HIPAA Personal Representative Explained: Who Qualifies, What They Can Access, and How to Appoint One

Definition of Personal Representative

A HIPAA personal representative is a person authorized under applicable law to act on your behalf for health care decisions. Covered Entities—health care providers, health plans, and health care clearinghouses—must treat a personal representative as you for purposes of accessing and controlling Protected Health Information (PHI), subject to specific exceptions.

PHI includes medical, billing, and administrative records that can identify you and relate to your care. A personal representative’s authority tracks the Legal Authorization that gives them power, so their access is only as broad as the role they hold.

Qualifications for Personal Representatives

Common ways someone qualifies

• Health Care Power of Attorney: An agent you name in a health care proxy or medical power of attorney to make treatment decisions when you cannot.
• Court-Appointed Legal Guardian: A guardian or conservator designated by a court to make health care decisions for an adult who lacks capacity.
• Parental or Guardian Status for Minors: A parent or legal guardian, unless an exception applies under state or federal law.
• Estate Executors: The executor or administrator of a deceased individual’s estate, acting within estate-related duties.
• Other State-Law Surrogates: A spouse, adult child, or next of kin recognized by state surrogate consent statutes when no agent or guardian exists.

Verification and scope

Covered Entities must verify both identity and authority. The representative should present documentation—such as a power of attorney, guardianship papers, court order, or letters of appointment. Access is limited to the scope of the Legal Authorization (for example, a document that covers only a specific procedure or time period).

Access Rights of Personal Representatives

What a representative can do

• Inspect, obtain, and receive copies of the designated record set, including medical and billing records, care plans, lab results, and discharge summaries.
• Authorize or revoke disclosures of PHI through a HIPAA authorization when authorization is required.
• Request amendments to records, ask for restrictions on certain disclosures, and request confidential communications.
• Exercise rights related to electronic PHI, such as obtaining records in a readily producible electronic format and using patient portals where permitted.

Minimum necessary and timing

The HIPAA “minimum necessary” standard does not apply to disclosures to the individual or their personal representative. Covered Entities may apply standard timelines and reasonable fees for copies, and they may require written requests consistent with their Notice of Privacy Practices.

Limitations on Access

Domestic Violence Exception and safety concerns

Providers may decline to treat someone as a personal representative if they reasonably believe the individual has been subjected to domestic violence, abuse, or neglect by that person, or if treating the person as a representative could endanger the individual. This is often referred to as the Domestic Violence Exception.

Specially protected information

• Psychotherapy notes: Maintained separately by a mental health professional and subject to heightened protection; routine access is not required without specific authorization.
• Substance use disorder records: Certain records are protected by federal law (42 CFR Part 2) and may require specific consent beyond HIPAA.
• State-law protections: Some states add extra safeguards for services such as reproductive health, HIV/STI treatment, or mental health care.

Minor-specific limits

When a minor can legally consent to their own care, or when a parent agrees to a confidential provider–minor relationship, a parent may not be treated as the minor’s personal representative for that episode of care. Providers also may restrict access if disclosure would put the minor at risk.

Appointment of Personal Representatives

Using a Health Care Power of Attorney

• Choose your agent and alternates, define decision-making scope, and detail end-of-life preferences if desired.
• Sign the Health Care Power of Attorney (or health care proxy) with required witnesses or a notary as state law requires.
• Give copies to your physicians, hospital, and health plan; carry a wallet card; and store originals where they are easy to find.
• Review after major life events and update or revoke as needed.

Court appointments and other authorizations

If ongoing decision-making authority is needed and the person lacks capacity, a Court-Appointed Legal Guardian may be required. For narrower, one-time disclosures of PHI, a HIPAA authorization can permit release to a named person, but an authorization alone does not make that person a personal representative or confer decision-making power.

What to provide to providers

Expect to present government ID plus Legal Authorization documents (power of attorney, guardianship order, or similar). Ask how the provider documents representative status in the record to ensure consistent access across visits.

Parental Rights for Minor Children

Default rule and common exceptions

Parents or legal guardians usually act as a child’s personal representative and can access PHI. Exceptions arise when the minor can consent to care under state law, when the parent agrees to a confidential provider–minor relationship, or when treating the parent as representative could endanger the minor (abuse, neglect, or similar risks).

Custody and documentation

When parents are separated or divorced, custody orders and parenting plans may limit or share access. Providers may request copies of orders to verify decision-making authority and any restrictions.

Personal Representatives for Deceased Individuals

Who qualifies after death

The personal representative for a decedent is typically the Estate Executor or court-appointed administrator. This person may access PHI as needed to settle the estate, pursue benefits, or handle claims, consistent with their Legal Authorization.

Duration and scope

HIPAA protects a decedent’s PHI for 50 years after death. If no executor exists, state law determines who may act. Friends or family involved in care may receive limited information at a provider’s discretion, but they are not the personal representative unless recognized under applicable law.

Conclusion

A HIPAA personal representative stands in your shoes for PHI and health care decisions, but only within the bounds of their Legal Authorization and subject to safety and privacy limits. Clear documents, proper verification, and awareness of exceptions help you, your representative, and Covered Entities handle information lawfully and efficiently.

FAQs

Who qualifies as a HIPAA personal representative?

Someone authorized under law to make health care decisions for you—most often an agent named in a Health Care Power of Attorney, a Court-Appointed Legal Guardian, a parent or legal guardian for a minor, or an Estate Executor for a deceased person. State surrogate consent laws may also recognize spouses or next of kin when no formal documents exist.

What information can a personal representative access under HIPAA?

They can access the same Protected Health Information (PHI) you can, including medical and billing records, and may request copies, amendments, and restrictions. Their access is limited to the scope of their Legal Authorization, and certain records such as psychotherapy notes or specially protected substance use disorder records may require extra consent.

How is a HIPAA personal representative appointed?

You typically appoint an agent through a Health Care Power of Attorney that meets state formalities, or a court may appoint a guardian. After death, an Estate Executor or administrator serves. For one-time disclosures, a HIPAA authorization can allow release of PHI but does not create personal representative status.

Are there restrictions on a personal representative’s access to health information?

Yes. Providers may refuse to treat someone as a representative if doing so could endanger the individual or in cases of abuse, neglect, or domestic violence. Additional limits apply to psychotherapy notes, certain substance use disorder records, and minor-consented services protected by state law.