$0 Building a Care Team: Coordinating Doctors, Aides and Family — Quick-Start Checklist

HIPAA Authorization Form for Family Members: What You Need to Access a Parent's Medical Records

HIPAA Authorization Form for Family Members: What You Need to Access a Parent's Medical Records

You drove your mother to her oncology appointment. You sat in the waiting room for two hours. When you asked the nurse for her test results afterward, they told you they couldn't share that information. HIPAA — the Health Insurance Portability and Accountability Act — protects patient privacy. But it also has clear mechanisms for family members who are involved in a parent's care to access their health information. You just need to know which forms to file.

Three Ways to Get Authorized Access

1. Verbal or Written Patient Consent

If your parent has mental capacity and wants you involved in their care, the simplest path is a signed HIPAA release form. Most healthcare systems provide their own version — ask the medical records department at each clinic, hospital, and pharmacy your parent uses.

The form must be signed, dated, and specify what information can be shared and with whom. Each provider keeps its own copy on file, so you'll need to submit separate forms to each clinic and pharmacy in your parent's network.

If your parent is present during a medical appointment and verbally agrees — or simply doesn't object — providers can share information with you under the HIPAA Privacy Rule. But verbal consent doesn't cover phone calls, portal access, or records requests made when the patient isn't present.

2. HIPAA Personal Representative Status

Under 45 CFR § 164.502(g), a person authorized under state law to make healthcare decisions on behalf of an adult is treated as the patient's "personal representative." This gives you the same access rights as the patient: you can review all medical and mental health records, request amendments, authorize disclosures, and communicate directly with providers.

Personal representative status is established through:

  • A valid, active Healthcare Power of Attorney (HCPOA)
  • A court-appointed guardianship or conservatorship
  • State laws that automatically designate certain family members as decision-makers when a patient lacks capacity

To activate this status, file a copy of your HCPOA or guardianship order with the medical records department of each provider. They'll note your status in their system and grant access going forward.

3. Patient Portal Proxy Access

Most hospital systems now offer electronic medical record (EMR) portals like MyChart. Rather than sharing your parent's login credentials — which violates the portal's security policies — request formal "Proxy Access" through the healthcare system.

The process typically involves:

  1. Your parent (or their personal representative) submitting a proxy access request form
  2. The system linking your parent's medical portal to your personal account
  3. You receiving a separate login that shows your parent's records alongside your own

Proxy access lets you view lab results, medication lists, upcoming appointments, and provider messages in real time — critical for family caregivers who coordinate care from a distance.

What HIPAA Does and Doesn't Block

HIPAA is frequently misunderstood. It doesn't prohibit all sharing of medical information with family members. Providers can share information with family or friends involved in a patient's care when:

  • The patient is present and agrees (or doesn't object)
  • The patient is incapacitated and the provider determines sharing is in the patient's best interest
  • The family member is a legally authorized personal representative

What HIPAA does block is unauthorized disclosure — sharing records with people who have no legal standing or patient consent, or sharing more information than necessary for the situation.

Outside the US

HIPAA is a US law. Other countries have different frameworks:

Canada — Provincial privacy laws (like Ontario's PHIPA) govern health information. A substitute decision-maker named under a Power of Attorney for Personal Care can access health records. Each province has its own consent and disclosure rules.

UK — The Data Protection Act 2018 and the UK GDPR govern medical records. A person holding a Lasting Power of Attorney for Health and Welfare registered with the Office of the Public Guardian can access health records once the LPA is activated.

Australia — The Privacy Act 1988 and Australian Privacy Principles govern health information. An "authorized representative" can access records, and the My Aged Care system has its own representative registration process.

Free Download

Get the Building a Care Team: Coordinating Doctors, Aides and Family — Quick-Start Checklist

Everything in this article as a printable checklist — plus action plans and reference guides you can start using today.

Keeping Authorization Current

Medical authorization isn't a one-time task. HIPAA releases expire — many forms include a 12-month expiration date. POA documents need to be updated after major life changes. New providers added to the care team need their own copies.

A centralized care binder that tracks which providers have current authorization, when forms expire, and who holds copies of legal documents prevents gaps that block access during emergencies. The Building a Care Team toolkit includes a legal authority tracker and provider contact register designed to keep this information organized and current across every member of the care team.

Get Your Free Building a Care Team: Coordinating Doctors, Aides and Family — Quick-Start Checklist

Download the Building a Care Team: Coordinating Doctors, Aides and Family — Quick-Start Checklist — a printable guide with checklists, scripts, and action plans you can start using today.

Learn More →