Can a Healthcare Proxy Access Medical Records Under HIPAA? Rights, Limits, and How to Request Access

Kevin Henry

HIPAA

March 09, 2026


Healthcare Proxy Authority

A healthcare proxy (also called a health care agent or medical power of attorney) is the person you authorize to make treatment decisions when you cannot. Under HIPAA, a properly recognized proxy is usually treated as your Personal Representative, which allows them to act on your behalf for information access and Medical Records Disclosure consistent with the authority you granted.

The proxy’s authority depends on the document and state law. Many forms “spring” into effect only when you lack decision-making capacity; others are effective immediately. Bring valid Healthcare Proxy Documentation—your signed proxy or power of attorney, any required witness or notary pages, and government ID—to show the scope and timing of the proxy’s role.

When the proxy is acting, providers may share protected health information (PHI) with them to the same extent they would with you, subject to Patient Privacy Protections and specific limits described below. The proxy’s role covers medical decisions; it does not automatically grant control over non-medical matters unless the document or law says so.

HIPAA Access Rights

HIPAA gives you—and your Personal Representative when recognized—the right to inspect, review, and get copies of your PHI in the “designated record set.” That typically includes medical and billing records and other information used to make decisions about care, but it excludes psychotherapy notes and information prepared for legal proceedings.

Form and format matter. You can request records electronically (for example, PDF or portal download) if readily producible. Providers must act within standard HIPAA timelines, communicate any delays, and may charge only reasonable, cost-based fees for copying, supplies, and postage. The “minimum necessary” rule does not limit disclosures to you or your Personal Representative.

Covered entities (such as hospitals, clinics, and health plans) and their business associates must implement Proxy Access Policies that verify identity and authority before releasing information, while still honoring the right of access without unnecessary barriers.

Authorization Requirements

If the proxy is recognized as your Personal Representative, a separate HIPAA Authorization Form is usually not required for access under the right of access. However, facilities often ask for their standard forms to capture request details, confirm identity, and document the disclosure.

When you still have capacity but want your proxy (or another person) to see your information, you can sign a HIPAA Authorization Form granting that permission. A good authorization specifies what records may be disclosed, to whom, for what purpose, how long it lasts, and how to revoke it. Authorizations are optional for treatment, payment, and healthcare operations but are commonly used to share beyond those purposes.

Additional consents that may be required

Some records are protected by stricter federal or state laws. Substance use disorder treatment information (often regulated by 42 CFR Part 2), certain mental health records, HIV/STI results, genetic testing, and reproductive health services may require specific, heightened consent language—even for a Personal Representative. In these cases, you or your proxy may need to execute a tailored authorization that satisfies those rules.

Access Revocation Procedures

You may revoke a prior authorization or limit a proxy’s access at any time, unless your document says otherwise. Submit a signed written revocation to the provider’s privacy or medical records department and to any patient portals where proxy credentials exist. Ask for written confirmation and verify that portal and release workflows have been updated to prevent further disclosures.

Exceptions to Access

HIPAA permits covered entities to deny access in specific situations. Key exceptions include psychotherapy notes and information compiled for litigation. Access may also be denied if a licensed professional believes releasing information is reasonably likely to endanger the life or physical safety of the patient or another person.

Special protections may apply if the provider reasonably believes the patient has been or may be subjected to domestic violence, abuse, or neglect by the Personal Representative, or that treating the person as the Personal Representative could endanger the patient. In such cases, the provider may decline to treat the proxy as a Personal Representative to protect the patient.

For minors, parents or guardians are generally the Personal Representative, but many states carve out confidential services (for example, certain mental health, substance use, reproductive health, or STI care) where the minor controls access. Records governed by stricter federal or state laws may require specific consent or a court order despite proxy status.

If access is denied, the proxy is entitled to a written denial explaining the basis and, when applicable, how to seek a review by another licensed professional not involved in the original decision.

Requesting Medical Records

Use this step-by-step approach to request records efficiently and securely while honoring Patient Privacy Protections and facility Proxy Access Policies.

