FSFaxSealBETA
Send a Fax →
← Blog·Healthcare · HIPAA

How to Request Medical Records by Fax

Fax remains a primary channel for medical record requests — many providers still prefer fax or their patient portal over email. Here's exactly what to include in a HIPAA authorization letter, where to send it, and what happens next.

FaxSeal Team··6 min read

You have a legal right to your own medical records. The hard part is that most providers still require a signed HIPAA authorization letter — delivered by fax.

This guide covers exactly what goes into that letter, how to send it, how long to expect to wait, and what to do if the provider doesn't respond. Whether you're a patient, an attorney, or a caregiver requesting records on behalf of someone else, the process is the same.

Why fax?

Despite the growth of patient portals and secure email, fax remains a common channel for medical record requests in the US for several reasons: HIPAA explicitly recognizes fax as a permitted disclosure method, providers have mature workflows built around it, and a fax transmission creates a timestamped delivery record that email often cannot.

Most hospitals and clinics publish a dedicated medical records fax number — often on their website under “Patient Services” or “Medical Records.” That is where your request goes.

What HIPAA requires in a records request

Under 45 CFR § 164.508, a valid HIPAA authorization must include:

  • Patient identification — full name, date of birth, and a patient ID or the last four digits of their Social Security Number.
  • Description of the information to be disclosed — which records you want (office notes, lab results, imaging, billing, etc.) and the date range.
  • Who is authorized to make the disclosure — the name of the provider or facility holding the records.
  • Who is authorized to receive the information — you, your attorney, another provider, or an insurance company.
  • Purpose of the disclosure — continuing care, legal proceedings, personal copy, insurance claim, etc.
  • Expiration date or expiration event — typically one year from the date of the request.
  • Signature and date — yours, or the authorized representative's. Many providers accept a typed name with a declaration of authorization for faxed requests, but policies vary — some require a handwritten or electronic signature, or a facility-specific form. If a provider rejects your request on this basis, ask for their preferred authorization form.

Missing any of these elements gives the provider grounds to reject the request. Most rejections come from missing patient ID, an unclear description of records, or no stated purpose.

Who can request records

Patients can always request their own records. Others may also request on a patient's behalf if they can establish authorization:

  • Parents and legal guardians may request records for minor children in most states.
  • Authorized representatives — anyone holding a healthcare proxy, power of attorney, or other legal authorization.
  • Attorneys may request records with a signed patient authorization attached. The authorization must explicitly name the attorney or firm.
  • Insurance companies may request records relevant to a claim with patient authorization.

In all cases, the authorization letter must clearly state the relationship. Providers are entitled to verify authorization before releasing records.

Step-by-step: sending a records request

  1. Find the provider's medical records fax number. Check the hospital or clinic website under “Patient Services,” “Medical Records,” or “Release of Information.” If it's not listed, call the main number and ask for the medical records department.
  2. Prepare your authorization letter. Include all HIPAA-required elements listed above. Be specific about which records you need — “all records” requests are often processed more slowly than specific requests.
  3. Send it by fax. Use a fax service that provides a delivery confirmation. Keep the confirmation — it proves the request was received and establishes the date your statutory response clock started.
  4. Follow up if needed. HIPAA gives providers 30 days to respond, with one 30-day extension. If you haven't heard back after 35 days, call the medical records department and reference your fax confirmation.

Skip the paperwork

FaxSeal generates the HIPAA authorization letter from your answers and faxes it directly to the provider. You get a certified delivery receipt you can reference if the provider disputes receiving the request.

Send a records request →

What happens after you send the fax

The provider's medical records department (sometimes called Health Information Management or HIM) logs incoming requests. Under HIPAA, they have 30 days to respond — either by providing the records, denying the request with a written explanation, or notifying you of an extension (which gives them another 30 days).

Providers may send records by mail, fax, or secure patient portal. If you need them delivered to a specific address or number, state that clearly in the authorization letter.

What to do if the provider doesn't respond

If 35 days pass with no response:

  1. Call the medical records department directly and provide your fax confirmation date and number. Most delays are administrative, not intentional.
  2. Resend the request if they claim they didn't receive it. Your original fax confirmation protects you — the burden of proof shifts if you have a verified delivery record.
  3. File a complaint with the HHS Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint if the provider is non-responsive beyond 60 days. Providers take OCR complaints seriously.
  4. Contact a patient advocate or attorney if records are needed for legal proceedings and the delay is causing harm.

Common reasons requests are rejected

  • Missing patient date of birth or identifying information
  • No stated purpose for the request
  • Authorization letter not signed (or no authorization statement for faxed requests)
  • Date range is missing or too broad (“all records ever” without a start date)
  • Attorney requests without patient authorization attached
  • Request sent to the wrong department (general office fax instead of medical records fax)

A note on fees

Providers may charge a reasonable, cost-based fee for copying and mailing records — but cannot charge for the time spent searching or retrieving them. Many states cap the per-page fee. For records requested for treatment purposes (e.g., transferring to a new provider), HHS guidance limits fees to the cost of preparation and transmission, and some states restrict fees further. Check your state's health department rules, and consider requesting a fee waiver in your authorization letter.

Related: HIPAA Faxing Guide · Send a Medical Records Request · Help & FAQ