HIPAA Protection for Disability Records: What’s Covered and Who Can Access Them


Kevin Henry


January 23, 2026


HIPAA Coverage of Disability Records

Under the HIPAA Privacy Rule, disability records are protected health information (PHI) when they identify you and are created or received by covered entities—health plans, most health care providers, and health care clearinghouses—or their business associates. These records include any details about your physical or mental impairment, diagnoses, treatments, functional limitations, or evaluations related to disability.

Examples of disability records treated as PHI include:

  • Clinical notes, diagnostic reports, imaging, and lab results documenting impairments.
  • Functional capacity evaluations, assistive technology prescriptions, and rehabilitation plans.
  • Provider letters for benefits, disability determinations, or workplace restrictions.
  • Case management, billing, and claims records tied to your disability care.

Not all information is PHI. Exclusions include de-identified data, records not held by covered entities, and employment records kept by an employer in its role as employer. When PHI is used or disclosed, covered entities must follow the “minimum necessary” standard unless an exception applies.

Individuals' Right to Access Health Information

You have the right to access, inspect, and obtain copies of your disability-related PHI kept in a provider’s or health plan’s designated record set. This typically includes medical and billing records, test results, and disability evaluations used to make decisions about you.

How to exercise your access right:

  • Submit a written request and specify the format you prefer (for example, paper, secure email, or portal) if readily producible.
  • Expect a response within 30 days; one 30‑day extension is allowed with written notice explaining the delay.
  • Pay only a reasonable, cost-based fee for copying and mailing; access cannot be denied because of unpaid bills.
  • Direct a copy to a third party of your choice by providing a clear, signed request.

Certain narrow exclusions apply, such as psychotherapy notes and information compiled for litigation. If something is inaccurate or incomplete, you may also request an amendment to your records.

Disclosure of Disability Records

Your disability records may be used or disclosed without your written permission for treatment, payment, and health care operations. For example, a specialist may share relevant data with your primary doctor for care coordination, or a provider may send records to your insurer to obtain payment.

For most other purposes, a valid Individual Authorization is required. An authorization should describe what will be disclosed, to whom, for what purpose, and for how long, and it must be signed and dated. You can revoke an authorization at any time, in writing, for future disclosures.

Sharing with non-health care parties—such as a school, a benefits program, or an employer—typically requires your authorization unless a specific HIPAA or other legal exception applies. Even with permitted uses, covered entities should disclose only the minimum necessary information.

HIPAA permits certain disclosures of disability records without authorization when important public or governmental interests are at stake. Key categories include:

  • Public Health Disclosures: Reporting certain diseases, adverse events, or threats to public safety.
  • Health Oversight Activities: Audits, investigations, licensure, or eligibility reviews for government benefit programs.
  • Judicial and administrative proceedings: Responding to court orders or specific, valid legal requests.
  • Law enforcement purposes and to avert serious threats to health or safety.
  • Workers’ compensation and other disclosures expressly required by law.

When these exceptions apply, the minimum necessary rule still governs most disclosures. State laws can be stricter than HIPAA; mental health or developmental disability confidentiality statutes—often called a Confidentiality Act—may require additional consent or tighter limits. The more protective rule generally controls.

FERPA vs. HIPAA for Disability Records in Educational Settings

In schools that receive U.S. Department of Education funds, most student health and disability records are “education records” under FERPA and are excluded from HIPAA. That means student files maintained by a school nurse, counselor, or disability services office are governed by FERPA’s Educational Records Privacy rules, not HIPAA.

Important distinctions you should know:

  • K–12 and most colleges: Student treatment and disability documentation are FERPA records; parents (for minors) or eligible students control access under FERPA.
  • Campus clinics: Records of non-students (for example, staff or the public) can be PHI under HIPAA, even when student records at the same clinic are FERPA records.
  • Schools not subject to FERPA: If a school does not receive Department of Education funds, HIPAA may apply to its health records when the school is a covered entity.

When disability documentation supports academic adjustments or Reasonable Accommodations under Section 504 or the ADA, schools typically share only what faculty or staff need to know about accommodations—not your underlying diagnosis—consistent with FERPA.

Employer Access to Disability Records

HIPAA generally does not apply to employers in their role as employers; “employment records” kept by HR are not PHI. However, your employer’s group health plan is a covered entity and must keep plan PHI separate from employment files, with strict firewalls limiting employer access.

The ADA requires employers to keep medical information confidential and disclose it only to those with a need to know, such as supervisors managing Reasonable Accommodations, first-aid and safety personnel, or government officials investigating compliance. When an employer seeks details from your providers, they typically need your written authorization, and you can limit the scope to what is necessary.

Practical tips: Share only what supports the accommodation or leave request, keep copies of any releases you sign, and ask HR to store medical documents in a confidential file separate from your personnel records.

Social Security Administration Access to Disability Records

For disability claims, the Social Security Administration (SSA) and state Disability Determination Services usually obtain records using your signed SSA‑827, a HIPAA‑compliant authorization. With a valid authorization, providers may disclose the requested records to SSA/DDS to evaluate your eligibility and the severity of your impairments.

Disclosures for certain program integrity efforts may also fall under Health Oversight Activities. The minimum necessary rule does not apply to disclosures made pursuant to your authorization, but you can revoke an authorization in writing to stop future releases. You may also request your own records directly and submit them with your claim to ensure completeness.

Conclusion

HIPAA protects disability records held by covered entities, gives you a strong right of access, and limits disclosures to defined purposes or those you authorize. In schools, FERPA—not HIPAA—usually governs student disability files. Employers must keep accommodation-related information confidential under the ADA, and SSA typically relies on your signed authorization to collect evidence for disability determinations. Knowing these boundaries helps you share only what’s necessary while safeguarding your privacy.

FAQs

What types of disability records are protected under HIPAA?

Any identifiable health information about your physical or mental impairments—such as diagnostic reports, therapy notes, functional evaluations, prescriptions for assistive devices, and related billing or claims data—held by covered entities or their business associates is protected as PHI.

Who has the right to access disability records under HIPAA?

You (or your personal representative) have the right to access, inspect, and obtain copies of your PHI in a designated record set. Providers and health plans must respond within 30 days, may charge only reasonable, cost-based fees, and must send records in the format you request if readily producible.

Disclosures without authorization are allowed for treatment, payment, and health care operations; certain public health and health oversight activities; valid court orders or legal processes; specified law enforcement needs; to avert serious threats; and as required by workers’ compensation or other laws—subject to the minimum necessary standard where applicable.

How do FERPA and HIPAA differ in protecting disability records in schools?

At schools subject to FERPA, student disability and health records are education or treatment records under FERPA, not HIPAA. FERPA sets the access and disclosure rules for those records, while HIPAA may still apply to clinic records for non-students or to schools not covered by FERPA.
