Frequently Asked Questions

Who can I chat with?

Doctors and other health professionals using Medyear Pro must first initiate the friend request with any Medyear user, through searching for someone’s email address or Medyear Direct address. Once a friend connection is established between a Medyear Pro user and a Medyear patient using Basic or Plus, either side can initiate a new chat and start exchanging medical records.

What is the difference between a Basic and a Plus account?

After you have validated your email you can enjoy the benefits of a Medyear Basic account. Medyear Basic is totally free and allows you to connect to hospitals, browse the records received from the hospitals after connection and track your health status with updates and photos that you can post on the Home screen. You may also chat with any Basic or Plus user if you have a friend connection.

To receive records, you’ll first need to connect to a hospital with which you have a login and password. Please note that the hospital needs to be in our list of health systems. Our list of supported systems is always growing, so please check back soon if yours hasn’t been added yet.

If you have a PLUS account, you will be able to request your records directly from our network of 930,000 medical physicians by HIPAA request and secure messaging. Tap the “Request Records” button on any doctor’s profile page to get started.

What is secure messaging?

Secure messaging allows doctors and patients to communicate confidentially across systems using Direct emails. With a Medyear Plus account, you are given a Direct email address that allows you to send messages to any doctor and any EMR. Anyone with a Medyear Plus Direct address has gone through an online identity validation, so you can message these accounts with confidence.

Who can access my records?

As the patient, you control your records and how you share your records with others is up to you. Medyear gives you precise control over how you can share your medical records. For example, you may opt to share only a single medication record in a chat session, rather than your entire medical history.

Who can I contact with my Medyear Plus account?

With your Medyear Plus Direct address (, you have the ability to send a secure email message (known as a Direct message) to over a million medical professionals across the United States. With a Plus account, you also have access to Medyear Basic’s chat functionality, which let you chat in real-time with any Medyear Pro user that you’re connected with.

What is HIPAA Request and what do I need to know?

A HIPAA request is a legally binding document that formally requests your medical records from a particular doctor or provider. Our HIPAA request cites the federal regulation that requires that your provider must send you your electronic health records within 30 days. Once you receive these records in your inbox, they can be saved to your Medyear account.

I received a request for medical records from a patient’s Medyear email address. Is this a valid request?

Yes, since Medyear is the entity designated by the individual to receive medical records, this is a valid request. According to the US Department of Health and Human Services:

“If requested by an individual, a covered entity must transmit an individual’s PHI directly to another person or entity designated by the individual. The individual’s request must be in writing, signed by the individual, and clearly identify the designated person or entity and where to send the PHI. See 45 CFR 164.524(c)(3)(ii). A covered entity may accept an electronic copy of a signed request (e.g., PDF or scanned image), an electronically executed request (e.g., via a secure web portal) that includes an electronic signature, or a faxed or mailed copy of a signed request.”


What does HHS say about providing patient records via Direct email?

Please see the following HHS guidance regarding the suitable use of Direct to provide medical records:

“In addition, the individual can designate the form and format of the PHI and how the PHI is to be sent to the third party, and the covered entity must provide access in the requested form and format and manner if the PHI is “readily producible” in such a way. Whether PHI is “readily producible” depends on the capabilities of the covered entity and whether transmission or transfer of the PHI in the requested manner would present an unacceptable level of security risk to the PHI on the covered entity’s systems (based on the covered entity’s Security Rule risk analysis).

The following are just a few examples of how these provisions apply:

  • A patient requests that the hospital where she recently underwent a surgical procedure use its Certified EHR Technology (CEHRT) to send her discharge summary to her primary care physician, or to her own personal health record, and she supplies the corresponding Direct address (an electronic address for securely exchanging health information using the Direct technical standard).
  • A patient sends a request to his long-time physician asking the physician to download a copy of the PHI from his electronic medical record, and e-mail it in encrypted form to XYZ Research Institution, at, so XYZ Research Institution can use his health information for research purposes.
  • A patient requests that her ob-gyn digitally transmit records of her latest pre-natal visit to a new pregnancy self-care app that she has on her mobile phone. The ob-gyn’s EHR has the ready capability to establish the connection in a manner that does not present an unacceptable level of security risk to the PHI in the EHR or other of the ob-gyn’s systems, based on the ob-gyn’s Security Rule risk analysis.

In each of these three examples, the covered entity has the capability to transfer the PHI in the requested manner and doing so would not present an unacceptable level of security risk to the PHI in the covered entity’s systems. Thus, after receiving the patient’s request, the covered entity has 30 days (or 60 days if an extension is applicable) to send the PHI to the designated recipient as directed by the individual. However, in most cases, it is expected that the use of technology will enable the covered entity to fulfill the individual’s request in far fewer than 30 days.”


How do I respond to a Medyear patient request for their records?

To provide a patient with a copy of their records using Direct email:

From your EMR’s inbox, simply REPLY to the records request message, and attach a copy of the patient’s CCD file. The CCD file should be in .XML format, but you can also send PDF versions of the CCD file if .XML is not available.

By using the REPLY feature of your EMR’s inbox, the corresponding message should be automatically addressed to the patient’s Direct address ( If it is not, you can manually type in the patient’s Medyear Direct address in the “To:” field of the corresponding secure email message.

This is how many many medical professionals and organizations currently share patient records amongst themselves. Please consult with your EMR provider or IT department for more information on how to construct CCD files, and how to use your EMR’s inbox feature.

How long do I have to respond to a patient request for their records?

According to HHS guidance:

“Thus, after receiving the patient’s written request, the covered entity has 30 days (or 60 days if an extension is applicable) to send the PHI to the designated recipient as directed by the individual. However, in most cases, it is expected that the use of technology will enable the covered entity to fulfill the individual’s request in far fewer than 30 days.”


How can I be sure about this patient’s identity?

All Medyear users with a Medyear Direct Address have been through a rigorous identity proofing that complies with the latest standards set by DirectTrust and NIST.

Medyear uses facial recognition technology to compare a person in the live “selfie” to the photo on their driver’s license or ID card to determine if it is the same person. This Medyear innovation is called the “digital bouncer” because it works in the same way as a real-life bouncer.

Only after correctly supplying the above information is a user allowed to obtain a Medyear Direct address (ie,

Some patients have the same name. How do I know which person is making this HIPAA request?

In order to assist you further in matching the correct patient records to the patient making this HIPAA request, we have provided the following patient identifiers, in addition to their Medyear Direct Address in the HIPAA release:

  • Patient’s name,
  • Gender,
  • Date of birth,
  • Address,

Please refer to the patient identifier information when responding to the request, to ensure you are sending medical records for the correct person.