Have you ever had questions about what might be going on with an older loved one’s health? But then you find that your older relative is unable — or unwilling — to let you in on the health details?
Or maybe you’ve wanted to talk to your parent’s doctor, but worried that doing so might be a HIPAA violation?
Such issues come up often for the family caregivers of aging adults. Common situations include:
- An older parent who starts to act in ways that are strange or worrisome, such as becoming paranoid or delusional.
- An older adult who seems to be physically or mentally declining, but seems reluctant to discuss the situation
- A hospitalization or emergency room visit
- A hospitalized older person becoming confused (this would be delirium) and becoming no longer able to explain to family what the doctors have said
In these situations, family caregivers often find themselves grappling with issues related to the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule.
Why all the grappling?
Well, although most people — and all clinicians — have heard of HIPAA, its rules and requirements are often misunderstood. So for instance, families may assume that it’s a HIPAA violation to report a relative’s worrisome behavior to the doctor, because their relative hasn’t given them permission to do so.
Even worse: doctors and other clinicians sometimes refuse to disclose any information to families, and will incorrectly claim that it’s a HIPAA violation to do so. This can create extra confusion and stress for families, or can even sometimes put an older person at risk for harm.
If you’ve been concerned about an aging parent’s health, or are otherwise helping someone with their health concerns, then it can be very helpful to understand HIPAA better. HIPAA regulations will also govern your access to medical records and other important health information.
In fact, the American Bar Association includes “Know your rights of access to health information” among its Ten Legal Tips for Caregivers.
The detailed ins and outs of HIPAA can indeed be hard to fully understand. But, it’s not too hard to learn some practical basics, especially since the US Department of Health and Human Services (HHS) provides a Summary of the Privacy Rule here, and maintains a truly useful set of online FAQs about HIPAA here.
In this article, I’ll explain five useful key basics to help you understand HIPAA better, especially when it comes to getting information and medical records as a family caregiver.
I’ll also address five questions I’ve often heard family caregivers ask about HIPAA.
At the end, I’ll share some of my favorite online HIPAA resources, as well as some final tips to keep in mind.
5 Key Basics About HIPAA
1. What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed in 1996. Among other things, HIPAA required the Department of Health and Human Services (HHS) to create a federal “Privacy Rule” for health providers and health plans, governing how these entities must protect the privacy of an individual’s medical information.
Usually, when people refer to HIPAA, they are actually referring to the HIPAA Privacy Rule created by HHS.
The HIPAA Privacy Rule basically says that “covered entities” must take certain steps to keep a person’s health information confidential and secure.
“Covered entities” means health providers, health insurers, and many other professionals whose daily work involves the handling of individuals’ medical information.
Private citizens and family caregivers are not “covered” by the Privacy Rule. This means that you do not have to keep your — or your older parent’s — health information confidential in the same way that health providers do.
Exactly how “covered entities” should comply with the Privacy Rule can get pretty complicated to explain. What is most important for you to know is that this often — but not always — means taking steps to make sure that patients are in agreement, before their health information is shared with other people.
Overall, HIPAA is intended to balance a person’s right to privacy with the need for health providers to share medical records and otherwise communicate with others, in order to properly care for a patient and act in the patient’s best interest.
To read about the rule in more technical detail, see here: Summary of the HIPAA Privacy Rule.
To read a good plain-English summary of your rights (as an individual) under HIPAA, see here: Your Rights Under HIPAA.
2. What information is protected by HIPAA?
HIPAA’s Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity, no matter what form it is in. So HIPAA applies whether a person’s health information is held or disclosed electronically, orally, or in written form.
A person’s health information is often referred to as “protected health information” (PHI). This covers information that relates to:
- a person’s past, present or future physical or mental health or conditions
- any health care provided to a person (e.g. clinical notes or lab results related to a person’s medical care)
- past, present, or future payments related to a person’s health care (e.g. billing records)
In other words, this is information created by, or stored by, healthcare providers and insurers, such as medical records.
HIPAA also covers demographic data and any information that can be used to identify a person, such as names and addresses.
