HIPAA and Your Elderly Parent: What Family Caregivers Need to Know
When a parent is hospitalized or managing a serious illness, family members often discover an unexpected barrier: the healthcare system’s privacy rules. A nurse won’t confirm a diagnosis over the phone. A doctor refuses to discuss your parent’s condition because you’re not on a form. A hospital social worker can’t share the discharge plan with your siblings. In each case, the response is the same: HIPAA.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal law that governs how healthcare providers, insurers, and related organizations handle patients’ protected health information (PHI). Understanding what HIPAA actually requires — and where its limits are — is essential for families navigating an elderly parent’s care.
What HIPAA Actually Protects
HIPAA’s Privacy Rule restricts how “covered entities” — hospitals, physicians, clinics, pharmacies, insurance companies, and their business associates — may use and disclose a patient’s protected health information. PHI includes any information that could identify a patient and relates to their health condition, treatment, or payment for care.
The core principle: providers may not disclose PHI without the patient’s authorization, except in specific permitted circumstances.
What HIPAA does not do is equally important. It does not:
- Prohibit providers from speaking with family members if the patient has given permission
- Create a blanket ban on sharing information with anyone involved in a patient’s care
- Apply to information you already know or that doesn’t come from a covered entity
- Prevent family members from sharing information among themselves
Many families encounter HIPAA compliance applied far more restrictively than the law requires. Providers are sometimes overly cautious — either from misunderstanding or risk aversion — and cite HIPAA to decline conversations they could legally have.
When Providers Can Share Information Without a Signed Authorization
The HIPAA Privacy Rule contains important exceptions that allow providers to share information with family members and caregivers even without a formal signed authorization, in the following situations:
The Patient Is Present and Agrees
If your parent is present and has decision-making capacity, they can verbally authorize a provider to discuss their care with you. The provider may also share information if your parent does not object after being given the opportunity. This is the simplest pathway and applies in most outpatient situations.
The Patient Lacks Capacity
When a patient cannot make healthcare decisions due to incapacitation, providers may share information with family members or others involved in the patient’s care “as necessary to identify, locate, and notify the individual’s family members, personal representatives, or other persons responsible for the individual’s care.” This permits sharing what is directly relevant to providing care or making decisions.
The provider uses professional judgment about what to share and with whom. If you are clearly involved in coordinating your parent’s care — accompanying them to appointments, speaking with facility staff, managing medications — providers generally have latitude to share relevant information.
In an Emergency
HIPAA allows providers to share information necessary to provide treatment in an emergency, including with family members who need to be involved in care decisions. If your parent arrives at the ER unconscious, the hospital can speak with you about their condition and treatment.
Personal Representatives
Under HIPAA, a “personal representative” has the same rights as the patient to access health information. For elderly parents, relevant personal representatives include:
- Holders of a healthcare power of attorney — once the POA is activated per its terms
- Legal guardians — upon court appointment
- Healthcare proxies — designated in advance directives
Providers must treat these individuals as they would the patient for purposes of accessing and sharing PHI.
The HIPAA Authorization Form
For families who want formal, documented authority to access medical information, the HIPAA Authorization form is the standard tool. When a parent signs a HIPAA authorization, they explicitly permit a named provider to share specified information with a named person.
Key Elements of a Valid HIPAA Authorization
Per 45 CFR § 164.508, a valid authorization must include:
- A description of the PHI to be disclosed (can be broad: “all medical records”)
- The name of the person(s) authorized to receive the information
- The purpose of the disclosure
- An expiration date or event
- The patient’s signature and date
- A statement of the patient’s right to revoke and how to do so
Most hospitals and physician offices have their own authorization forms. You can also use a general HIPAA release form — many state bar associations and elder law attorneys provide templates.
Timing Matters
Like a power of attorney, a HIPAA authorization must be signed when the patient has legal capacity. If your parent develops dementia or suffers a stroke that impairs their decision-making, they may no longer be able to sign a valid authorization. Establish this documentation before a crisis.
Accessing Medical Records Directly
Separate from HIPAA authorization for providers to talk with family members, patients also have a right to access their own medical records. When your parent is able, they can request copies of all records, test results, imaging, and notes from any covered provider.
Making a Records Request
The process is straightforward:
- Submit a written request to the provider’s medical records department (most now accept electronic requests)
- Specify the records needed (date ranges, types)
- Provide photo ID
- Pay any applicable fees (providers may charge reasonable copying costs; many states cap these fees)
Timelines
Under HIPAA, covered providers must respond to records requests within 30 days, with one possible 30-day extension if they provide written notice of the delay.
Electronic Records
If a provider maintains records electronically, patients have the right to receive them in electronic format — a right reinforced by the 21st Century Cures Act (2016) and subsequent interoperability rules. Patients can request that records be sent directly to a third party, including a family member or another provider.
Designating an Authorized Representative for Medical Access
The most robust way to ensure family members can access a parent’s medical information is through proper legal and administrative designation before cognitive or health decline.
