Reconstructive Surgery Records Privacy: Your Rights and Who Can Access Them

Kevin Henry

HIPAA

May 08, 2026

HIPAA Privacy Rule Overview

The HIPAA Privacy Rule sets national standards for how your reconstructive surgery records—pre‑op photos, surgical plans, implant details, anesthesia notes, and follow‑up care—are used and disclosed. These records are protected health information (PHI) maintained in a designated record set by your surgeon, hospital, or health plan.

Under the HIPAA Privacy Rule, you have core rights: medical record access; the ability to request confidential communications and restrictions; an accounting of certain disclosures; and correction of medical records through a formal amendment process. HIPAA also requires the “minimum necessary” standard for most non‑treatment uses, meaning only the needed details should be shared.

Some content has special rules. Disclosure of psychotherapy notes generally requires a specific, separate patient authorization, and the notes are excluded from the right of access. While these notes rarely appear in surgical files, they may be referenced in broader care documentation.

HIPAA protects PHI for 50 years after a person’s death. Record retention laws, however, are set primarily by states or other regulations, not by HIPAA itself.

Accessing Your Reconstructive Surgery Records

You can request copies of your reconstructive surgery records directly from your provider’s medical records department, patient portal, or health information management office. A simple written request usually suffices; you do not need a patient authorization to obtain your own records.

How to request

  • Identify the scope: operative report, pre‑ and post‑op photos, imaging, anesthesia and nursing notes, pathology, implant labels, and rehabilitation plans.
  • Choose the format: electronic PDF, portal download, CD/USB imaging, or paper. Providers must produce records in your requested form and format if readily producible.
  • Verify identity: expect photo ID checks or portal authentication.

Fees and timelines

Providers may charge a reasonable, cost‑based fee covering labor for copying, supplies, and postage. Retrieval fees are not permitted under HIPAA. For electronic copies, per‑page fees are generally not appropriate. Providers must respond within 30 calendar days; one 30‑day extension is allowed with written notice explaining the delay.

Directing records to third parties

You may ask your provider to send PHI to a third party (for example, another surgeon or a personal app). This typically uses your right of access or a patient authorization, depending on the recipient and format requested.

Role of Personal Representatives

A personal representative is someone legally authorized under state law to act on your behalf—such as an agent under a health care power of attorney or a court‑appointed guardian. Under HIPAA, personal representatives generally have the same medical record access rights you do.

For minors, a parent or legal guardian is usually the personal representative, but there are exceptions (for example, when the minor can consent to certain care under state law, or when a provider reasonably believes involving the parent could endanger the minor). If you are incapacitated, providers may use professional judgment to share limited information with someone involved in your care.

State-Specific Privacy Laws

HIPAA sets a national floor. When state privacy rules are more protective, they control. Many states impose stricter consent requirements for sensitive information (such as HIV status, genetic data, substance use treatment, or mental health details) and set clearer limits on patient authorization reuse and expiration.

States also dictate record retention laws—for example, how long surgeons and hospitals must keep adult and pediatric records. Some states require additional consent for clinical photography, which commonly appears in reconstructive surgery records.

Requesting and Amending Medical Records

If something in your reconstructive surgery record is inaccurate or incomplete—wrong laterality, missing implant identifiers, or incorrect allergy status—you can request a correction of medical records through HIPAA’s amendment right.

Amendment steps

  • Submit a written request identifying the specific entry, the correction you seek, and supporting documentation (e.g., device card, imaging report).
  • Your provider must act within 60 days; one 30‑day extension is permitted with written notice.
  • If accepted, the provider appends the amendment and makes reasonable efforts to share it with others who received the incorrect information.
  • If denied (for example, because the record is accurate as documented), you may submit a statement of disagreement. The provider may respond with a rebuttal, and both become part of the record set that accompanies future disclosures.

Access denials and reviews

Certain access denials are permitted (for example, when a licensed professional determines a risk of substantial harm). Some denials are reviewable by another clinician not involved in the initial decision. You are entitled to a written denial explaining your review and complaint options.

Disclosure Exceptions and Authorizations

Without your patient authorization, providers may use and disclose PHI for treatment, payment, and health care operations; to you; and for specific public interest purposes required or permitted by law (such as public health reporting, health oversight, law enforcement with proper process, judicial proceedings, workers’ compensation, organ donation, research with appropriate approvals, and to avert a serious threat).

Disclosures should meet the minimum necessary standard, except for treatment. Uses and disclosures not otherwise allowed require your written patient authorization that clearly describes the information, purpose, recipients, expiration, and your right to revoke. Psychotherapy notes disclosure is subject to heightened protections and typically requires a separate, specific authorization.

You can also request an accounting of certain non‑routine disclosures (those not for treatment, payment, or health care operations) over a defined period.

Record Retention and Handling After Death

Record retention laws vary by state and setting. Many providers keep adult records for 7–10 years and pediatric records longer (often until a set age plus additional years), but you should check your state’s record retention laws and your provider’s policy. HIPAA does not set retention durations.

After death, HIPAA protections apply to PHI for 50 years. A decedent’s personal representative—such as the executor or administrator of the estate—generally has medical record access rights. Providers may also disclose limited information to coroners, medical examiners, or funeral directors as permitted by law.

If a practice closes or transfers ownership, records are typically transferred to a custodian or successor. You should receive instructions on how to obtain copies to maintain continuity of care.

FAQs

Who is allowed to access reconstructive surgery records?

You, your treating providers and their staff for treatment, payment, and health care operations, business associates working on behalf of the provider, and your personal representative may access records. Others—such as employers, insurers not involved in your care, attorneys, or family members—need your patient authorization unless a specific law permits or requires disclosure.

What rights does a patient have under HIPAA for surgical records?

You have medical record access, the right to receive copies in the requested form and format if readily producible, receipt within 30 days (with a single 30‑day extension if needed), reasonable cost‑based fees, the ability to request restrictions and confidential communications, an accounting of certain disclosures, and correction of medical records through the amendment process. Psychotherapy notes are excluded from access and require special authorization for disclosure.

How can corrections be made to medical records?

Send a written amendment request identifying the exact entries to change, what the corrected information should be, and any supporting documentation. The provider must act within 60 days (with one possible 30‑day extension), either appending your amendment or issuing a written denial. If denied, you may submit a statement of disagreement that stays with your record.

What are the timelines for providers to respond to record requests?

Under HIPAA, providers must respond within 30 calendar days of receiving your request. If they cannot meet that deadline, they may take one additional 30‑day extension, but they must notify you in writing, explain the reason, and provide a new date. Some states impose shorter timelines, and providers must comply with the shorter, more protective deadline.