If you are a family caregiver, remember that you are not a “covered entity.” Hence you aren’t responsible for protecting health information in the same way that your relative’s doctor is.
3. What to know about HIPAA’s rules on disclosing protected health information without committing a HIPAA violation
You’ll be able to sort out what is and isn’t a HIPAA violation more easily if you understand a few fundamentals about HIPAA’s rules on these issues.
According to the HHS Summary of the HIPAA Privacy Rule: “A covered entity may not use or disclose protected health information, except either:
(1) as the Privacy Rule permits or requires; or
(2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.”
In other words, doctors are allowed to disclose health information if a person authorizes it in writing, or if the Privacy Rule otherwise permits or requires such disclosure.
Now, let’s address the difference between being required and being permitted to disclose, because that is really at the heart of a lot of HIPAA confusion.
The difference is that when doctors are required to disclose, then they have to do it, whether or not they want to.
Whereas when they are permitted to disclose, they are allowed to do it, but they don’t have to. (Which means, they might refuse to do it, and they are legally allowed to do so, unless other federal, state, or local laws apply.)
You will now probably want to know: under what circumstances are health providers required or permitted to disclose health information?
Required disclosures of health information. Health providers must disclose protected health information in these two situations:
- When individuals — or their personal representatives — request access to their protected health information. Individuals can also request an accounting of disclosures, which means the covered entity has to tell a person with whom the information was shared.
- When the Department of Health and Human Services requests information, as part of a compliance audit or enforcement investigation.
In short: if you request it, your doctors must give you copies of your medical records. This is known as the “Right of Access.” You can learn more about your rights to view or obtain copies of your health information here: Individuals’ Right under HIPAA to Access their Health Information.
And if you are the durable power of attorney for healthcare for your relative, and if you are currently authorized to act, you have the right to request and obtain your relative’s health information.
Permitted disclosures of health information. Under certain circumstances, health providers are allowed — but not required — to disclose information, without obtaining the patient’s written permission.
Now here’s where things start getting trickier, because the list of permitted circumstances is much longer and more complicated than the list of required disclosures.
If you want to learn about all the permitted disclosures and uses, you can do so by reading the HHS Summary of the Privacy Rule.
But I think it’s more useful to learn from the FAQs that HHS has published online, especially the ones created to guide doctors and other healthcare professionals. I will share some of the more useful ones in the next section, when I address FAQs based on the questions I’ve had people ask me.
For now, the main thing you should know is this: in many cases, health providers are allowed, but not required, to disclose health information to others, even if a patient doesn’t give written or verbal permission for this.
As you will see below, when we go through some FAQs, doctors are allowed to use their clinical judgment and disclose information when a patient lacks capacity to give consent, if the clinician decides that the disclosure is in the best interest of the patient.
4. What to know about HIPAA’s “minimum necessary” requirement
The HIPAA Privacy Rule describes a principle of “minimum necessary” use and disclosure:
“A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.”
Basically, this means that when health providers disclose health information to someone other than the patient, they can’t just disclose anything and everything about their patient’s health. Instead, they should only share on a “need to know” basis, and focus on what’s relevant and necessary.
Note that the minimum necessary requirement does not apply to all disclosures. The Privacy Rule summary lists six situations as exempt, including “disclosure to or a request by a health care provider for treatment.”
In short, if your doctor refers you to another doctor, she can send your whole medical chart along. But, if a doctor is speaking to your family while you are sick in the hospital, the doctor is only allowed to disclose what is necessary and relevant to your current hospitalization and care needs.
5. What is a “HIPAA release”?
Many health providers and other covered entities will require a person to sign a written authorization, before they disclose protected health information. This is sometimes called a HIPAA release, a HIPAA waiver, or a release of information authorization.
Interestingly, the HIPAA Privacy Rule itself does not require health providers to do this. Instead, per the Summary:
“Obtaining ‘consent’ (written permission from individuals to use and disclose their protected health information for treatment, payment, and health care operations) is optional under the Privacy Rule for all covered entities. The content of a consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent.”
In other words, although it’s extremely common for health providers to ask patients to sign written authorizations before disclosing health information, such written consent is not actually required by HIPAA.
