Who Has Access to My Medical Records Under HIPAA?

TeachPrivacy

Under HIPAA, individuals have broad rights to access their own medical records maintained by healthcare providers and health plans. Here are the key points regarding who has access to medical records under HIPAA:

Individual HIPAA Access Rights

Individuals have the right to access, inspect, and obtain copies of their protected health information (PHI) contained in their medical records and other designated record sets maintained by covered entities. This includes:

  • Medical records
  • Billing records
  • Insurance information
  • Lab results
  • X-rays and medical images
  • Clinical notes (except psychotherapy notes)
  • Any other records used to make decisions about the individual

The right of access applies to both paper and electronic records.

Personal Representatives

In addition to individuals themselves, personal representatives authorized under state law to make healthcare decisions for an individual also have the right to access that person’s medical records under HIPAA. This includes:

  • Parents or guardians of minor children (in most cases)
  • Legal guardians of adults who lack decision-making capacity
  • Executors or administrators of a deceased person’s estate

Healthcare Providers and Staff

Healthcare providers and their staff members who are involved in an individual’s care have access to medical records as needed for payment, treatment, or operations purposes. However, access should be limited to the minimum necessary information required for their specific job functions. All healthcare providers should have HIPAA training.

Health Plans

Health insurance plans have access to claims and medical information needed for payment and healthcare operations purposes. However, they must limit access and use to the minimum necessary.

Business Associates

Business associates of healthcare providers or health plans (e.g. billing companies, EHR vendors) may have access to medical records as needed to perform services on behalf of the covered entity. Their access and use must be governed by a HIPAA-compliant business associate agreement.

Law Enforcement and Legal Requests

In certain circumstances, medical records may be disclosed to law enforcement or in response to court orders, subpoenas, or other legal requests. However, these disclosures are subject to specific HIPAA requirements.

Since its founding by Professor Daniel J. Solove in 2010, TeachPrivacy has provided training for hundreds of organizations, boutique to Fortune 500, both nationwide and globally. A leading international expert in privacy law, Solove is a law professor at George Washington University Law School, has authored more than 10 books and more than 50 articles, and has given lectures around the world. His LinkedIn blog has more than 1 million followers.