Can You Access a Family Member’s Medical Records Under HIPAA?

Kevin Henry

HIPAA

May 16, 2026


Designation as Personal Representative

Under the HIPAA Privacy Rule, a Personal Representative is the person legally authorized under state law to make health care decisions for another individual. When you are a Personal Representative, you stand in the patient’s shoes and generally have the same right to access their protected health information (PHI) as they do.

Who typically qualifies

  • A court‑appointed guardian or conservator for an adult patient.
  • A parent or legal guardian of a minor (subject to state law exceptions where minors control certain records).
  • An agent named in a Durable Power of Attorney for Health Care (or similar health care proxy) when the document is in effect.
  • After death, the executor or administrator of the estate, or another person authorized by state law to act for the decedent.

Important limitations

  • A general financial Durable Power of Attorney may not grant access to medical records unless it expressly covers health care decisions.
  • Providers may decline to treat someone as a Personal Representative if they reasonably believe doing so could endanger the patient (for example, in suspected abuse or neglect situations).
  • For minors, state laws often give adolescents control over sensitive services (such as certain reproductive, mental health, or substance use care), limiting parental access.

To exercise Personal Representative rights, you must present proof of identity and authority—such as the signed health care power of attorney, guardianship papers, or letters testamentary.

Obtaining Patient Authorization

If you are not a Personal Representative, the most direct path to records is a written Patient Authorization. This HIPAA-compliant authorization allows a provider or health plan to disclose specified information to you.

What a valid authorization includes

  • Whose records are requested and who may disclose and receive them.
  • What will be shared (for example, “complete chart from January 1, 2024 to present” or “billing records only”).
  • The purpose of the disclosure and an expiration date or event.
  • The patient’s signature and date, plus required statements about the right to revoke and potential re-disclosure.

Practical steps

  • Ask the provider for its HIPAA Authorization form, or the patient can send a signed written request directing the provider to send records to you.
  • Ensure the scope is clear and time‑limited to avoid delays.
  • Remember the patient can revoke the authorization in writing, which stops future disclosures.

Authorization grants access only to the information specified. If you need ongoing access, consider updating the authorization or, when appropriate, establishing Personal Representative status.

Sharing Information in Care or Payment

HIPAA allows providers to share limited information with family or friends involved in a patient’s care or payment for care—even without a formal authorization—when the patient agrees, does not object, or when the provider reasonably infers the patient’s approval.

What can be shared

  • Care coordination details relevant to your involvement, such as discharge instructions, medication lists, or appointment times.
  • Payment information, like confirming a bill amount or insurance status, when you help pay for the patient’s care.

This is not full chart access. Providers should disclose only what is reasonably necessary for your involvement (“minimum necessary” standard) and may limit or refuse requests that go beyond those bounds.

Examples

  • A nurse discusses home wound care instructions with the spouse who will perform the care.
  • A clinic confirms outstanding balances to a family member who pays the bills.
  • A pharmacist shares dosing guidance with the caregiver who picks up the prescription.

Handling Incapacity or Emergency Situations

When a patient is incapacitated or facing an emergency, HIPAA permits providers to exercise professional judgment and share Emergency Medical Information with family or others involved in the patient’s care, if doing so is in the patient’s best interests.

What changes during incapacity

  • If a Durable Power of Attorney for Health Care becomes active, the named agent is the Personal Representative and may access needed records.
  • Without a Personal Representative, providers may still share information directly relevant to your current involvement in care or payment while the patient cannot agree or object.
  • To prevent or lessen a serious and imminent threat, providers may disclose necessary information to persons able to reduce the threat.

These allowances facilitate urgent decisions; they do not automatically grant you open‑ended access to the complete medical record.

Access After Patient Death

Deceased Patient Records remain protected under HIPAA for 50 years following the date of death. During that period, access to the full record generally belongs to the decedent’s Personal Representative (for example, the executor or court‑appointed administrator).

What family can receive

  • The Personal Representative may request the designated record set, subject to limited exceptions (such as psychotherapy notes).
  • Family members and others involved in the decedent’s care or payment may receive information relevant to their involvement, unless the decedent previously objected.

Proving authority

  • Provide a death certificate and documents showing authority, such as letters testamentary or small‑estate affidavits recognized by state law.
  • If no executor exists, state succession laws may allow the next of kin to act; ask the provider what documentation they require.

Healthcare Provider Disclosure Guidelines

Covered entities must balance patient privacy with appropriate access. The HIPAA Privacy Rule offers clear guardrails for disclosures to family members.

Verification and scope

  • Verify identity and authority before releasing PHI (photo ID, proof of guardianship, health care proxy, or executor status).
  • Apply the “minimum necessary” standard for most disclosures to family or friends involved in care or payment; it does not apply when disclosing to the patient or their Personal Representative.
  • Use professional judgment when the patient is present and can agree or object; document the patient’s preference.

Right of access and timing

  • When the requester is the patient or a valid Personal Representative, provide access to the designated record set, typically within 30 calendar days; a single 30‑day extension is allowed with written notice.
  • Reasonable, cost‑based fees may apply for copies; emergency access should not be delayed for fee collection.

Special categories and denials

  • Psychotherapy notes and information compiled for litigation are excluded from the standard right of access and often require separate authorization.
  • Substance use disorder records may be subject to additional federal protections; disclose only as permitted by applicable law.
  • For minors, follow state‑specific rules that can limit parental access for certain services.

Conclusion

In short, you generally need either status as a Personal Representative or a written Patient Authorization for full record access. Without either, HIPAA permits only limited disclosures tied to your involvement in care or payment, or when emergencies require sharing critical information. After death, the Personal Representative of the estate controls access to Deceased Patient Records for 50 years.

FAQs

When can a family member access medical records without authorization?

Without a written Patient Authorization, you can access records if you are the patient’s Personal Representative under state law. Otherwise, providers may share only limited information relevant to your involvement in care or payment, or necessary Emergency Medical Information during incapacity or urgent situations. Those allowances do not grant full chart access.

What qualifies as a personal representative under HIPAA?

A Personal Representative is someone authorized by state law to make health care decisions for the patient—commonly a court‑appointed guardian, a parent or legal guardian of a minor (subject to exceptions), an agent under a Durable Power of Attorney for Health Care when effective, or the executor/administrator for a deceased patient.

How do healthcare providers verify family member access requests?

Providers verify identity (for example, photo ID) and authority (such as guardianship orders, a health care power of attorney, or letters testamentary). If you are not a Personal Representative, they typically require a signed HIPAA‑compliant Patient Authorization or a written, signed directive from the patient specifying what to release and to whom.

Can medical records be shared during patient emergencies?

Yes. When a patient is incapacitated or in an emergency, HIPAA allows disclosures to family or others involved in care if, in professional judgment, sharing is in the patient’s best interests. Disclosures should be limited to what is necessary for the situation and do not automatically grant ongoing access to the entire record.

Are deceased patients’ records accessible to family members?

Full access generally belongs to the decedent’s Personal Representative (for example, the executor or court‑appointed administrator) for 50 years after death. Family or friends involved in care or payment may receive information relevant to their involvement unless the decedent previously objected, but they do not automatically receive full record access.