Instead, a requirement for written consent usually reflects a clinic’s policies, or perhaps the preference of an individual clinician. Understandably, clinicians want to avoid HIPAA violations or otherwise being accused of failing to protect a patient’s confidentiality.
5 Caregiver FAQs about HIPAA and avoiding HIPAA violations
1. Is written permission always required by HIPAA, for a doctor to be able to talk to me about my older parent’s health?
Nope! As noted above, for permitted disclosures of health information, HIPAA does not require that a patient give written permission.
Instead, clinicians are allowed to use a patient’s verbal consent.
HIPAA also says it’s ok for clinicians to give patients an opportunity to object and to proceed if they don’t object, or even to “reasonably infer, based on professional judgment, that the patient does not object.”
Personally, I have often spoken to a patient’s adult children on the phone, because the patient told me it was okay to do so. However, I usually document in my clinical note that the patient said it was fine to talk to his or her children.
Last but not least, if a patient is not present or if it’s “impracticable because of emergency circumstances or the patient’s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person,” HIPAA says that clinicians can disclose information if they determine that doing so is in the best interest of the patient.
In short, HIPAA allows health providers to have a lot of leeway, when it comes to disclosing medical information to family and others. However, those disclosures will usually have to comply with the “minimum necessary” rule.
Most state laws are similar to HIPAA, but in some states, requirements may be more stringent.
2. Can doctors talk to me about my older parent’s health during an emergency?
Yes, HIPAA allows this type of disclosure. So doctors are permitted to update you about your parent’s health during an emergency.
Furthermore, HIPAA does not require providers to ask family caregivers for proof of identity, before disclosing information.
That said, just because doctors are permitted to disclose information to you doesn’t mean they have to do it. As this FAQ notes, “a health care provider is not required by HIPAA to share a patient’s information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure.”
3. My older parent doesn’t want his doctor to talk to me. What can I do?
This question tends to come up when a family has become concerned about an older person’s mental and/or physical decline. Some older adults will resist their family’s desire to communicate with the doctor. So what can be done?
First of all, as a family member, remember that you are not a “covered entity.” So whether or not a doctor is permitted to disclose information to you, HIPAA does not prevent you from contacting your parent’s doctor and relaying any concerns or information you have.
You can even ask questions; the doctor probably won’t answer them, but it’s good for your parent’s doctor to know what kind of questions your family has.
Otherwise, if your parent has specifically told his doctor to not talk to you, then there are a couple of angles you can consider:
- Consider the possibility of incapacity. HIPAA does permit doctors to disclose information to family when a patient is incapacitated or otherwise unable to consent to the disclosure.
  - If you think your parent might be incapacitated by cognitive decline, delirium, or another medical problem, ask the doctor to consider this.
  - You can start by voicing concerns in a phone call, but it’s best to eventually put them in writing, because your letter will normally end up scanned into your parent’s medical chart. Be sure to include information on concerning behaviors or incidents that you have observed (such as any of these: 8 Behaviors to Take Note of if You Think Someone Might Have Alzheimer’s).
  - You can learn more about incapacity here: Incompetence & Losing Capacity: Answers to 7 FAQs
- Has anyone been designated as durable power of attorney for healthcare? HIPAA allows a patient’s representative to request medical records and health information.
  - Check any durable power of attorney documentation to see under what circumstances the agent has authority to act. Most documents require the older person to be incapacitated, but some allow the agent to act right away.
Of course, even if you are legally permitted to seek information about your parent’s health, your parent is likely to be angry about your doing so. The decision to override an older person’s decision or preferences is a serious one, and should only be considered under special circumstances.
If you have good reason to believe your parent’s insight and judgment are impaired, then it may be ethically reasonable to override their preference for privacy and take actions that will help them achieve their health and safety goals. Just be sure to think through the benefits and risks of your available options carefully, before you proceed.
Of course, what is better is that older adults plan ahead and tell their children what they should do if their older parent ever seems to be ill or mentally impaired, and refuses assistance. But as most older adults don’t get around to doing this, family caregivers do sometimes have to consider some difficult trade-offs when it comes to privacy versus health, safety, or other goals.
