and small specialty clinics.
SMART on FHIR Patient Access, the Core Standard
Any patient-facing app can request a patient’s data at a USCDI v3-compliant FHIR R4 endpoint, exposed as a patient access API, with the patient’s OAuth 2.0 consent. The two regulations that put this in place are the CMS Interoperability and Patient Access Final Rule (for payers, often called the patient access rule) and the ONC 21st Century Cures Rule (for EHR developers).
The authorization standard is SMART on FHIR, with SMART App Launch v2 the required baseline since January 1, 2026 under HTI-1. OAuth 2.0 authorization code flow handles patient consent. The minimum HL7 FHIR R4 resources to query are Patient, Condition, AllergyIntolerance, Medication, MedicationRequest, Observation, Immunization, DiagnosticReport, and DocumentReference.
This is the layer our guide on how to integrate with Epic EHR covers in detail. Anything wrapping AI on top, like AI-driven EHR summarization or agentic retrieval, sits on this same standard.
Bulk FHIR ($export) is the population-level B2B counterpart for care management and research. Not patient-facing; out of scope here.
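As an added illustration of the SMART App Launch v2 mechanics described above (example code written for this post, not Epic, Oracle Health, Athenahealth or Topflight code), the client side of a standalone launch in Python: the smart-configuration checks, PKCE, the authorization request with `aud`, callback validation, and the per-resource queries. The endpoint URLs, client id, redirect URI and token response are constructed placeholders, and no network calls are made.

```python
"""SMART App Launch v2 standalone launch for a patient-access app (added example).
Client-side logic only, no network calls. The SMART configuration document,
client id, redirect URI and token response are constructed sample values."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# SMART v2 scope syntax is patient/<Resource>.<cruds>; ".rs" means read + search.
# The resource list is the minimum set named on this page.
PATIENT_ACCESS_SCOPES = [
    "openid", "fhirUser", "launch/patient", "offline_access", "patient/Patient.rs",
    "patient/Condition.rs", "patient/AllergyIntolerance.rs", "patient/Medication.rs",
    "patient/MedicationRequest.rs", "patient/Observation.rs", "patient/Immunization.rs",
    "patient/DiagnosticReport.rs", "patient/DocumentReference.rs",
]

# Constructed sample of {fhir_base}/.well-known/smart-configuration from a v2 server.
SAMPLE_CONFIG = {
    "authorization_endpoint": "https://ehr.example.org/oauth2/authorize",
    "token_endpoint": "https://ehr.example.org/oauth2/token",
    "grant_types_supported": ["authorization_code"],
    "code_challenge_methods_supported": ["S256"],
}


def pkce_pair(verifier=None):
    """Return (code_verifier, S256 code_challenge) as defined in RFC 7636."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check_smart_config(config):
    """List what rules a server out for a SMART v2 public client; empty means usable."""
    problems = [f"missing {k}" for k in ("authorization_endpoint", "token_endpoint")
                if k not in config]
    if "S256" not in config.get("code_challenge_methods_supported", []):
        problems.append("S256 PKCE not advertised; SMART App Launch v2 requires it")
    if "authorization_code" not in config.get("grant_types_supported", []):
        problems.append("authorization_code grant not advertised")
    return problems


def build_authorize_url(config, client_id, redirect_uri, fhir_base, state, code_challenge):
    """Authorization request; `aud` must equal the FHIR base URL the token is for."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": " ".join(PATIENT_ACCESS_SCOPES), "state": state, "aud": fhir_base,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return config["authorization_endpoint"] + "?" + urlencode(params)


def validate_callback(redirect_url, expected_state):
    """Parse the redirect back to the app: state must match, any error aborts."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error']}")
    return q["code"]


def token_request_body(code, client_id, redirect_uri, code_verifier):
    """Form body for the token exchange; public client, so PKCE instead of a secret."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "code_verifier": code_verifier}


def patient_queries(token_response, fhir_base):
    """Resource URLs to pull, scoped to the patient id returned with the token."""
    pid = token_response["patient"]
    urls = {"Patient": f"{fhir_base}/Patient/{pid}",
            "MedicationRequest": f"{fhir_base}/MedicationRequest?patient={pid}"
                                 "&_include=MedicationRequest:medication"}
    for rt in ("Condition", "AllergyIntolerance", "Observation", "Immunization",
               "DiagnosticReport", "DocumentReference"):
        urls[rt] = f"{fhir_base}/{rt}?patient={pid}"
    return urls


def demo(client_id="my-app", redirect_uri="https://app.example/cb",
         fhir_base="https://ehr.example.org/fhir"):
    """Walk the flow against the constructed server; returns token body and query URLs."""
    if check_smart_config(SAMPLE_CONFIG):
        raise RuntimeError("server cannot do SMART v2")
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    browser_url = build_authorize_url(SAMPLE_CONFIG, client_id, redirect_uri,
                                      fhir_base, state, challenge)
    # The user authorizes at browser_url; the EHR then redirects back with code and state.
    code = validate_callback(f"{redirect_uri}?code=abc123&state={state}", state)
    body = token_request_body(code, client_id, redirect_uri, verifier)  # POST to token_endpoint
    # Constructed token response standing in for what the token endpoint would return.
    token = {"access_token": "<opaque>", "token_type": "Bearer", "patient": "p-42"}
    return {"token_request": body, "queries": patient_queries(token, fhir_base)}
```

The `aud` parameter and the `state` check are the two things most often skipped in quick integrations; the first stops a token minted for one FHIR server being replayed against another, the second stops a callback from a different session being accepted.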
USCDI v3, What Data You Can Actually Get
USCDI v3 has been the federally mandated baseline for certified EHRs since January 1, 2026. The required data classes:
- Allergies and intolerances
- Assessment and plan of treatment
- Care team members
- Clinical notes (8 types including consultation notes, discharge summaries, progress notes)
- Goals, health concerns
- Immunizations, medications
- Patient demographics
- Problems, procedures, smoking status
- Unique device identifiers (UDIs)
- Vital signs, laboratory results
- Patient-reported assessment findings
For any patient health record retrieval workflow at scale, USCDI v3 is the ceiling of what you can rely on getting over FHIR. Anything beyond it requires non-FHIR retrieval. The UDI class is the medical device integration hook, paired with the Observation resource for device-generated readings.
What’s not in v3: DICOM imaging files, full free-text notes from non-USCDI encounter types, behavioral health notes, and anything from providers not running certified EHRs.
USCDI v4 is published, and USCDI v3.1 sits in the December 2025 ASTP/ONC deregulatory NPRM. v3 remains the current cert baseline.
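An added example (not the project's code) of the gap check a retrieval pipeline should run on every pull: it walks a patient-access FHIR R4 Bundle and reports which of the data classes listed above are present, which are missing, and which items the page says never arrive over FHIR at all. The mapping of each class to a FHIR resource or category code follows US Core profile conventions and is an assumption, not a normative table; the Bundle is constructed sample data.

```python
"""USCDI v3 coverage check over a patient-access FHIR R4 Bundle (added example).
The class-to-resource mapping is assumed (US Core conventions), not normative."""

LOINC = "http://loinc.org"


def _has_category(res, code):
    """True if any category coding on the resource carries `code`."""
    return any(c.get("code") == code
               for cat in res.get("category", []) for c in cat.get("coding", []))


def _has_code(res, system, code):
    """True if the resource's main `code` carries the given system/code pair."""
    return any(c.get("system") == system and c.get("code") == code
               for c in res.get("code", {}).get("coding", []))


def _is(*types):
    return lambda r: r.get("resourceType") in types


def _typed(rtype, pred):
    return lambda r: r.get("resourceType") == rtype and pred(r)


# One predicate per data class this page lists (assumed mapping, see docstring).
USCDI_V3_CHECKS = {
    "Allergies and intolerances": _is("AllergyIntolerance"),
    "Assessment and plan of treatment": _is("CarePlan"),
    "Care team members": _is("CareTeam"),
    "Clinical notes": _is("DocumentReference"),
    "Goals": _is("Goal"),
    "Health concerns": _typed("Condition", lambda r: _has_category(r, "health-concern")),
    "Immunizations": _is("Immunization"),
    "Medications": _is("MedicationRequest", "Medication"),
    "Patient demographics": _is("Patient"),
    "Problems": _typed("Condition", lambda r: _has_category(r, "problem-list-item")),
    "Procedures": _is("Procedure"),
    "Smoking status": _typed("Observation", lambda r: _has_code(r, LOINC, "72166-2")),
    "Unique device identifiers (UDIs)": _typed("Device", lambda r: bool(r.get("udiCarrier"))),
    "Vital signs": _typed("Observation", lambda r: _has_category(r, "vital-signs")),
    "Laboratory results": _typed("Observation", lambda r: _has_category(r, "laboratory")),
    "Patient-reported assessment findings": _typed("Observation", lambda r: _has_category(r, "survey")),
}

# Never reachable through the patient-access API; a coverage report should say so.
OUTSIDE_FHIR = ("DICOM image files", "full free-text notes from non-USCDI encounter types",
                "behavioral health notes", "records held on non-certified EHRs")


def uscdi_coverage(bundle):
    """Return (present, missing) USCDI v3 class names for a searchset/collection Bundle."""
    resources = [e.get("resource", {}) for e in bundle.get("entry", [])]
    present = [n for n, pred in USCDI_V3_CHECKS.items() if any(pred(r) for r in resources)]
    missing = [n for n in USCDI_V3_CHECKS if n not in present]
    return present, missing


# Constructed sample: what one patient-access pull might return for a thin chart.
SAMPLE_BUNDLE = {
    "resourceType": "Bundle", "type": "collection",
    "entry": [
        {"resource": {"resourceType": "Patient", "id": "p-42", "name": [{"family": "Doe"}]}},
        {"resource": {"resourceType": "Condition", "subject": {"reference": "Patient/p-42"},
                      "category": [{"coding": [{"code": "problem-list-item"}]}],
                      "code": {"text": "Type 2 diabetes mellitus"}}},
        {"resource": {"resourceType": "Observation", "status": "final",
                      "category": [{"coding": [{"code": "vital-signs"}]}],
                      "code": {"coding": [{"system": LOINC, "code": "8867-4"}]},
                      "valueQuantity": {"value": 72, "unit": "/min"}}},
        {"resource": {"resourceType": "Observation", "status": "final",
                      "code": {"coding": [{"system": LOINC, "code": "72166-2"}]},
                      "valueCodeableConcept": {"text": "Never smoker"}}},
        {"resource": {"resourceType": "AllergyIntolerance", "code": {"text": "Penicillin"}}},
        {"resource": {"resourceType": "DocumentReference", "status": "current",
                      "type": {"coding": [{"system": LOINC, "code": "11506-3"}]}}},
    ],
}


def report(bundle=SAMPLE_BUNDLE):
    """Human-readable summary: covered count, missing classes, and non-FHIR items."""
    present, missing = uscdi_coverage(bundle)
    lines = [f"covered {len(present)}/{len(USCDI_V3_CHECKS)} USCDI v3 classes"]
    lines += [f"  missing: {m}" for m in missing]
    lines += [f"  outside FHIR, separate request: {o}" for o in OUTSIDE_FHIR]
    return "\n".join(lines)
```

A missing class is not proof of information blocking; an empty problem list or no implanted device is a valid result, so the report is a prompt for a HIPAA request or a second source, not an automated complaint.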
Health Information Networks: Carequality, CommonWell, TEFCA
Direct EHR endpoints handle the major platforms (Epic, Oracle Health, Athenahealth). Health information networks and TEFCA QHINs cover the long tail.
Carequality and CommonWell run query-based exchange across participating providers. CommonWell is now a designated QHIN. The current QHIN list as of 2026 includes eHealth Exchange, Surescripts Health Information Network, Health Gorilla, CommonWell, and Oracle Health Information Network, designated October 2025 as the 11th QHIN.
API aggregators Health Gorilla and Particle Health expose developer-friendly APIs that abstract HIN connectivity, reducing integration burden. For care coordination use cases, like a remote patient monitoring app ingesting data across many provider systems, aggregator-fronted patient data access is often the only practical path.
Honest tradeoff for 2026: aggregator selection has trust and litigation implications. Particle Health’s antitrust case against Epic survived a motion to dismiss in September 2025. Epic plus OCHIN, Reid Health, Trinity Health, and UMass Memorial Health sued Health Gorilla and several customers in January 2026. Both ongoing. The practical implication for builders is to do real due diligence on chain of custody and customer screening before integrating, especially for treatment-purpose access. QHIN designation alone doesn’t screen out misuse.
HIPAA and Consent Requirements for Builder Apps
Any patient-facing app receiving PHI from a covered entity is almost always a HIPAA business associate. The BAA chain has to include every EHR, network, aggregator, and subprocessor that touches PHI. The infrastructure has to be HIPAA-compliant end to end. The privacy policy has to actually describe what the app does with the data. Mismatches between policy and practice have become an enforcement focus.
This is the layer that distinguishes HIPAA compliant app development from generic mobile work. Get the architecture wrong here and the cost is paid in audit prep two years later.
One architectural escape hatch: on-device-only apps. The Apple Health Records pattern, where the covered entity sends data to the patient’s device and the app never operates a server-side PHI store, sidesteps the BAA chain because the developer isn’t acting as a business associate. Any server-side storage or processing puts you back in the chain.
For products layering AI on top of this stack (LLM-based summarization, agentic retrieval, clinical-decision support), the AI in healthcare compliance overlay is its own distinct work.
How Topflight Can Help
This guide pulled from both sides of the same problem. We’ve spent the better part of a decade building HIPAA-compliant healthcare apps at Topflight, which means we’ve watched record fragmentation from the patient experience down through the FHIR endpoint and the BAA chain underneath. Most agencies pick one side. The dual perspective is the wedge: our patient-facing work knows where the data actually goes, and our integration work knows what patients actually need.
What we ship for builders working in this space:
- SMART on FHIR patient access apps: OAuth 2.0 consent flows, FHIR R4 resource queries, USCDI v3 data mapping.
- Health information network integration: Carequality, CommonWell, Health Gorilla, and Particle Health, with diligence on the chain-of-custody questions raised earlier in this post.
- TEFCA QHIN connectivity planning: evaluating which QHIN to connect through and what that means for coverage of your patient population.
- HIPAA-compliant architecture: BAA chain management, PHI storage and transmission, privacy policy that holds up under enforcement scrutiny.
- EHR-specific integrations: Epic MyChart, Oracle Health, and Athenahealth SMART on FHIR app registration and certification.
Building a patient-facing health record access app, or adding record retrieval to an existing clinical platform? Talk to us. If complete medical history access is what your product needs to deliver across multi-provider and care coordination workflows, that’s the work we do.
Frequently Asked Questions
Can I Get All My Medical Records in One Place?
Not in one click. Patient portals, plus an aggregator app like Apple Health Records or CommonHealth, plus HIPAA requests for the gaps, gets you most of the way.
How Long Does It Take to Get Medical Records?
HIPAA gives covered entities 30 days to respond, with one 30-day extension if they notify you in writing. Maximum total: 60 days.
Can a Doctor Refuse to Give Me My Medical Records?
Only on narrow grounds. Psychotherapy notes and records compiled for legal proceedings are unreviewable denials. Safety-based denials are reviewable by an independent professional.
Do I Have the Right to My Medical Records Under HIPAA?
Yes. HIPAA’s Right of Access gives you the right to inspect and copy records in your designated record set, within 30 days of a written request.
What Is the 21st Century Cures Act and What Does It Mean for Patient Records?
A federal law that, since April 2021, prohibits information blocking and requires certified EHRs to expose patient records via FHIR APIs. Full EHI scope took effect October 2022.