Your Medical Records Are Yours — The Law That Finally Made Getting Them Easy
Getting a copy of your own medical records used to mean forms, fees, and fax machines. The 21st Century Cures Act quietly changed that — here's how the law put your health data back in your hands.
The records were always "yours." Getting them was another story.
If you've ever tried to get a copy of your own medical records, you know the drill. You call the clinic. They tell you to print and mail a form. You wait. You get told the file is at another office, or on a system that "doesn't talk to" the one in front of them. Sometimes a bill shows up — sometimes a big one. And often what you finally receive is a fax or a stack of paper that no app, doctor, or human can easily make sense of.
This wasn't your imagination. In 2018, the U.S. Government Accountability Office studied how patients actually access their records and found the process slow, fragmented, and expensive. The fax machine, long dead almost everywhere else, was (and largely still is) a backbone of American healthcare.
Then the rules changed. A 2016 law called the 21st Century Cures Act, and the regulations that brought it to life, quietly rewired who controls your health data. The short version: your records are now supposed to flow to you, electronically, for free, into the app of your choice. Here's what changed, why it took so long, and where the gaps still are.
What the 21st Century Cures Act actually did
The Cures Act passed in 2016 with a sweeping mandate, but the part that matters for your records is its attack on "information blocking" — the practices, intentional or not, that kept health data locked up.
To enforce it, the federal Office of the National Coordinator for Health IT (ONC) issued the Cures Act Final Rule in 2020. Two things in that rule changed the game for patients:
1. You get your electronic health information at no cost. The rule gives patients access to all their electronic health information (EHI) — not just lab values and medication lists, but clinical notes too — at no cost when delivered electronically. (Charging for manual effort, like staff pulling and copying paper, is still allowed under a narrow "Fees Exception." The "free" part applies to electronic access.)
2. Your records have to be reachable by apps, through a standard "plug." The rule requires certified health IT systems to expose a standardized FHIR API — think of it as a universal electrical socket for health data. Under a certification criterion known as §170.315(g)(10), electronic health record systems must support HL7 FHIR (R4.0.1), the US Core data profiles, and the government's standardized data set (USCDI), using SMART on FHIR so you can securely authorize a third-party app to pull your data. More than 290 health IT products have been certified against this standard, each tested through the government's open "Inferno" test suite.
That second point is the quiet revolution. Before, getting your data meant a human on the other end deciding whether, how, and at what price to hand it over. Now there's supposed to be a standard, machine-readable doorway that you control the key to.
"Information blocking" — and who's now on the hook
The legal heart of all this is the ban on information blocking, defined under the Public Health Service Act (§3022). It applies broadly — not just to hospitals and doctors, but to the health IT developers, health information exchanges, and health information networks that move data behind the scenes.
The rule isn't absolute. It carves out a set of exceptions, such as for protecting patient privacy or safety, or for genuine infeasibility. There were originally eight exceptions; a ninth (covering data shared through the national TEFCA framework) was added in 2023. These exceptions are also where the remaining friction lives: they're the legal "yes, but…" that can still slow access in specific situations.
The rules carry teeth. Since September 2023, the HHS Office of Inspector General can fine health IT developers, exchanges, and networks up to $1 million per violation.
Where VitalLoop comes in
That last sentence is the whole reason VitalLoop exists. The law opened the door. The hard part — actually walking through it, pulling your records from every doctor and insurer, and turning a pile of FHIR data and PDFs into something you can read, track, and act on — is still on you.
VitalLoop is built to do exactly that: connect to the access points the Cures Act created, gather your scattered records into one place, and make your own health data finally make sense. The records were always yours. Now you can actually hold them.
Sources
- ONC, Cures Act Final Rule — healthit.gov/topic/oncs-cures-act-final-rule; healthit.gov/regulations/cures-act-final-rule/
- 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program — Federal Register, May 1, 2020
- ONC §170.315(g)(10) API criterion & Inferno test kit — onc-healthit.github.io/api-resource-guide; inferno.healthit.gov
- CMS Patient Access API (CMS-9115-F) — cms.gov interoperability FAQ
- HHS-OIG information blocking penalties (effective Sept 2023) — oig.hhs.gov/reports/featured/information-blocking; ropesgray.com alert, July 2023
- HHS, Crackdown on health data blocking — hhs.gov press room
- GAO-18-386, patient access to records (2018) — gao.gov; HIPAA Journal; Healthcare Dive
Written by
Alejandro Naranjo
Founder