Relevant HIPAA FAQs and other information:
Incompetence & Losing Capacity: Answers to 7 FAQs
4. Does a power of attorney for healthcare give me the right to access my parent’s health information?
HIPAA gives a patient’s authorized “personal representative” the right to access information and medical records. A personal representative is defined as a person authorized, under State or other applicable law, to act on behalf of the individual in making health care related decisions.
So yes, if you are the durable power of attorney for healthcare, then you will have a right to access your parent’s health information, provided you are currently authorized to act.
A power of attorney document should specify under what conditions the agent can act. Some are “springing,” which means the agent can only act if the “principal” (the person signing the document) is incapacitated.
But other durable power of attorney documents may allow the agent to have authority to act right away. In this case, you can act unless there is a conflict with what the principal says (assuming the principal has not been deemed incapacitated).
For more information:
Guidance: Personal Representatives
Individuals’ Right under HIPAA to Access their Health Information
Addressing Medical, Legal, & Financial Advance Care Planning
5. My parents want their doctors to share health information with me. How can we make sure the doctors do this?
The best approach is for your parents to bring this up with their doctors and ask what should be documented, to ensure this.
Even though HIPAA itself does not require patients to provide written authorization in order to disclose information to family, clinicians usually feel more comfortable disclosing information if the patient has put something in writing. Many clinics have forms available for this purpose.
Another thing to consider is having your parents designate you as durable power of attorney for health. Consider having your parent indicate that your authority is effective immediately, rather than upon incapacity. (This is an option on health POA forms in California.) This will confirm your status as their “personal representative,” when it comes to requesting access to their medical information.
More Useful HIPAA Resources
I’ve tried to cover the practical basics for caregivers in this article, but of course, there’s a lot more to HIPAA and medical privacy. As of 2020, there has also been additional guidance provided related to COVID, which you can find here: HIPAA and COVID-19.
Here are some of my favorite resources.
HIPAA Resource List
HIPAA FAQs for Professionals: Disclosures to Family and Friends
California Civil Code (regarding disclosures to family): CHAPTER 2. Disclosure of Medical Information by Providers
Individuals’ Right under HIPAA to Access their Health Information (Includes FAQs)
Next Step in Care Guide: HIPAA: Questions and Answers for Family Caregivers
Final Tips
Here are a few final tips for you to keep in mind, if you ever want to talk to a doctor about a relative’s healthcare.
- Plan ahead if possible.
  - Older people should consider how their family might be able to communicate with doctors in the event of an emergency, or even in the event of developing memory or thinking problems.
  - Find out how your family’s usual doctors and health providers will be most comfortable disclosing health information. Complete release of information forms ahead of time if possible.
  - Every older person should complete a durable power of attorney form for healthcare. Consider giving the agent authority to act immediately; this will enable the agent to request medical records even if the older person has not been proven to be incapacitated.
- Consider researching your state’s laws governing disclosure of health information to family and friends.
  - Many states have laws similar to HIPAA, but some may impose additional restrictions.
- Be prepared to politely help inform clinicians of what HIPAA permits. Some clinicians may not realize that HIPAA does allow them to talk to you about your relative’s health, depending on the circumstances.
  - Consider printing out a copy of the relevant HHS HIPAA FAQs for Professionals: Disclosures to Family and Friends.
  - For a good NPR story confirming that hospital employees and health providers often do NOT understand your access rights: It’s Your Right To See Your Medical Records. It Shouldn’t Be This Hard To Do.
- Remember that although HIPAA permits clinicians to disclose information under many circumstances, such disclosures are not required. Clinicians are only required to disclose health information when a patient — or authorized representative — requests this, based on the patient’s right of access.
This article was last reviewed and updated in July of 2024.
Katherine says
I work at a hospital and went into my son’s records to get a percentage of an eczema cream that we use because the Dr. couldn’t find it in my records. Now my job may want to fire me because of this. The Dr. is standing with me but do I have a chance?
