HIPAA and Senior Care: Accessing Medical Records for Your Parent
The Problem Families Encounter
Your mother is in the hospital. You call to get an update from her doctor — and you’re told they can’t share information with you. Or you’re trying to understand her care plan at a nursing facility, and staff won’t tell you what’s happening.
This is HIPAA in action. The Health Insurance Portability and Accountability Act of 1996 created federal privacy protections for medical information. Those protections don’t disappear because your parent is elderly or because you’re family.
Understanding how HIPAA works — and how to navigate it — can prevent serious breakdowns in your parent’s care.
What HIPAA Protects
HIPAA’s Privacy Rule protects Protected Health Information (PHI) — any individually identifiable information relating to:
- Past, present, or future physical or mental health conditions
- Healthcare services received
- Payment for healthcare services
PHI held by covered entities — which include hospitals, nursing homes, assisted living facilities, doctors, health insurance companies, and their business associates — cannot be disclosed without authorization.
Can You Access Your Parent’s Records Without Authorization?
If your parent has capacity: No, not without their authorization. An adult with capacity controls their own health information regardless of age.
If your parent lacks capacity: The rules become more nuanced, and HIPAA has built-in exceptions:
- A healthcare proxy/agent named under a healthcare power of attorney has rights equivalent to the patient
- A court-appointed guardian can access records within the scope of their guardianship
- Providers can share information with someone “involved in the individual’s care” when it’s in the patient’s interest and they have no reason to believe the patient would object
That last exception is informal and provider-dependent — don’t rely on it when you need reliable access.
The Right Tool: HIPAA Authorization Form
The simplest, most reliable solution: have your parent sign a HIPAA authorization form while they still have capacity.
A valid HIPAA authorization must include:
- A description of the information to be used or disclosed
- The person(s) or entity authorized to receive it
- The purpose of the disclosure
- An expiration date or event
- Your parent’s signature and date
Important: Each covered entity (each hospital, each doctor’s office, each facility) has its own HIPAA authorization form. A signed authorization for your parent’s primary care physician doesn’t give you access at the hospital.
Best practice: Have your parent sign HIPAA authorization forms at every provider they regularly see and any facility where they might receive care.
Who Can Access Records: A Decision Tree
Does your parent have legal capacity?
- Yes → They control their records. You need their written authorization.
- No → Continue
Is there a healthcare power of attorney in place?
- Yes → The named healthcare agent has patient-equivalent rights to records relevant to the agent’s decision-making authority
- No → Continue
Is there a court-appointed guardian?
- Yes → Guardian can access records within scope of guardianship
- No → You have informal access only (depends on provider’s judgment)
Is this an emergency?
- Yes → HIPAA allows disclosure of minimum necessary information to prevent serious harm even without authorization
The Healthcare Power of Attorney: Your Access Key
A healthcare power of attorney (healthcare proxy) does double duty:
- Authorizes your parent’s agent to make medical decisions when they cannot
- Gives the agent rights equivalent to the patient for accessing health information relevant to those decisions
Under HIPAA, an agent under a healthcare POA is treated as a “personal representative” — they have the same rights to access PHI as the patient themselves.
This is the most robust tool for ongoing access and should be part of every senior’s estate planning.
Requesting Medical Records: The Process
Even with proper authorization, accessing records requires a formal request.
Step 1: Submit a Written Request
Contact the provider’s medical records department (hospitals have a designated Health Information Management department). Your request should include:
- Patient’s full name and date of birth
- Dates of service
- Specific records requested
- Where to send records (your address, email, or to another provider)
- Your authorization documentation
Step 2: Response Timeline
Under HIPAA, covered entities must respond within 30 days. One 30-day extension is permitted with written notice.
Step 3: Costs
HIPAA permits providers to charge a reasonable cost-based fee for copies. Typical costs:
- Electronic records: often free or $0–25
- Paper copies: $0.25–1.00 per page in most states
- Some states cap per-page fees by law
Step 4: Right to Inspect
Patients (and their personal representatives) have the right to inspect records in person, not just receive copies.
