Javascript is not enabled.

Javascript must be enabled to use this site. Please enable Javascript in your browser and try again.

Skip to content
Content starts here
CLOSE ×
Search
CLOSE ×
Search
Leaving AARP.org Website

You are now leaving AARP.org and going to a website that is not operated by AARP. A different privacy policy and terms of service will apply.

11 Things to Know About Health Information Privacy

Find out more about rights surrounding medical records belonging to your loved one and to you


spinner image hands flip through folders of medical records
Photo Collage: AARP;(Source: Getty Images(2))

Everyone values medical privacy. But relatively few people have a good understanding of how privacy laws work.

Even doctors and hospital staff sometimes misunderstand what they’re allowed to share, which can lead to patients and caregivers being denied access to important information. Here are answers to 11 questions about privacy laws concerning accessing medical information for your loved one and for yourself.

1. What is HIPAA, and how does it protect health information?

In 1996, Congress passed the Health Insurance Portability and Accountability Act, known as HIPAA, to create national standards to protect sensitive patient health information. The federal law, whose privacy rules took effect in 2002, prohibits your health information from being shared without your consent or knowledge.

The law makes it illegal for certain individuals or organizations to share your health information without your written consent. Those “covered entities” include health care providers, health plans and health care clearinghouses. The law also covers business associates or contractors who provide services, such as data analysis, to health care organizations.

2. How can caregivers access a loved one’s health information?

Caregivers don’t necessarily have an automatic right to a loved one’s health information, even if the patient has diminished mental capacity, such as dementia, says Emily Largent, a bioethicist at the University of Pennsylvania. 

Caregivers should ask their loved one to sign a waiver allowing health care providers to share medical records. 

If you accompany your loved one to a clinic, ask the provider to note in the medical record that you are the person’s caregiver, Largent says.

3. Can family members see private medical records?

Not without consent, even if that person is the caregiver, Largent says. 

Anyone 18 and older must sign a waiver to allow family members to access records. Patients can share as much or as little information as they like. 

Though a HIPAA waiver allows your loved one to access your health data, it doesn’t give them the authority to make decisions about care. If the patient wants to give a particular loved one power to make decisions, they will need to sign an advanced directive naming them power of attorney for health care, Largent says.

HIPAA does allow friends and family to accompany a patient to medical visits and hear information as long as the patient agrees, she says. And doctors sometimes can share some information when the patient isn’t present, such as giving a family updates during surgery.

4. Can family members access medical information if a patient is not mentally competent?

Not necessarily. If adults don’t provide written consent to share their information, parents or other family members can be cut out of a loved one’s health care even if the patient is living with them. 

Family members frantically calling emergency rooms in search of a missing loved one may get no help from hospital staff, says President Chris McDade of Medicare Markets at AmeriHealth Caritas, a national managed care organization. “Most providers will take the better-safe-than-sorry approach,” he says. “The patient could potentially sue the provider” for breaching privacy.

5. What about my own health information?

You have the right to view your medical information and to amend any information that is not correct or complete, McDade says. Your health care provider cannot deny your request for a copy of your medical records. 

“It is on them to provide that to you,” he says. “It’s your data.”

HIPAA does allow health providers to charge you for providing your records, which can include copying costs, McDade says.

6. What if someone refuses to provide my medical information?

If you are denied the ability to see your records, it could be because of a provider’s misunderstanding of the law.

“HIPAA sometimes is just something that people toss out there as a justification for not providing information,” says lawyer Eric Carlson, director of long-term services and support advocacy at Justice in Aging, a nonprofit legal advocacy organization. 

If a clerk refuses to provide your information, ask to speak to your health care provider or the practice manager, says Shirley B. Whitenack, a lawyer and former president of the National Academy of Elder Law Attorneys. 

Or ask if a social worker or patient advocate is on staff, she says. If all else fails, seek a lawyer’s help. 

Nursing home residents and their caregivers have special protections. If your loved one or you live in one of these facilities, you can ask your state ombudsman for help getting medical records, Carlson says.

7. Who has access to private medical records?

Covered entities may disclose your loved one’s or your information to another health provider within a hospital or health system to provide care, McDade says.

But health care providers are obligated to limit information they share to the essentials, McDade says. An example: Your loved one or you may need to provide written permission if you want your family doctor to share medical history with a specialist. 

8. Can people outside the health system access private information?

Yes, in limited circumstances.

Medical providers and others covered by HIPAA are allowed to share private health information in certain cases, such as when law enforcement requires it, to process a claim for worker’s compensation or to prevent a serious threat to public health or safety. Researchers are sometimes allowed to view private health information if all data that might personally identify you is removed.

9. Do employers have access to private medical records?

In general, no. Neither supervisors nor the chief executives can view their employee’s health data. They can’t use your loved one’s or your health information to make decisions about who gets hired, fired, promoted or reassigned.

But if your loved one or you have health insurance through your employer, they may access aggregated data, such as the total amount of money their insurer spent to cover employees, McDade says. 

“Employers cannot see your individual health care records,” he says. “It’s between you and your insurance company, and employers are kept out of that.”

Even if your employer administers a health insurance plan itself, rather than using a contractor, it “needs to implement HIPAA protocols and appoint employees who may view the data under minimum-use standards,” McDade says.

10. Can a new insurer contact a previous insurance company to get access to medical records? 

No, insurance companies cannot access your loved one’s or your private medical information to determine coverage eligibility or cost, McDade says. That’s been true since the Affordable Care Act went into effect, covering preexisting conditions.

11. Does HIPAA require health and fitness apps to protect health data?

No, although developers of smart watches and period trackers can amass enormous amounts of data about health, they are not considered health care providers and have no legal obligation to abide by HIPAA, Largent says.

In fact, these companies can make money by selling your data. Consumers should read their privacy statements carefully before signing them, she says.

Editor’s note: This story, originally published in 2012, has been completely rewritten with up-to-date information along with advice from experts.

Unlock Access to AARP Members Edition

Join AARP to Continue

Already a Member?