Nicole Didyk, MD says
Hi Katherine. I understand your concern in this current climate of privacy awareness. In my experience, privacy breaches are taken seriously by hospitals, and the best course of action is often to be honest about your intentions and demonstrate a commitment to avoid breaches in the future. We did have an employee in our office who was repeatedly looking at medical records of family members and she was reprimanded and moved to another position, but she remained employed (I wasn’t involved in managing her role and I wasn’t aware of these breaches, they were found by the information technology department). I would hope that your employer would take an educational rather than punitive stance, especially if you have a good job performance record.
Bonnie Bingham says
So my question is can a child cancel a parent’s appointment if he or she is not on the privacy practices form?
Nicole Didyk, MD says
I would guess that it would not be possible to cancel an appointment on an elder’s behalf without express authorization from the elder.
John c says
My ex-wife is always talking about clients’ personal information from where they live to who they are, to what they got. Who do I need to talk to, to put a stop to her working in the medical field period?
Nicole Didyk, MD says
Probably the best thing to do would be to talk to her employer, as they would be able to determine if her activities are in breach of their office policies or regulations, or of HIPAA. Here’s an answer from Dr. Kernisan to a similar question. If the employer doesn’t take any action, there is probably nothing more that you can do.
Joanna says
My niece went into the ER for attempted suicide on Saturday. I tried seeing her multiple times in the night with a different excuse from nurses each time. I basically went home with nothing and left a note that they got to her. She called me and I got to talk to her briefly. She had no idea what was going on and basically had been left to sit in an ER room for 7 hours. The next day she got transferred to another hospital. I have been calling them constantly to at least find out where and maybe what is going on with her and they are refusing any information. There is a good chance I am probably on her HIPAA form. But if I am not, are they required to keep that information? Another thing is that I don’t know what kind of shape she was in mentally and if she was even able to understand what she was signing if she did or if they even made her sign anything. Is this different when you get taken in via ambulance? Do you still sign papers?
Leslie Kernisan, MD MPH says
I’m so sorry to hear of your niece’s suicide attempt. Honestly, I don’t know the answers to your questions. My personal experience is almost entirely related to older adults who may have lost capacity due to dementia or serious illness. There are probably different conventions in how HIPAA is interpreted and applied, when it comes to suicide attempts in younger adults. Also, the laws related to involuntary hospitalizations are state-specific, and may be playing a role in this.
I would recommend looking for a support group or non-profit supporting family members of people who have attempted suicide. A group based in your state will be familiar with your state’s laws, which should be helpful. Good luck!
EW says
I live in MN. Are adult parents (age 75) permitted to request medical record information (medical diagnosis, treatment and prescriptions, etc) for their deceased adult children (age 55) if there is no surviving spouse?
Leslie Kernisan, MD MPH says
There is a HIPAA FAQ covering access to health information of decedents here: HIPAA FAQ – Decedents
Also see this comment above.
KW says
I have an employment mediation and I was a nursing supervisor. I completed nursing supervisor visits and nursing assessments. We have 70 clients, 36 HHA and 12 nurses that I supervised. I worked from monthly lists and we knew who needed a timely 62 day visit.
My question is that this mediation is done with lawyers for both sides and the mediator. I need to use those lists that have the clients, staff and nursing employees.
Can I use the client list if I no longer work there and is it allowed to give this information? When the cases were open the client signed a release for the agency to receive all medical, billing and other information.
Leslie Kernisan, MD MPH says
I’m not an attorney or compliance expert, and so I don’t know the answer to your question. I would recommend consulting with someone whose primary line of work is HIPAA compliance.
My understanding is that as employees of a covered entity, we are only supposed to access that protected information held by the entity while doing our work. So if you are no longer employed as a nursing supervisor with the agency, I would think you are not allowed to keep the list, much less use it for other purposes. But that is just my guess. Be sure to look into this further. Good luck!