What’s Included in Medical Records
Typically included in a standard request:
- Physician notes and progress notes
- Test results (labs, imaging)
- Discharge summaries
- Medication lists
- Problem list and diagnoses
- Surgical reports
- Consultation notes
May require separate request or specific authorization:
- Mental health records (many states have additional protections)
- HIV/AIDS test results
- Substance use disorder treatment records (protected under 42 CFR Part 2)
- Psychotherapy notes (HIPAA specifically allows withholding these even from patients in some cases)
Special Situations in Senior Care
Nursing Home and Assisted Living Records
Nursing home residents have specific rights under the Nursing Home Reform Act, including:
- Access to their clinical records within 24 hours of request
- The right to purchase copies at no more than the cost to the facility
As an agent under healthcare POA or guardian: You can access these records on your parent’s behalf. Facilities are sometimes reluctant — know your rights and be prepared to cite them.
Memory Care and Dementia
If your parent has been diagnosed with dementia but may still have periods of capacity, work with their physician to document capacity for signing HIPAA authorizations and other documents.
Once capacity is clearly lost, you must rely on:
- An existing healthcare POA (most reliable)
- Court-appointed guardianship (if no POA exists)
- The facility’s “involved in care” informal exception
Telehealth Records
Telehealth records are subject to the same HIPAA rules as in-person care. The platform used must comply with HIPAA.
When a Facility Wrongly Denies Access
If you have proper authorization and a facility refuses to share information:
- Request a written denial — Providers are required under HIPAA to provide a written denial with the reason
- Escalate to the facility’s Privacy Officer — Every covered entity must designate a Privacy Officer
- File a complaint with HHS — The Office for Civil Rights at the U.S. Department of Health and Human Services (HHS) enforces HIPAA. Complaints can be filed online at hhs.gov/hipaa/filing-a-complaint
- Consult an elder law attorney — If a facility is withholding records you have a legal right to access, an attorney can intervene
Document Checklist: HIPAA and Medical Access
- HIPAA Authorization signed at primary care physician
- HIPAA Authorization signed at all specialist providers
- HIPAA Authorization signed at any hospital your parent may use
- HIPAA Authorization signed at pharmacy
- Healthcare Power of Attorney executed and distributed to all providers
- Copy of healthcare POA kept with your parent in hospital/facility
- Know the name of each facility’s medical records / privacy contact
Frequently Asked Questions
Q: Can doctors share my parent’s information with me just because I’m family? Not automatically. HIPAA allows (but does not require) providers to share information with family members involved in the patient’s care — but your parent can restrict this at any time while they have capacity. A signed HIPAA authorization is more reliable.
Q: My parent has dementia. Can I still get a HIPAA authorization? Possibly. Dementia doesn’t automatically eliminate capacity for legal purposes — especially in early stages. A physician can assess and document whether your parent has sufficient understanding to sign an authorization. If they lack capacity, you need a healthcare POA or guardianship.
Q: Does Medicare or Medicaid give me access to my parent’s records? No. Medicare/Medicaid are payers, not providers. HIPAA rules apply to the providers themselves.
Q: Can I get records from multiple years back? Yes. HIPAA doesn’t restrict how far back you can request records. However, some providers may have destroyed older records in accordance with their retention policies (typically 7–10 years for adult patients; check your state’s law).
Q: What if my parent is deceased? HIPAA continues to protect health information for 50 years after death. The executor of the estate generally has access rights, as does anyone named in a pre-death authorization that doesn’t have an expiration date.
Q: Can a nursing facility share information with other family members? With your parent’s authorization or per a healthcare POA, yes. Without authorization, facilities may use discretion to share general status information but cannot share detailed clinical records.
This article is for informational purposes and does not constitute legal advice. HIPAA rules and state medical record laws can be complex. Consult a licensed attorney for guidance specific to your situation.