HIPAA Authorization on File with Providers
Have your parent sign a HIPAA release naming you (and any other involved family members) at each of their primary providers — their physician, cardiologist, neurologist, pharmacy, hospital, and insurance company. Keep copies. Providers should note this authorization in the patient’s file.
Healthcare Power of Attorney
A healthcare POA (also called a healthcare proxy or medical power of attorney) names a healthcare agent who, once the POA is activated, has legal authority to make medical decisions on the patient’s behalf. Under HIPAA, the healthcare agent is treated as a personal representative with full access to medical records.
Combined Documents
Many families execute both a healthcare POA and a HIPAA authorization. The POA governs decision-making authority; the HIPAA authorization provides the specific release required for providers to communicate. Together, they comprehensively cover what family caregivers need.
Medicare and Insurance: Separate Access Rules
Healthcare coverage information has its own rules:
Medicare
Your parent can authorize Medicare to share their information by naming you as an authorized representative or completing Medicare’s Authorization to Disclose Personal Health Information (CMS-10106 form). This allows you to:
- Call 1-800-MEDICARE and speak with representatives
- Access Medicare.gov account information
- Review claims and appeal decisions
Supplemental Insurance
Private insurance companies have their own authorization processes. Your parent will need to contact each insurer directly to add you as an authorized caller or designee. Some insurers allow this by phone with the patient present; others require a written form.
Emergency Exceptions: When HIPAA Steps Aside
In genuine emergencies, HIPAA’s protections are calibrated to allow the sharing of information necessary to protect health and safety.
Imminent Danger
If there is a serious and imminent threat to the health or safety of the patient or another person, providers may disclose PHI to persons who can reasonably prevent or lessen the threat — including family members.
Contacting Next of Kin
Even without explicit authorization, providers may notify next of kin of a patient’s location and general condition (e.g., “your mother is stable and being evaluated”). They may share more information when the family member is actively involved in the patient’s care.
State Law Interactions
Some states have additional laws that provide broader access rights for family members in specific situations. An elder law attorney in your parent’s state can clarify the local legal landscape.
Practical Action Steps for Families
Before any health crisis:
- Have the conversation early. Discuss with your parent who they want involved in their medical care and who they want to be able to access their records.
- Execute a healthcare power of attorney. This is the foundational document. Have it drafted by an elder law attorney and provide copies to all relevant providers.
- Complete HIPAA authorization forms at every provider. Your parent’s primary care physician, specialists, hospital, pharmacy, and insurance companies should all have a signed release on file naming the relevant family members.
- Set up Medicare and insurance account access. Complete the necessary forms to allow family members to call and inquire on your parent’s behalf.
- Keep copies of all documents. Store originals securely and provide copies to the named agents and key healthcare providers.
When access is denied:
- Ask for the specific provision being cited. A provider saying “HIPAA” is not always correct. Ask them to identify the specific reason your request falls outside permitted disclosures.
- Speak with the patient advocate or privacy officer. Every major healthcare facility has one. They can clarify the facility’s policies and often resolve access disputes.
- Present your legal documentation. If you hold a healthcare POA or have a signed HIPAA authorization, provide it in writing.
- Escalate if necessary. HIPAA complaints can be filed with the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) at hhs.gov/ocr.
Frequently Asked Questions
Can a hospital refuse to tell me if my parent was admitted? Providers may disclose that a patient is receiving care and share directory information (location within the facility, general condition) unless the patient has requested otherwise. If your parent is incapacitated, providers have latitude to share information with involved family members.
My parent has dementia. Can I still get their medical records? If you hold a valid healthcare power of attorney that has been activated, you are a personal representative under HIPAA with the same access rights as the patient. If no POA is in place, you may need to pursue guardianship to obtain legal authority.
Can siblings who are not designated still receive information? Not without patient authorization. If your parent has named you as healthcare POA or listed you on a HIPAA authorization, you have access rights. Siblings who are not named do not — though you can share information with them, as HIPAA does not restrict what you do with information you’ve lawfully received.
Do I need a lawyer to complete HIPAA authorization forms? No. Most providers have standard forms. However, for the healthcare power of attorney — which provides the broadest and most reliable access — working with an elder law attorney ensures the document is valid and comprehensive.
Can a provider share my parent’s mental health records? Mental health records often receive heightened protection under state law, beyond HIPAA’s requirements. Access rules vary significantly by state. An elder law or mental health law attorney can clarify what applies in your situation.
What if my parent doesn’t want me to have access to their medical information? HIPAA protects patient autonomy. If your parent has capacity and does not want family members to access their medical information, their choice must be respected. Providers are not permitted to disclose PHI against the patient’s explicit wishes.
The Bottom Line
HIPAA is not a barrier — it’s a framework. Understanding what it permits, and putting the right documents in place before your parent’s health declines, ensures that family members who need to be involved in care can be. The combination of a healthcare power of attorney and signed HIPAA authorizations at each provider covers most situations families face.
The time to act is now, while your parent can participate in these decisions and sign the necessary documents. Every day without these protections in place is a day when a hospitalization or sudden decline could leave your family without legal authority to help.