Is It a HIPAA Violation to Look at Your Own Chart?

Looking at your own medical chart is not a HIPAA violation when you do it as a patient through the proper channels. HIPAA actually guarantees your right to see your own health information. But if you work in healthcare and pull up your own chart using your clinical login, that’s a different situation entirely, and it can get you disciplined or fired even though the records are yours.

HIPAA Protects Your Right to Your Own Records

The HIPAA Privacy Rule explicitly gives you the right to inspect and obtain a copy of health information about yourself maintained by your healthcare providers and health plans. This covers a broad range of records: medical charts, billing and payment records, insurance information, lab reports, X-rays, clinical notes, consent forms, wellness program data, and more. The legal term for this collection is a “designated record set,” and it includes essentially any record used to make decisions about your care or payment.

Providers cannot refuse you access to your own records, and federal law actively penalizes them for blocking it. Under the 21st Century Cures Act, healthcare providers who knowingly and unreasonably interfere with your access to electronic health information face formal disincentives from the Department of Health and Human Services. Health IT developers and health information networks face civil penalties of up to $1 million per violation for information blocking.

The Exception: Accessing Your Chart at Work

Here’s where most people get tripped up. If you’re a nurse, medical assistant, physician, or anyone else who works in a healthcare setting, you likely have access to your employer’s electronic health record system. You might see your own name pop up after a visit, and it feels natural to click on it. It’s your information, after all.

But healthcare organizations treat this as a policy violation, and many treat it seriously. Access to patient records through clinical systems is restricted to authorized business purposes: treating a patient, approved research, education, or healthcare operations like audits and quality reviews. Looking at your own chart doesn’t fall into any of those categories. Columbia University Irving Medical Center’s policy states it plainly: “Workforce members that are granted access to the EHR should not access their own medical information.” That includes viewing notes, printing records, checking test results, updating your contact information, scheduling appointments, or ordering tests for yourself.

UNC Health’s privacy office takes the same position, noting that accessing patient records outside of authorized business purposes “will be considered a violation of patient privacy and of UNC Health privacy policies.” These aren’t unusual stances. Most hospital systems have identical rules, and they audit EHR access logs to catch violations.

Why Your Own Records Are Off-Limits at Work

This seems counterintuitive, but the reasoning is straightforward. When you log into an EHR system, you’re acting as an employee with elevated access privileges. The system can’t distinguish between you looking at your own chart and you snooping on a coworker, an ex, or a celebrity patient. Hospitals enforce a blanket rule (access only for work purposes) because it’s the only rule that can be consistently monitored and enforced. If “it’s my chart” were an acceptable reason, every unauthorized access could be harder to investigate.

There’s also a clinical integrity concern. Policies specifically prohibit altering your own records, self-prescribing medications, or ordering your own tests through the system. Allowing any self-access creates a gray area that’s easier to eliminate entirely.

What Happens If You Access Your Own Chart at Work

Consequences vary by employer but can be significant. Columbia’s policy states that workforce members “will be subject to disciplinary action if impermissible access is confirmed in accordance with the organization’s discipline and/or sanction policy for privacy violations.” In practice, this can range from a written warning to termination, depending on the organization and whether the access involved any changes to the record. Some hospitals treat a first offense with counseling, while others apply a zero-tolerance approach. If the access results in any compromise of protected health information, regulatory reporting requirements may kick in as well.

How to Access Your Records the Right Way

Whether you work in healthcare or not, the proper way to view your own medical information is through a patient-facing channel. Most health systems offer a patient portal (like MyChart) that gives you secure online access to your records, lab results, visit notes, and messaging with your care team. If you work at the same hospital where you receive care, the portal is your designated path. UNC Health, for example, directs employees to use MyUNC Chart for personal record access rather than the clinical system.

You can also submit a formal records request. Your provider must give you access to your designated record set, which includes medical records, billing records, clinical notes, imaging, and case management files. Providers can charge a reasonable fee for copies. The Department of Health and Human Services allows a flat fee option of up to $6.50 for electronic copies, though providers may also calculate actual costs and charge accordingly. The $6.50 figure is a convenience option, not a universal cap.

Records You May Not Be Able to Access

A small number of record types are excluded from your right of access. The most notable is psychotherapy notes, which HIPAA treats differently from all other mental health information. These are the personal notes a mental health professional writes during or after a private counseling session, kept separate from your main medical record. They’re not the same as a therapist’s clinical notes or treatment summaries, which you can access. Psychotherapy notes require your specific written authorization before they can be disclosed to anyone, including other healthcare providers, and in some cases a provider may decline to share them with you.

Information compiled in anticipation of a legal proceeding and certain lab results governed by other federal laws may also be restricted. But for the vast majority of your health information, the right of access is broad and well-established.