moonbeam
(Member)
08/27/03 03:51 PM
Re: Withholding medical records illegal?

I hope that this helps clear up the confusion regarding medical records and HIPAA and the patient's right to obtain, view, dispute, etc. information in their medical records. I am not a lawyer, but under the word of the law (below), I interpret it to say that the individual, who is the subject of protected health information, has the right to view, copy, etc. his or her medical records.

I take this to say that the doctor cannot refuse you access to your own medical records. Hope it helps.

Federal Law
HIPAA

The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the "federal floor" of privacy protection for health information in the United States, while allowing more protective ("stringent") state laws to continue in force. Under the Privacy Rule, protected health information (PHI) is defined very broadly. PHI includes individually identifiable health information related to the past, present or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Even the fact that an individual received medical care is protected information under the regulation.

The Privacy Rule establishes a federal mandate for individual rights in health information, imposes restrictions on uses and disclosures of individually identifiable health information, and provides for civil and criminal penalties for violations. The complementary Security Rule includes standards for protection of health information in electronic form.

Rights Under the Privacy Rule

The individual, who is the subject of Protected Health Information (PHI), has the following rights under the Privacy Rule:


Right to access, inspect and copy PHI held by hospitals, clinics, health plans and other "covered entities," with some exceptions
Right to request amendments to PHI held by "covered entities"
Right to request an accounting of disclosures that have been made without authorization to anyone other than the individual for purposes other than treatment, payment and health care operations
Right to receive a Notice of Privacy Practices from doctors, hospitals, health plans and others in the health care system
Right to request confidential communications of PHI, e.g., having PHI transmitted to a different address or a different telephone number
Right to request restrictions on uses or disclosures, although the "covered entity" receiving the request is not obligated to accept it
Right to complain about privacy practices to the "covered entity" and to the Secretary of Health and Human Services

Limits on uses and disclosures

"Covered entities" that hold PHI may use it without an individual's consent for the purposes of providing treatment to the individual, for payment activities such as claims adjudication and premium setting, and for operating their businesses. They are also permitted to use and disclose PHI as required or permitted by other laws, e.g., laws related to reporting of child or elder abuse, public health oversight and national security investigations. However, those who have PHI must obtain an individual's signed authorization for use of PHI in marketing, research, fundraising, or any other activities that are not part of treatment, payment, health care operations, and other categories specifically identified under the Privacy Rule. A few types of disclosures require that the individual be given an opportunity to agree or object to the disclosure, e.g., whether information should be included in a hospital directory or given to clergy. Based on the professional judgment of a health care professional, some disclosures may be made to friends and family who are involved in an individual's care if such disclosures are found to be in the best interest of the individual.

In addition to specific restrictions on uses and disclosures, the Privacy Rule imposes a general "minimum necessary" requirement on those who hold and use PHI. Except for disclosures to the individual who is the subject of PHI or disclosures for treatment purposes, organizations must limit their uses and disclosures to "minimum necessary" information required to perform a task. They must have policies and procedures that specify what PHI can be viewed by different classes of employees within their workforces, what PHI should be released in response to routine inquiries, and must have a process in place for deciding what PHI should be released in response to non-routine requests.

"Covered entities" must also have formal contracts with their business associates, which use PHI to perform functions on their behalf. Examples of business associates include law firms, accounting firms, accreditation organizations, credentialing services, billing services and third-party administrators. Business associate agreements must stipulate that the business associate will safeguard PHI and will assist the "covered entity" in complying with its obligations with regard to individual rights and oversight by the Secretary of Health and Human Services.
