HIPAA authorization — getting legal access to their medical information
Reviewed by a licensed elder law attorney
A HIPAA authorization is the document that gives you legal permission to access your parent's medical information and talk to their doctors about their care. Without it, healthcare providers are prohibited by federal law from sharing anything with you, even if you are the person driving your parent to every appointment and managing their medications at home. Getting this signed early is one of the simplest and most immediately useful pieces of legal planning you can do.
Why Does This Document Exist?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, prevents healthcare providers, hospitals, pharmacies, and insurers from sharing a patient's health information without that patient's specific written permission. The law is important. It stops employers from accessing your medical records, prevents insurers from sharing your health data, and keeps your diagnosis out of the hands of anyone who has no business knowing it.
The problem is that HIPAA does not distinguish between a nosy stranger and your parent's adult child who is managing their care. Without a signed authorization on file, the doctor's office cannot tell you your parent's lab results. The hospital cannot update you on their condition after surgery. The pharmacy cannot discuss their prescriptions with you. According to the U.S. Department of Health and Human Services, HIPAA complaints related to family access to medical information are among the most common the Office for Civil Rights receives.
In practical terms, this means families hit the HIPAA wall at exactly the moment they need information most. Your parent is hospitalized. You need to know their medication list because you are the one who manages it at home. The hospital says they cannot share it without written authorization. Your parent says it is fine to tell you, but the hospital needs that authorization in writing and on file. Getting that paperwork sorted while your parent is acutely ill, scared, and possibly confused is enormously harder than having it done ahead of time.
The situation becomes worse if your parent has lost capacity. They have dementia and cannot sign a new authorization. Their new specialist has no record of you being authorized to receive information. You are in the exam room with a parent who cannot answer questions about their medical history, and the doctor cannot legally share the chart with you. The information you need to advocate for your parent's care is locked behind a privacy rule that was never intended to block family caregivers.
A HIPAA authorization signed while your parent has capacity prevents all of this.
What the Authorization Does
A HIPAA authorization grants specific people the right to receive a patient's protected health information. It authorizes you to access medical records, discuss your parent's condition with their providers, receive lab results, review imaging reports, and obtain medication lists. It does not give you the right to make medical decisions, which requires a healthcare power of attorney, but it gives you the information you need to participate meaningfully in your parent's care.
The authorization can be broad or narrow. A broad authorization permits any healthcare provider to share all health information with you for any purpose. A narrow authorization might limit disclosure to specific providers, specific conditions, or specific purposes. Your parent decides the scope.
The authorization also specifies duration. Many are written to remain in effect as long as your parent is alive and then expire at death. Others expire after a set number of years or after a specific event. For caregiving purposes, an authorization that lasts until revoked is the most practical.
Your parent can name one person or several. They might authorize you but not your sibling, or authorize both of you but not a son-in-law. That is entirely their choice.
The authorization is different from a healthcare power of attorney. The power of attorney gives you authority to make medical decisions. The HIPAA authorization gives you the right to know what is happening. They complement each other. Together, they mean you can both access the information and act on it. Separately, each one leaves a gap.
The authorization is also different from an advance directive. An advance directive tells doctors what your parent wants in specific medical situations. A HIPAA authorization tells doctors who is allowed to know about your parent's medical situation. They serve different functions and both are needed.
Getting It Done
Your parent signs the HIPAA authorization while they have the mental capacity to understand what they are granting. The capacity threshold is low compared to other legal documents. Your parent needs to understand that they are giving you permission to see their medical information and talk to their doctors. If they can understand that, they can sign.
Many healthcare providers have their own HIPAA authorization forms available at the front desk or in admissions. Your parent can complete one during their next appointment. If you want a single authorization that covers multiple providers, an attorney can draft one, or you can use a state-provided form if your state offers one.
The execution requirements are minimal in most states. Your parent signs and dates the form. Some providers require a witness. A few require notarization. Check with the specific provider about what they need.
Here is the practical catch: a signed authorization filed with your parent's primary care doctor does not automatically extend to the hospital, the specialist, or the pharmacy. According to HHS guidance, each covered entity maintains its own records. You will need to deliver copies to every provider your parent sees, or have your parent present the authorization at each appointment.
Keep multiple copies. Some offices keep the original and do not return it. Some make a copy. Either way, you should have your own copies in your records, ready to present whenever a new provider enters the picture.
Using the Authorization
When you call a doctor's office, identify yourself and reference the authorization on file. Something like: "I'm calling about my mother, [name]. I have her HIPAA authorization on file with your office. I'm calling to ask about her recent lab results." Most office staff will know what this means and proceed accordingly.
Keep notes. When you discuss your parent's care with a provider, write down what was said, when, and by whom. If your parent's condition is changing, if there is family disagreement about care, or if you are making decisions on their behalf, those notes become a record that protects everyone.
The authorization gives you the right to access information, but it does not override every privacy protection. If you request records, the provider has up to 30 days to produce them under federal law. The provider can refuse specific requests if they have a valid clinical or legal reason, though outright refusal to share with an authorized individual is a HIPAA violation that can be reported to the Office for Civil Rights.
Your parent can revoke the authorization at any time. If they decide they no longer want you to have access, they sign a revocation and notify their providers. That is their right and it takes effect when the providers receive it.
The Bigger Picture
A HIPAA authorization is one piece of a set of documents that work together. Paired with a healthcare power of attorney, it means you have both the information and the authority to manage your parent's medical care. Paired with a living will, it means you can access the medical information you need to ensure your parent's end-of-life wishes are being followed. Without it, you may have decision-making authority on paper but be unable to get the information you need to make informed decisions.
According to a 2022 AARP survey, fewer than 40 percent of family caregivers had a HIPAA authorization on file for the person they were caring for. The gap between how many families are providing hands-on care and how many have the legal right to access their loved one's medical information is one of the most fixable problems in elder care planning.
Get this done. It takes one appointment. It costs nothing if you use the provider's own form. It eliminates one of the most common and frustrating barriers caregivers face.
Frequently Asked Questions
Does a healthcare power of attorney automatically give me HIPAA access?
In many states, yes, once the healthcare power of attorney is activated. However, not all providers interpret it that way, and some will still require a separate HIPAA authorization on file. Having both documents eliminates ambiguity and ensures access regardless of how a specific provider reads the law.
Can I get a HIPAA authorization without a lawyer?
Yes. Most doctors' offices and hospitals have their own HIPAA release forms. Your parent can sign one at their next appointment. If you want a single comprehensive authorization that covers all providers, an attorney can draft one, but it is not required.
What if my parent has already lost capacity and there is no HIPAA authorization?
If you have a healthcare power of attorney, you can usually present that document to providers and gain access to medical information under the authority it grants. If you have neither a HIPAA authorization nor a power of attorney, your access depends on state law and the provider's policies. Some states allow next-of-kin access in limited circumstances. In other cases, you may need to pursue guardianship.
Does HIPAA apply to all medical providers?
HIPAA applies to covered entities, which includes most healthcare providers, health plans, and healthcare clearinghouses. Some providers, such as those who do not conduct electronic transactions, may not be covered. In practice, virtually every doctor, hospital, pharmacy, and insurance company your parent deals with is subject to HIPAA.
Can my parent authorize access for multiple family members?
Yes. The authorization can name as many people as your parent chooses. They can also grant different levels of access to different people, such as full access for one child and limited access for another.
Does a HIPAA authorization expire when my parent dies?
Typically, yes. HIPAA protections continue for 50 years after death, but the authorization your parent signed usually specifies that it expires at death. After death, the executor of the estate or the personal representative has the right to access medical records under HIPAA's provisions for personal representatives.