Know your rights when it comes to your medical information

There are a lot of myths out there about HIPAA — the Health Insurance Portability and Accountability Act — and patient records. Sometimes, even health care providers don't seem to know the rules.

Recently, I was in a hospital with a client and offered the client's HIPAA release to the nursing staff as I always do, explaining my role as a privately hired RN patient advocate. But the nurses continued to try to prevent my access to her medical records. When I discussed this with a supervisor, she told me that the nurses were protecting “their” patient and would only give information to the family. That sounds noble, but it violates federal law.

If you are acting as a health care advocate for a loved one or friend, or asking someone to advocate for you, it's important to understand what HIPAA is — and isn't.

1. Under HIPAA, you decide who sees your medical information, not the health care provider.

Whenever you go to a new doctor or are in a hospital, you are asked to designate who — if anyone — is authorized to obtain and disclose information and ask questions about your care and condition. If you have said that your spouse can be your representative, a provider has no right to withhold information. You can also deny permission for someone, even a child or spouse, to know your information. If you're unable to communicate, the person who holds your power-of-attorney for health care becomes your designated representative.

2. By signing an authorization form, you are designating someone to act as your representative.

When a patient signs a HIPAA release for me, I become their proxy and have a right to give and receive any information about them to provide more coordinated, less fragmented care. The form gives a provider permission to treat your representative the same as they would treat you in terms of sharing health information. You can revoke this designation at any time.

Under rules from the U.S. Department of Health and Human Services, your representative can only represent you in the matter of your care and treatment.

HIPAA authorization forms are available on the website.

3. You can give HIPAA authorization verbally.

In writing is always better, but if that's impractical (like in an emergency), you can say to a doctor, “This is my neighbor and I want her to remain here. You can discuss my diagnosis and treatment in front of her.”

4. With your permission, a provider can give updates by phone to family members.

Maybe it's because our society has become so litigious around privacy, but I'm finding that more and more health care providers are reluctant to provide information over the phone. Again, if you consent to your information being shared, there's no reason that a family member who lives far away can't get an update from a provider.

5. You have the right to your medical records — but not all of them.

Under HIPAA, health care organizations must provide medical records, doctor's notes, billing information and medical images to patients who request them. Notes about psychotherapy may be withheld if the provider thinks their release could cause harm to the patient.

6. You have the right to make corrections in your medical record.

Miscommunication is the leading cause of medical error, so it's incumbent on us all as patients to review our medical information. If you notice any errors or omissions in your health record, such as missing procedures or incorrect medications, you can correct your file or ask the provider to amend it. A future provider may rely on these notes when formulating treatment, which makes this very important.

7. Health records can be sent by email.

As of April 2021, under the CARES Act, health care providers must give patients access without charge to all the health information in their electronic medical records “without delay.” So if your provider has a secure portal, your information should be immediately available to you.

Doctors and other health care professionals are permitted to send emails to patients, including health records, but they must be encrypted. If encryption is not available, the provider must advise the patient of the risks, and if you consent, the records may be sent.

Keeping medical records private and secure is an important job for health care providers — perhaps that's why they're sometimes slow to comply with HIPAA's disclosure requirements. Don't be shy about exercising your rights.

• Teri Dreher is a board-certified patient advocate. A critical care nurse for 30+ years, she is founder of NShore Patient Advocates. She is offering a free phone consultation to Daily Herald readers; call her at (847) 612-6684.