Mari says
I was an in-home caregiver for a local company. I had various clients, a few of them are spouses of well known business people in my area. I no longer work for the company, but sometimes will see my former clients in town. One came up to hug me and say hello, but a friend from church saw this and spread around church that must have been one of my former clients. Then they started to say things about what the client looked like, so they thought they knew what her issues were, so they come to me looking for answers and verification of their thoughts. I keep telling them it is a breach of privacy (HIPAA and just general manners regarding privacy) for me to be discussing this so I refuse to answer anything. They say I am just hiding behind HIPAA. Does their knowledge of them seeing me with her put me in any breach? I have always been protective of them when I worked for the agency, and still am, it isn’t anyone else’s business. The same client is a personal friend of my dentist. He too might ask if I was her caregiver, in general talk as I have been seen in the waiting room with her just last month. Now I have to go see him, and hope no one asks, oh, weren’t you her caregiver? Since they too have to comply under HIPAA, I am guessing they know better than to ask, but this is a small town, and sometimes this sort of thing comes up in innocent conversations. Thanks for any suggestions, I know you can not give legal advice.
Leslie Kernisan, MD MPH says
Kudos to you for being so professional and protective of your clients’ privacy. Honestly I’m not sure exactly how HIPAA would apply here. You certainly aren’t the one revealing anything if a former client’s family comes to hug you and others draw conclusions, so I wouldn’t worry about that.
In regards to people wanting more information from you, you could politely tell them that as a matter of principle, you don’t answer questions about former clients and you don’t feel comfortable even discussing whether or not someone was a former client, because you feel it’s important to maintain people’s privacy regarding these issues.
I am not sure you even need to bring up HIPAA…people might understand more if you just state it as part of your personal and professional code of conduct.
Hope this helps, good luck!
Melinda says
My brother has placed our mother in a Memory Care facility but will not disclose the name or location. Another family member has given me that information but when I called the facility to confirm my mother’s location, I was told that they could not confirm or deny her as a resident due to HIPAA laws. I just want to know if she is a resident or not. As her daughter am I entitled to that information?
Leslie Kernisan, MD MPH says
Sorry to hear of your situation. I’m not sure you are entitled to that information, unless you are her power of attorney. You could try contacting your local Area Agency on Aging to see if they know more about this type of situation. Of course, the best would be to improve communication with your brother, but if he’s already refusing to disclose information, that’s presumably easier said than done.
For help resolving sibling issues related to aging parents, you could try consulting with a geriatric care manager or elder mediator. Good luck!
Linda Beck says
This would be another good issue to raise with the Long Term Care Ombudsman in your area, because – at least in California – isolating an older adult may be considered a form of elder abuse. Anyone can find the Long Term Care Ombudsman in their area by going to https://theconsumervoice.org/get_help
Linda Beck
Deborah says
My sister has cancer but won’t disclose what kind. My biggest concern is that our mother died from cancer in her 70s; my sister is in her 70s; I will be in my 70s in a few short years. It seems I have a right to know for my own health what type of cancer she has, but I don’t know what steps to take to get that information.
Leslie Kernisan, MD MPH says
I’m sorry to hear of this cancer history in your family, I can see why you’d be worried.
Unfortunately, although I understand your desire to know about your sister’s cancer, my understanding is that you don’t have any legal right to obtain that information. So to find out, your sister would need to agree to tell you.
I imagine you’ve already asked your sister and she’s refused to answer. In that case, you may need to reconsider your approach to discussing this with her. Many books on communication offer helpful suggestions; I like Difficult Conversations in particular. Otherwise, you could see if she’d agree to a conversation facilitated by a therapist or mediator. Good luck!
Danielle says
I was hospitalized for depression and was seeking help for suicidal thoughts and my spouse and I got into an argument at the hospital about what we thought was the correct care I needed. She was asked to leave and she left but was verbally loud as she was leaving. The hospital reported that my daughter was being dragged out of the hospital and an abuse claim was reported. Upon my discharge CPS came to my home and had full knowledge of all my medical information and everything I spoke to my doctors about. My question is were my rights violated under HIPAA laws since the claim to CPS was my spouse was being rough with my daughter as they were exiting the hospital and not my mental health in question or my parenting ability? I don’t understand why my medical information was given while I was in a hospital bed seeking help for my depression.
Leslie Kernisan, MD MPH says
Sorry that this has happened to you, it does sound upsetting. I am not an attorney or a HIPAA compliance expert, so I’m afraid I can’t answer your question. I have not researched the circumstances under which a hospital might disclose (or be required to disclose) information to a social services agency such as CPS.