Under HIPAA, when can a family member of an individual access the individual’s PHI from a health care provider or health plan?

This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.

The HIPAA Privacy Rule provides individuals with the right to access their medical and other health records from their health care providers and health plans, upon request. The Privacy Rule generally also gives the right to access the individual’s health records to a personal representative of the individual. Under the Rule, an individual’s personal representative is someone authorized under State or other applicable law to act on behalf of the individual in making health care related decisions. With respect to deceased individuals, the individual’s personal representative is an executor, administrator, or other person who has authority under State or other law to act on behalf of the deceased individual or the individual’s estate. Thus, whether a family member or other person is a personal representative of the individual, and therefore has a right to access the individual’s PHI under the Privacy Rule, generally depends on whether that person has authority under State law to act on behalf of the individual. See 45 CFR 164.502(g) and 45 CFR 164.524.

In cases where a family member may not have the requisite authority to be a personal representative, an individual still has the ability, under the HIPAA right of access, to direct a covered entity to transmit a copy of the individual’s PHI to the family member, and the covered entity must comply with the request, except in limited circumstances. The individual’s request must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI. See 45 CFR 164.524(c)(3)(ii).

Outside of the HIPAA right of access, other provisions in the Privacy Rule address disclosures to family members. Specifically, a covered entity is permitted to share information with a family member or other person involved in an individual’s care or payment for care as long as the individual does not object. In cases where the individual is incapacitated, a covered entity may share the individual’s information with the family member or other person if the covered entity determines, based on professional judgment, that the disclosure is in the best interest of the individual. If the individual is deceased, a covered entity may make the disclosure unless doing so is inconsistent with any prior expressed preference of the individual. These disclosures are generally limited to the health information that is relevant to the person’s involvement in the individual’s care or payment for care. See 45 CFR 164.510(b).

Finally, a covered entity also is permitted to disclose the health information about an individual to any person, including a family member, if the individual provides a prior written authorization for the disclosure. See 45 CFR 164.508.