Your Health Data Belongs to You

Most people have never downloaded their own medical records. They have seen fragments — a lab result on a patient portal, a discharge summary handed over in a folder — but the complete picture of their health history lives on servers they do not control, in formats they have never seen, managed by institutions whose interests are not identical to theirs. This is a sovereignty problem. Nassim Nicholas Taleb argues in Antifragile that information asymmetry is one of the primary mechanisms by which institutions maintain power over individuals. Your health data is the most personal information asymmetry you will ever face, and closing that gap is the first move in any serious health autonomy practice.

Why This Matters for Sovereignty

You cannot make autonomous health decisions without first owning the data those decisions depend on. Every time you walk into a new provider’s office and fill out a form from memory — guessing at medication names, approximating surgical dates, forgetting which imaging was done three years ago — you are ceding the informational high ground to a system that already has it. The provider pulls up whatever their network happens to share. You get whatever they choose to tell you. The relationship is asymmetric from the first handshake.

When you walk in with your own organized records, the dynamic shifts. You are not a blank slate waiting to be written on. You are a participant with context, continuity, and the ability to notice when something in the new provider’s assessment contradicts what you already know. This is not adversarial. It is the same due diligence you would apply to any infrastructure you depend on. Your body is infrastructure. Treat the data accordingly.

The philosophical case runs deeper than convenience. Emerson’s “Self-Reliance” argues that dependence on external authority for self-knowledge is a form of intellectual surrender. Your medical records are a form of self-knowledge — accumulated, clinical, longitudinal. Letting that knowledge reside exclusively in institutional systems, accessible only on their terms and in their timeframes, is a quiet abdication of the very information you need to steward your own health.

How It Works

Your Legal Right to Your Records

In the United States, you have an unambiguous legal right to your medical records. The HIPAA Privacy Rule guarantees the right of access — you can request your complete medical record from any covered entity, and they must provide it within 30 days (with a possible 30-day extension). The 21st Century Cures Act, passed in 2016 and enforced with teeth starting in 2021, goes further: it prohibits information blocking, which means healthcare providers, health IT developers, and health information networks cannot unreasonably prevent or interfere with your access to your electronic health information .

This matters because the gap between legal right and practical access has historically been wide. Hospitals would acknowledge your right to records while making the process slow, confusing, and expensive. The Cures Act was designed to close that gap. It has not closed it entirely, but it has given you a stronger position when a records department drags its feet.

The Request Process

The theoretical process is simple: submit a written request to the medical records department of any provider, hospital, lab, pharmacy, or insurer. The practical process requires specificity. When you request records, ask for the complete medical record — not a summary, not a portal printout, not a care plan excerpt. Specify that you want clinical notes, lab results with reference ranges, imaging reports, pathology reports, medication histories, surgical records, and any correspondence between providers about your care.

For hospitals and large health systems, start with the medical records or health information management (HIM) department. For individual physicians, the request often goes through the front desk or office manager. For labs like Quest Diagnostics or LabCorp, you can request results directly through their patient portals or via written request. For pharmacies, request your complete prescription history. For insurers, request your claims history — this is a different dataset from your clinical records and can reveal patterns in billing that illuminate your care history from a different angle.

Digital Formats: What to Ask For

Patient portals are not your complete record. They are a curated view — typically showing recent results, active medications, and visit summaries. The gap between what the portal shows and what the record contains can be substantial, particularly for complex care histories. When requesting electronic records, ask for the C-CDA (Consolidated Clinical Document Architecture) format if available, which is a structured XML document that many health IT systems can produce. Some systems will offer FHIR (Fast Healthcare Interoperability Resources) access . In practice, you will often receive PDFs, which are better than nothing but harder to organize and search.

The Proportional Response

You do not need to become a medical records specialist. You need a personal health binder — physical, digital, or both — that contains the core elements of your health history in a form you can access and carry.

Start with the basics. Gather your records from every provider you have seen in the last ten years. This may take several requests over several weeks. Request them in parallel rather than sequentially. Most records departments respond faster when the request is specific and references HIPAA right of access explicitly.

Build your binder. Organize what you receive into categories: lab results (chronological, with reference ranges), imaging reports, medication history (current and past, including dates and reasons for changes), surgical and procedure history, family history, immunization records, and provider notes. A simple spreadsheet tracking your lab values over time is remarkably powerful — it lets you see trends that no single snapshot reveals.

Use the tools available.Apple Health Records can pull data from participating health systems directly into your phone. CommonHealth serves a similar function on Android . Neither replaces the complete record, but both provide a useful real-time layer. For the comprehensive binder, a well-organized folder structure on an encrypted drive works. You do not need expensive software. You need discipline and a consistent filing system.

Maintain it. After every significant medical encounter — annual physical, specialist visit, procedure, ER visit — request the records and add them to your binder. This is a practice, not a project. Ten minutes after each visit keeps the system current.

What to Watch For

The portal gap. Patient portals will continue to improve, but they are not your record. They are a convenience interface. Do not mistake the portal for the complete picture, especially if you have a complex history or have received care across multiple systems.

Privacy audit.Under HIPAA, you also have the right to an accounting of disclosures — a record of who your health information has been shared with, beyond treatment, payment, and healthcare operations. Request this periodically. It is often revealing. Your data moves through more hands than you expect, including health information exchanges, data brokers operating in the healthcare space, and research databases .

The leverage is real. When you present organized records to a new provider, you communicate something beyond preparedness. You communicate that you are an active participant in your care, that you track your own data, that you will notice inconsistencies. Providers who welcome this are the ones worth keeping. Providers who find it threatening are telling you something about how they view the relationship.

The cost should be minimal.HIPAA limits what providers can charge for record copies to a reasonable, cost-based fee. Some states have stricter limits. If a provider quotes you hundreds of dollars for your own records, push back and reference the applicable fee limits .

This is where health sovereignty begins — not with a dramatic gesture, but with the quiet, deliberate act of gathering the information that already belongs to you and organizing it so that every future health decision you make starts from a position of knowledge rather than dependence.

This article is part of the Health Autonomy series at SovereignCML.

Related reading: The Informed Patient Approach, Direct Primary Care: Cutting Out the Middleman, Building a Relationship with a Doctor Who Listens