Does a Healthcare Power of Attorney Give Access to Medical Records Under HIPAA?
Healthcare Power of Attorney Overview
A healthcare power of attorney (HPOA) lets you appoint a trusted person—often called your healthcare agent—to make medical decisions if you cannot. The document can be broad or narrow, and it can take effect immediately or only upon your incapacity, depending on how you draft it and what your state healthcare laws require.
Because medical decision-making and information go hand-in-hand, most well-drafted HPOAs include language authorizing Medical Record Disclosure to the agent. That language aligns the agent’s role with the HIPAA Privacy Rule so your providers can speak with the agent and share needed records when the HPOA is in effect.
Your HPOA does not erase your rights. When you have capacity, you remain in control and can limit or revoke your agent’s access. This article offers general information, not legal advice; always check State Healthcare Laws and consult counsel for document drafting.
Role of Personal Representative under HIPAA
Under the HIPAA Privacy Rule, a “personal representative” is treated as the individual for privacy purposes. When your healthcare agent’s authority is active under state law, that agent is typically your personal representative for HIPAA, a designation that grants the same rights you would have to access and control your protected health information (PHI).
Covered entities must verify identity and authority before treating someone as a personal representative. Practically, that means your agent should present a valid photo ID and the HPOA; if the HPOA “springs” into effect upon incapacity, providers may also request proof that the triggering condition has occurred.
Important boundary: HIPAA allows providers to decline to treat a person as a personal representative when Abuse and Neglect Exceptions apply—for example, if the provider reasonably believes the individual has been or may be subjected to abuse, neglect, or domestic violence by the proposed representative, or that treating the person as a representative could endanger the individual.
- Adults: An HPOA agent with current decision-making authority is the HIPAA personal representative.
- Minors: Parents/guardians are typically personal representatives, subject to specific exceptions under state law.
- After death: The decedent’s executor or administrator—not the former HPOA agent—usually becomes the personal representative.
Granting Access to Medical Records
Once recognized as your personal representative, the agent may exercise your HIPAA right of access. That includes the right to inspect or obtain copies of PHI in the “designated record set” (medical and billing records and other records used to make decisions about you), and to direct a Medical Record Disclosure to a third party or system you specify.
Providers must respond to access requests within a reasonable time—generally within 30 days—with one permitted 30‑day extension and a written explanation. They may charge only a reasonable, cost‑based fee for copying and postage. The HIPAA “minimum necessary” rule does not limit disclosures made to you or your personal representative exercising the right of access.
How your agent can request records
- Submit a written request stating what records are sought, preferred format (electronic or paper), and delivery method.
- Provide the HPOA and government‑issued ID; if the HPOA is springing, include proof of incapacity if required.
- Ask for records from the designated record set (e.g., clinical notes, test results, medication lists, billing records).
- If timing or fees are unclear, request the provider’s HIPAA access policy and an itemized, cost‑based fee estimate.
Conditions and Limitations for Access
HIPAA guarantees access to PHI in the designated record set. Not every document a provider holds is part of that set. For example, data used solely for business planning or quality assurance—when not used to make decisions about you—may fall outside the access right.
Your agent’s access can also be limited by the HPOA’s text. If your document narrows Healthcare Agent Authority (for example, allowing discussion with clinicians but not access to full records), providers must honor that limit under the HIPAA Privacy Rule and State Healthcare Laws.
Common items outside the designated record set
- Provider peer review, quality improvement, or risk management files not used to make decisions about you.
- Business planning or compliance reports unrelated to individual patient care decisions.
- Psychotherapy notes kept separately by a mental health professional (addressed below).
Exceptions to Access Rights
HIPAA recognizes narrow categories where access may be denied outright (unreviewable) and categories where a licensed professional may deny access, subject to review (reviewable). Providers must issue a written denial that cites the basis and explains any review rights.
Unreviewable denials
- Psychotherapy Notes Restrictions: Separate psychotherapy notes maintained by a mental health professional.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Reviewable denials (subject to second‑level review)
- If access is reasonably likely to endanger the life or physical safety of the individual or another person.
