HIPAA and Caregiving: Getting Legal Access to Your Parent's Medical Records

Published May 6, 2026 · 5 min read

You're sitting in the doctor's office with your 78-year-old mother. She just had a series of tests. You ask the nurse for the results and get a polite but firm: "I'm sorry, we can't share that with you. HIPAA." Your mother is right there. She wants you to know. But nobody filled out the right form, so the system treats you like a stranger.

HIPAA gets blamed for a lot of things it doesn't actually do. But it does create real barriers for adult children trying to help with their parent's medical care — and most families don't know how to get past them until they're already stuck.

What HIPAA Actually Says (Short Version)

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of a patient's health information. Healthcare providers, insurers, and their business associates can't share a patient's medical information without the patient's authorization — with some exceptions.

The key thing to understand: HIPAA doesn't prevent your parent from sharing their own information with you. It prevents the healthcare provider from sharing it without permission. The fix is straightforward — your parent gives permission. The problem is that "giving permission" requires specific paperwork, and most families don't know what paperwork to ask for.

HIPAA also has a "personal representative" rule. If you hold healthcare power of attorney for your parent, you're treated as a personal representative under HIPAA and have the same rights to access medical information as the patient themselves. But you have to prove it — which means having the POA document and presenting it to each provider.

The Forms You Need (and Where to Get Them)

There are two primary ways to get legal access to your parent's medical records:

1. HIPAA Authorization Form Our guide on power of attorney covers this in detail.

This is the most common route. Your parent signs a HIPAA authorization form that specifically names you as someone who can receive their health information. Most healthcare providers have their own version of this form. You can also use a general HIPAA authorization, but providers sometimes insist on their own.

The form needs to include:

• Your parent's name and identifying information
• Your name — the person authorized to receive the information
• What information is covered (you can make it broad: "all medical records and health information")
• The purpose (you can use "caregiving" or "personal")
• An expiration date or statement that it doesn't expire until revoked
• Your parent's signature and the date

Important: you need to file this form with every single provider. Your parent's primary care doctor, every specialist, the hospital, the pharmacy, the lab. HIPAA authorization isn't centralized. Each covered entity needs its own copy. This is tedious but necessary.

2. Healthcare Power of Attorney

If your parent has given you healthcare POA, you already have access rights. Under 45 CFR 164.502(g), a personal representative has the same rights as the patient to access and authorize disclosure of health information. Bring the POA document to each provider and ask them to put it on file. Some providers will want to make a copy. Let them. Our guide on documenting everything as a caregiver covers this in detail.

If your parent has diminished capacity and hasn't signed either form, you may need to go through the courts for a guardianship or conservatorship to gain access. That's the hard path — and exactly why getting these forms signed while your parent is still competent matters so much.

What Providers Get Wrong About HIPAA

Here's the frustrating part: many healthcare workers misunderstand HIPAA and apply it more restrictively than the law requires. This is so common that the U.S. Department of Health and Human Services (HHS) has published specific guidance addressing it.

Things that HIPAA actually allows, even without a signed form:

• If your parent is present and doesn't object, the provider can share information with you. Under 45 CFR 164.510(b), a provider can disclose information to a family member if the patient is present, has the opportunity to object, and doesn't. Your parent nodding and saying "It's okay to tell them" is sufficient.
• If your parent is incapacitated, the provider can use professional judgment. HIPAA permits disclosure to family members or close friends when the provider believes it's in the patient's best interest and the patient can't be asked. This isn't a loophole — it's written into the regulation.
• Providers can share information related to a person's involvement in care. If you're actively involved in your parent's treatment — picking up medications, driving them to appointments, managing their home care — providers can share relevant information with you.

If a provider is refusing to share information despite proper authorization, ask to speak with the facility's HIPAA privacy officer. Every covered entity is required to have one. They can review the situation and clarify the rules for their staff.

Setting Up Access Before You Need It

If your parent is still well enough to sign forms, do this now:

1. Get a healthcare power of attorney in place. This gives you the broadest access rights and covers you if your parent later becomes incapacitated.
2. Sign a HIPAA authorization form at every provider your parent sees. Ask the office if they have their own form or if they'll accept a general one.
3. Ask about patient portal access. Many health systems now let patients designate a caregiver on their patient portal (MyChart, etc.). This gives you real-time access to lab results, visit notes, medication lists, and appointment schedules. It's not a legal document, but it's incredibly practical.
4. Keep copies of everything. The HIPAA authorization, the POA, your parent's insurance cards, their medication list. Store digital copies where you can access them quickly — you'll need them at the worst possible time.

HIPAA was written to protect patients, not to keep their families in the dark. But the gap between what the law allows and what providers actually do is real — and it falls on families to close it. A few forms, signed on a regular Tuesday afternoon, can save you weeks of frustration and dozens of phone calls when the stakes are highest. For a side-by-side look at tools that help families coordinate, check our caregiving app comparison guide.