Skip to main content

HIPAA: What Are a Caregiver’s Rights?

When your loved one is experiencing a mental health crisis, it can be hard to know what to do. You are concerned about their well-being, want to know what is going on and may want to communicate with their health care providers. Sometimes it can feel like HIPAA and privacy rules are keeping your loved one from effective treatment rather than helping them receive it. However, HIPAA’s rules and requirements are often misunderstood, and it is important for caregivers to be informed of the rights they do have.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets federal standards for privacy of protected health information and medical records. HIPAA protects individuals against the release of their medical records and other identifiable health information and balances it with a provider’s ability to act when information is needed for treatment and other appropriate purposes. HIPAA also deals with things like insurance companies and hospitals.

When it comes to the privacy provisions, HIPAA does things like prevents people from “outing” someone for their mental health condition or seeing a therapist to the public, or from providers snooping in medical records. As a caregiver, you may find it frustrating if you’re trying to find a loved one or share information. But you and others who care about your loved one may have more rights than you realize under HIPAA.

A central part of HIPAA is that personal health information and medical records are only allowed to be released through written authorization which is consent from an individual that allows a provider to use or disclose their personal health information.

What information is protected?

Protected health information (PHI) is any medical record that ties back to your identity. It includes your personal past, present, and future health care that is created, stored, or passed on by a health care provider. This includes information on specific illnesses, what treatment you received, your goals and your outcomes. Other information is included in your medical record such as demographic information. Demographic information includes your name, address, social security number, and even family history and current support systems. In mental health, PHI can include information that you gave a provider to help provide better care. This type of information includes information like trauma history or other medical conditions.

Certain types of information receive special treatment and are not included in general HIPAA authorizations.

Psychotherapy notes are notes taken by a clinician documenting or analyzing a conversation during a private therapy session. HIPAA requires a separate authorization to discuss these details, although information for billing and appointments are governed by general HIPAA and your therapist can pass on information about conversations to your insurance provider to make sure you get covered for care by insurance.

Substance use records are also treated differently than medical records under 42 CFR Part 2, a privacy law that protects a person’s substance use disorder information and require an additional authorization on top of the HIPAA authorization. Another regulation, the Family Educational Rights and Privacy Act (FERPA), provides additional protections for students.

Who gets access to what information?

Under HIPAA, personal health information and medical records are only allowed to be released through written authorization.  Only the individual has full access to review and make decisions on what to do with your information. If you are helping someone with their care, the time to make sure you receive authorization is done best at intake. During intake, work with your family member to include you as an individual that can receive their PHI, talk to their provider, and help them navigate their health care decisions.  Without authorization a doctor is not allowed to speak to a family member and will not even tell you if they are treating your loved one at that facility.

Authorizations required under HIPAA

Adults with a mental health condition or substance use disorder condition (18+)

Individuals have full access to their medical records and personal health information. They may ask to see or get a copy of their information, change any wrong information, decide where to send copies, and sign authorization forms for release. 

Minors with a mental health condition or substance use disorder

Minors under the age of majority, which is 18 in most states, cannot legally exercise their HIPAA privacy rights. The general rule is that parents or guardians should be treated as a personal representative and thus have access to medical records and personal health information. State laws and circumstances vary. 

Personal Representative

Adults can name a personal representative of their choosing, which would make that person their health care power of attorney and their personal representative.

Personal representatives can access all their loved one's health information (except psychotherapy notes), decide where to send copies of their information, and have the same rights to privacy as their loved one concerning their health information. A personal representative is someone who has access because they are considered a health care power of attorney or executors of estates. 

Legal Guardian of a Minor

In most states, minors under HIPAA refer to a person under the age of 18 in most states and who are not emancipated either through marriage or court order. State law may affect this process so check with your state to verify. Generally, parents or whomever has the legal authority to make health care decisions for a minor is their personal representative, although special circumstances apply. HIPAA does leave rules in place for parents who are not the legal guardians of their children, and you may be allowed access to information depending on your state's laws. Contact your local MHA affiliate for more information. 

Legal guardians serve as personal representatives for minors and have the same right to access medical records and personal health information. They may ask to see or get a copy of their child's information, change any wrong information, decide where to send copies, and sign authorization forms for release.

Family Member or Friend

Family and friends may receive information if their loved one agrees to release information and signs an authorization. This process is best completed during intake. If you are involved in their health care and help your loved one with making appointments, housing, companionship, transportation, supervision, or other tasks, a provider can share information related to your involvement in your loved one's care if they agree or do not object.

Frequently Asked Questions

What if I think my loved one is incapable of making health decisions?

Sometimes when a loved one is experiencing a mental health crisis, they may become very sick and lack the capacity to make informed decisions. HIPAA allows mental health clinicians to use their professional judgment to determine what is in the best interest of an individual and decide whether and to whom they release information to.

When can information be denied?

If at any point a provider has concerns about the well-being of an individual or is worried that the person requesting information may not be acting in your loved one’s best interest, they can decide to recognize or not recognize them as the person’s personal representative and deny access to all health information. The same goes for minors; if a provider has concerns about parental abuse, neglect or endangerment, it is up to the provider to make the decision.

What if I am not involved in care but am still concerned about a loved one?

If you are not involved with the health care or payment for care of your loved one, a provider can share information with you if they need help contacting family, friends or caregivers and you can provide general directory information if your loved one does not object. 

Regardless of who you are, a provider can share information with you if needed to prevent harm or lessen a threat to your loved one or others, using their discretion.

How do I talk to my loved one about getting access to their information?

Let your loved one know the reasons why you would like to see their information. Explain how it can help both of you. Let them know that you respect their privacy but just want to be as supportive as possible. Talk to them about creating a crisis plan and learn more about Psychiatric Advanced Directives below.

Why doesn’t my loved one want to give me access to their information?

There are many reasons your loved one may not want their information shared. Perhaps your loved one may have shared details about family or be dealing with very private subjects like abuse. Or they are worried the information will be used against them and deal with a lot of shame or sometimes strained relationships may get in the way. There may not be any one answer or an answer at all – some people just prefer to be private. If your loved one does not give you access to their information, it is their choice and you should try and respect that - but remember, it doesn’t make you any less valuable as a caregiver.

Things to remember

HIPAA doesn’t prevent a provider from listening to what caregivers have to say. If the provider or facility is saying that they can’t “speak” with the caregiver due to their rules, or if permission from the patient is denied, providers may still listen to information provided by caregivers. HIPAA does not in any way prevent a provider from receiving information from a caregiver regarding the person’s history, previous treatment, or recent symptoms. This means that if you are concerned about your loved one and have information that may be helpful for their care team to know, the provider can still listen to that information and you can help make sure the doctor has the full picture.

A valuable tool. An underutilized and lesser-known action that is available are psychiatric advanced directives. This is a lifesaving tool that can help assure better outcomes. Similar to a medical advance directive or a health care power of attorney, a psychiatric advance directive is a legal document completed in a time of wellness by an individual that provides instructions regarding treatment or services one wishes to have - or not have - during a mental health crisis. Should your loved one experiencing mental health crisis become too sick to make decisions, their psychiatric advanced directive takes effect and ensures their desires may be communicated clearly to their care team. Use this crisis planning worksheet to help you create a psychiatric advanced directive.

Caring for yourself is an important part of being a caregiver

Being a caregiver can be hard,  so it’s important to check in on your own mental health from time to time. Visit to take a free, anonymous, and confidential screen.