Step-by-step process

  • Confirm authority: Ensure the proxy is currently authorized to act (for example, the “springing” proxy has been activated due to incapacity).
  • Assemble Healthcare Proxy Documentation: Bring the proxy or power of attorney, required witness/notary pages, a photo ID, and any court orders (for guardianship or executorship, if applicable).
  • Define scope: Specify the date range, types of records (visit notes, labs, imaging, care summaries, billing), and the designated record set you need.
  • Choose delivery: Request electronic copies when possible (PDF, secure email, portal download, or encrypted media). State your preferred form and format in writing.
  • Submit the request: Send it to the health information management (HIM)/medical records or privacy office. Some organizations accept requests via their patient portal or e-signature workflows.
  • Track timelines: HIPAA requires prompt action within standard deadlines; one reasonable extension is allowed with written notice. Ask for an estimated fulfillment date.
  • Understand fees: You may be charged only a reasonable, cost-based fee for copying and supplies. Electronic delivery often lowers costs.
  • Receive and review: Verify completeness, request missing items, and maintain secure storage. Share only what is necessary with third parties to reduce risk.
  • If denied: Request a written denial with reasons and review rights. You can ask for a supervisory or professional review and elevate concerns to the organization’s privacy officer.

What to include in your written request

  • Patient’s full name, date of birth, address, and contact information.
  • Statement that you are the healthcare proxy/Personal Representative and a description of your authority.
  • Specific records and date ranges requested and preferred format/delivery method.
  • Signed attestation and attached Healthcare Proxy Documentation and ID.

Proxy Access to Patient Portals

Most portals support official proxy or delegate accounts so the proxy can view results, messages, and visit summaries using their own login. This is safer than sharing the patient’s password and creates an auditable trail consistent with Proxy Access Policies.

To enable portal access, submit the provider’s proxy enrollment form with your Healthcare Proxy Documentation. Organizations may offer different levels (for example, read-only vs. full messaging), age-based settings for adolescents, and automatic expiration when capacity returns or when access is revoked under Access Revocation Procedures. Two-factor authentication and identity proofing are common safeguards.

Remember that a portal is not always the complete designated record set. If you need full records, request them from medical records even if portal access is active.

State-Specific Regulations

Terms and requirements vary by state. Your document might be called a “health care proxy,” “medical power of attorney,” or “health care agent,” and witnessing/notary rules differ. Some states recognize out-of-state forms; others have stricter execution or activation standards.

States also set special confidentiality rules for sensitive information such as behavioral health, substance use treatment, HIV/STI results, genetic tests, and reproductive care. Those rules can limit a proxy’s access or require additional authorization language beyond HIPAA. Fees and response deadlines may also be more protective than federal baselines.

If no proxy is named, state “surrogate” statutes determine who may act (for example, spouse, adult child, parent, sibling). Court-appointed guardians have powers defined by court order and may need to present those orders for Medical Records Disclosure.

Conclusion

A healthcare proxy recognized as a Personal Representative generally has the same HIPAA right of access as the patient, with important limits for safety, psychotherapy notes, and specially protected categories. The most efficient path is to provide clear Healthcare Proxy Documentation, specify the records and format, use official proxy workflows (including portals), and follow Access Revocation Procedures when circumstances change.

FAQs

What rights does a healthcare proxy have under HIPAA?

When recognized as the patient’s Personal Representative, a healthcare proxy typically has the same right to access, inspect, and obtain copies of the patient’s PHI in the designated record set, subject to HIPAA’s defined exceptions, stricter state laws, and Patient Privacy Protections.

How can a healthcare proxy request access to medical records?

Submit a written request to the provider’s medical records or privacy office, attach Healthcare Proxy Documentation and a photo ID, specify the records and dates you need, and state your preferred form and format. A HIPAA Authorization Form is generally not required for a Personal Representative but may be used to document details.

Are there exceptions where access can be denied to a healthcare proxy?

Yes. Common denials involve psychotherapy notes, information compiled for legal proceedings, safety risks, situations involving abuse or neglect where treating the proxy as a Personal Representative could endanger the patient, and records protected by stricter federal or state laws that require special consent or a court order.

Can a healthcare proxy access patient portal information?

Often, yes—through official proxy or delegate accounts established under the provider’s Proxy Access Policies. The proxy submits the required form and Healthcare Proxy Documentation to receive their own login. Portal content may not include all records, so formal requests may still be necessary for the complete designated record set.