- If access is reasonably likely to cause substantial harm to a person referenced in the PHI.
- If the request is by a personal representative and access is reasonably likely to cause substantial harm to the individual or another person.
Separately, the Abuse and Neglect Exceptions allow providers to decline to treat someone as a personal representative when disclosure could enable abuse or endanger the individual. In those cases, providers may still disclose to protective services or as otherwise permitted by law.
Scope of Authority in POA Documents
Your HPOA controls when and how your agent can act. If it is immediate, the agent may access information now (subject to your consent and any stated limits). If it is springing, the agent’s authority—and HIPAA personal representative status—begins only after the specified trigger, such as a physician’s certification of incapacity.
Spell out Healthcare Agent Authority clearly. Many HPOAs include a HIPAA authorization that permits Medical Record Disclosure to the agent and allows the agent to obtain, use, and share PHI as needed to make decisions. You can limit this authority to certain providers, dates, or types of records.
Authority ends when you revoke the HPOA or when a termination condition occurs. Upon death, the HPOA typically ceases, and the estate’s personal representative assumes HIPAA rights. State Healthcare Laws may impose witnessing, notarization, or content requirements—build those into your document.
Tips for drafting the HPOA
- State when the document becomes effective and how incapacity is determined.
- Include explicit HIPAA Privacy Rule language authorizing access to the designated record set.
- Define any exclusions (for example, psychotherapy notes or specific sensitive categories).
- Authorize electronic exchange and patient portal access if desired.
- Name alternates and explain how disputes among agents are resolved.
Access to Mental Health Records
HIPAA draws a sharp line between general mental health records and psychotherapy notes. Diagnoses, medications, treatment plans, and progress notes kept with the medical record are usually accessible to the individual or personal representative. By contrast, psychotherapy notes—a clinician’s separate, private notes analyzing counseling conversations—are subject to the psychotherapy notes restrictions and are generally excluded from access.
Additional regimes may apply. Substance use disorder treatment records from certain programs are protected by federal law and often require specific consent. Many State Healthcare Laws impose heightened confidentiality for mental health, HIV, genetic, or reproductive health information, sometimes limiting what a healthcare agent may obtain without the patient’s express authorization.
Key takeaways
- An active HPOA usually makes the agent your HIPAA personal representative with the same right of access you have.
- Access covers the designated record set, not everything a provider maintains.
- Psychotherapy notes and litigation‑prepared materials are excluded; safety‑related denials are reviewable.
- Your document’s wording—and state law—ultimately set the outer limits of Healthcare Agent Authority.
FAQs
What rights does a healthcare power of attorney grant under HIPAA?
When the HPOA is in effect and the agent qualifies as your HIPAA personal representative, the agent can exercise your right to access, obtain copies of, and direct Medical Record Disclosure of your protected health information in the designated record set. The agent may also communicate with providers and use information to make treatment decisions consistent with the HIPAA Privacy Rule and the HPOA’s terms.
Can a healthcare agent access all types of medical records?
No. The right of access does not include psychotherapy notes kept separately or information prepared for legal proceedings. Records outside the designated record set (such as certain quality or business files) are also excluded. Other laws—like federal substance use disorder privacy rules and State Healthcare Laws—can add limits, reflecting Psychotherapy Notes Restrictions and other heightened protections.
Are there situations where access to records can be denied?
Yes. A provider may issue an unreviewable denial for psychotherapy notes or litigation‑prepared material. A licensed professional may also deny access, subject to review, if disclosure is reasonably likely to endanger life or physical safety, cause substantial harm to someone referenced in the record, or cause substantial harm when the request comes from a personal representative. Additionally, Abuse and Neglect Exceptions allow providers to withhold recognition of a representative when disclosure could facilitate harm.
How does state law affect access to medical records under a POA?
State Healthcare Laws determine when an HPOA becomes effective, what formalities make it valid, and any special confidentiality rules for categories like mental health, HIV, genetic, or reproductive health information. Those laws can expand or narrow Healthcare Agent Authority and may require specific language or consents before a provider releases certain records under HIPAA.