Glaucoma Treatment Records: Privacy Rights, Access, and Consent Explained
Patient Access to Medical Records
What you can access
Under the HIPAA Privacy Rule, you have the right to inspect and obtain copies of your Protected Health Information (PHI) kept in a “designated record set.” For glaucoma, this typically includes exam notes, visual field results, OCT and fundus images, intraocular pressure trends, medication lists and prescriptions, operative reports (for procedures such as trabeculectomy, tube shunts, or MIGS), and billing records.
How to request copies
- Submit a written or portal request stating what you want and the preferred format (for example, secure email, portal download, or paper).
- If readily producible, the provider must supply records in your requested form and format; otherwise, they will offer a reasonable alternative.
- You may direct records to a third party by a signed request that clearly identifies the recipient and where to send the information.
Timing, fees, and denials
Providers generally must respond within 30 calendar days and may extend once with written notice and a reason. A reasonable, cost-based fee may apply for labor, supplies, and postage. Access can be denied only in narrow circumstances; if a review is available and you request it, a licensed professional not involved in the original decision must review the denial.
Consent Requirements for Use and Disclosure
When authorization is not required
Covered entities may use or disclose PHI without your Patient Authorization for treatment, payment, and healthcare operations. This allows your glaucoma specialist to share information with other treating providers, bill your health plan, and conduct internal quality activities that support safe care.
When authorization is required
Written Patient Authorization is typically required for uses and disclosures outside routine care—such as most marketing, sale of PHI, and many research activities. Valid authorizations specify what will be used or disclosed, who may receive it, the purpose, an expiration date or event, and how you can revoke it.
Clinical consent vs. privacy authorization
Off-Label Device Consent (for example, consenting to an off-label use of a glaucoma device) is an informed consent for treatment. It is not a HIPAA authorization and does not, by itself, permit broader disclosure of your PHI. Even when you consent to a procedure, the HIPAA Privacy Rule still governs how your information may be used or shared.
Restrictions on Use and Disclosure
Your right to request limits
You may ask a provider or health plan to restrict certain uses or disclosures of your PHI. They are not required to agree, except in a key situation: if you pay a provider in full out-of-pocket and request that the information about that visit not be disclosed to your health plan for payment or healthcare operations, the provider must honor the restriction unless another law requires disclosure.
Confidential communications and minimum necessary
You can request that communications be sent to an alternate address, phone number, or email. Providers must accommodate reasonable requests; health plans must do so if you state that disclosure could endanger you. For many disclosures, entities should limit PHI to the “minimum necessary,” though this limitation does not apply to disclosures for treatment.
Healthcare operations disclosure and other permitted disclosures
Healthcare Operations Disclosure includes activities such as quality assessment, staff training, accreditation, and auditing—handled without your authorization but subject to safeguards. PHI may also be disclosed when required by law or permitted for public health reporting, health oversight, and certain judicial or administrative proceedings. Business associates that assist a practice (for example, a cloud EHR vendor) must protect PHI under written agreements.
Psychotherapy Notes Access
Psychotherapy notes are the personal notes of a mental health professional documenting or analyzing conversations during private counseling sessions and kept separate from the medical record. They are excluded from your right of access and usually require a separate, specific authorization for use or disclosure. This is distinct from mental health information that appears in your general record (such as diagnoses or medication lists), which remains part of your accessible PHI—even if you are being treated primarily for glaucoma.
Right to Amend Medical Records
Requesting a Medical Record Amendment
If information in your glaucoma chart is incomplete or inaccurate, you may submit a written request for a Medical Record Amendment. The provider must act within 60 calendar days (with one permitted 30‑day extension and written notice). Approved amendments are appended to the record and, when appropriate, sent to others who received the incorrect information and may rely on it.
If an amendment is denied
A request can be denied if the provider did not create the information, the data is not part of the designated record set, it is not available for access (for example, psychotherapy notes), or the record is already accurate and complete. If denied, you may submit a statement of disagreement, which the provider must attach or link to future disclosures of the disputed information; the provider may add a rebuttal, which must also accompany the record.
Notice of Privacy Practices
Providers and health plans must give you a Notice of Privacy Practices. Under the Privacy Notice Requirements, the notice explains how your PHI may be used and disclosed, when Patient Authorization is required, your rights (access, amendments, restrictions, confidential communications, and more), and how to file a complaint. The notice must identify a contact person, carry an effective date, and be available at the point of care and, if the entity has a website, posted online. Reviewing your ophthalmology practice’s notice clarifies how it handles Healthcare Operations Disclosure and electronic information exchange.
Revocation of Consent
You may revoke a HIPAA authorization at any time by submitting a written revocation to the provider or health plan identified in the form. Revocation stops future uses and disclosures under that authorization but does not affect actions already taken in reliance on it. Some programs (for example, research or health plan enrollment) may have conditions or legal limits on revocation; these will be stated in the authorization or research consent.
Revoking clinical consent to treat is different and governed by medical and ethical rules rather than HIPAA; withdrawing treatment consent may limit or pause care. Ask how revocation affects your current glaucoma management so you can plan safe follow-up.
Summary
Your glaucoma treatment records are protected PHI. You can access them, request reasonable restrictions and confidential communications, and seek a Medical Record Amendment when needed. Certain uses require Patient Authorization, which you may revoke in writing, while operations and treatment-related sharing follow the HIPAA Privacy Rule with safeguards. Always review the provider’s Notice of Privacy Practices to understand how your information is handled.
FAQs
What rights do patients have to access their glaucoma treatment records?
You have the right to inspect and obtain copies of your glaucoma PHI—including test results, images, medication lists, and operative reports—in the form and format you request if readily producible. Providers must respond within set HIPAA timeframes, may charge only a reasonable, cost-based fee, and can deny access only in limited circumstances that often allow for review.
When is written consent required for disclosing medical records?
Written Patient Authorization is generally required for disclosures that are not for treatment, payment, or healthcare operations—such as most marketing, sale of PHI, and many research activities. A valid authorization identifies what will be disclosed, who will receive it, the purpose, an expiration, and how you can revoke it. Routine care coordination for glaucoma typically does not need your authorization under the HIPAA Privacy Rule.
Can patients revoke their consent to share medical information?
Yes. You may revoke a HIPAA authorization at any time by sending a written revocation to the entity named in your form. Revocation applies prospectively and does not undo disclosures already made in reliance on the authorization. Clinical consents (for example, Off-Label Device Consent for a glaucoma device) are separate from HIPAA and follow different rules; ask your provider how withdrawing such consent would affect your care.