Know your rights regarding your health information

There are many myths about HIPAA – the Health Insurance Portability and Accountability Act – and patient records. Sometimes even health care providers don’t seem to know the rules.

Recently, I was in a hospital with a client and offered the client’s HIPAA release to the nursing staff as I always do, explaining my role as a privately hired RN patient advocate. But the nurses kept trying to block me from accessing her medical records. When I discussed this with a supervisor, she told me that the nurses were protecting “their” patient and would only give information to the family. It sounds noble, but it violates federal law.

If you are acting as a healthcare advocate for a loved one or friend, or asking someone to advocate for you, it is important to understand what HIPAA is and is not.

1. Under HIPAA, you decide who sees your medical information, not the healthcare provider.

Whenever you see a new doctor or are in the hospital, you are asked to designate who, if anyone, is authorized to obtain and disclose information and to ask questions about your care and condition. If you have said that your spouse can be your representative, a provider does not have the right to withhold information. You can also deny permission to anyone, even a child or spouse, to see your information. If you are unable to communicate, the person who holds your power of attorney for health care becomes your designated representative.

2. By signing an authorization form, you designate someone to act as your representative.

When a patient signs a HIPAA authorization for me, I become their agent and have the right to give and receive any information about them in order to provide more coordinated and less fragmented care. The form authorizes a provider to treat your representative the same way they would treat you in terms of sharing health information. You can revoke this designation at any time.

Under US Department of Health and Human Services rules, your representative can only represent you with respect to your care and treatment.


HIPAA authorization forms are available on the website.

3. You can give HIPAA permission verbally.

Writing is always best, but if it’s not practical (like in an emergency), you can tell a doctor, “She’s my neighbor and I want her to stay here. You can discuss my diagnosis and treatment in front of her.”

4. With your permission, a provider may give updates over the phone to family members.

It may be because our society has become so contentious when it comes to privacy, but I find that more and more health care providers are reluctant to provide information over the phone. Again, if you consent to your information being shared, there’s no reason a family member who lives far away can’t get an update from a provider.

5. You are entitled to your medical records, but not all of them.

Under HIPAA, healthcare organizations must provide medical records, doctor’s notes, billing information, and medical images to patients who request them. Psychotherapy notes may be withheld if the provider believes that releasing them could harm the patient.

6. You have the right to make corrections to your medical record.

Miscommunication is the number one cause of medical error, so it is incumbent on all of us as patients to review our medical information. If you notice errors or omissions in your health record, such as missing procedures or incorrect medications, you can correct your record or ask the provider to change it. A future provider can rely on these notes when formulating the treatment, which makes this very important.

7. Medical records can be sent by e-mail.

Since April 2021, under the CARES Act, healthcare providers must give patients free access to all health information in their electronic medical records “without delay”. So if your provider has a secure portal, your information should be immediately available to you.

Doctors and other healthcare professionals are allowed to send emails to patients, including medical records, but they must be encrypted. If encryption is not available, the provider must inform the patient of the risks and, if you consent, records may be sent.

Keeping medical records private and secure is an important job for healthcare providers — perhaps that’s why they’re sometimes slow to comply with HIPAA disclosure requirements. Do not hesitate to exercise your rights.

• Teri Dreher is a Board Certified Patient Advocate. A critical care nurse for over 30 years, she is the founder of NShore Patient Advocates. She offers a free telephone consultation to readers of the Daily Herald; call her at (847) 612-6684.