In most situations, the patient is the person who ultimately decides whether a medical record can be released. Federal law, specifically the HIPAA Privacy Rule, gives every individual a legal, enforceable right to access and control the disclosure of their own protected health information. No hospital, clinic, or insurance company can override that right except in a handful of narrowly defined circumstances where a court, a public health mandate, or a clinical safety concern takes precedence.
That said, the answer gets more layered when you factor in minors, deceased patients, court orders, and the limited situations where a provider can deny access. Here’s how it all works.
The Patient’s Right Under Federal Law
Under 45 CFR § 164.524, individuals have a right to inspect and obtain a copy of their protected health information held in any “designated record set,” which covers medical charts, billing records, insurance records, and most other health-related files maintained by a provider or health plan. This right lasts as long as the information exists in the record set. You can also direct a provider to send your records to a third party of your choosing, such as another doctor, a lawyer, or a family member.
When a third party, like an employer, an insurer outside your health plan, or a researcher, wants your records, they generally cannot get them without your written authorization. The provider holding your records is legally prohibited from releasing them unless you sign off or one of the specific legal exceptions applies. So the default rule is clear: your authorization is the gatekeeper.
When a Provider Can Say No
Providers do have limited grounds to deny you access to your own records. Two categories of information are excluded from your right of access entirely: psychotherapy notes and information compiled in anticipation of a legal proceeding. Psychotherapy notes are narrowly defined as a therapist’s personal notes from a counseling session that are kept separate from the rest of your medical record. Your diagnosis, medications, treatment plans, and session summaries are not psychotherapy notes, and you are entitled to all of those.
Beyond those two blanket exclusions, a provider can deny access on “reviewable” grounds, meaning a licensed healthcare professional has determined that releasing the information is reasonably likely to endanger your life or physical safety, or the life or safety of another person. If you receive this type of denial, you have the right to have it reviewed by a different licensed professional, and the covered entity must honor that review.
Situations Where Someone Else Decides
Court Orders
A court order can compel a provider to release your records without your consent. The provider may only disclose the specific information described in the order, nothing more. This is different from a subpoena issued by an attorney or court clerk. A subpoena alone does not automatically override your privacy. Before a provider can respond to a non-judicial subpoena, there must be evidence of reasonable efforts to either notify you so you can object, or obtain a qualified protective order from the court limiting how the information will be used.
Treatment, Payment, and Public Health
Providers are permitted to share your health information without your authorization for a defined set of purposes. These include treatment (sharing records with another provider involved in your care), payment (sending information to your insurer for billing), and healthcare operations (quality improvement, audits). Providers can also disclose records when required by law, such as mandatory reporting of certain infectious diseases, child abuse, or neglect. If a patient makes a serious and imminent threat of harm, state laws may require or permit a provider to warn the potential target, another situation where the patient’s authorization is not needed.
These exceptions are narrowly scoped. A provider cannot use them as a blanket reason to share your full medical history. Each disclosure must be limited to the minimum information necessary for the stated purpose.
Who Decides for Minors
For children, the answer depends on state law and the specific circumstances. In most cases, a parent or legal guardian is treated as the child’s “personal representative” under HIPAA and can access the child’s records and authorize their release, just as the child would if they were an adult.
There are three exceptions where a parent loses that authority:
- The minor consented to care independently. Many states allow minors to consent to certain types of care on their own, such as reproductive health, mental health, or substance use treatment. When that applies, the parent is not the personal representative for records related to that care.
- A court directed the care. If a minor receives treatment at the direction of a court or a court-appointed guardian, the parent does not control those records.
- The parent agreed to a confidential relationship. If a parent consented to letting their child have a private relationship with a provider, the scope of that agreement determines what the parent can access.
On top of these three rules, a provider can independently decide not to treat a parent as the child’s representative if the provider reasonably believes the child has been or may be subjected to abuse, neglect, or domestic violence, or that granting the parent access could endanger the child. This is a case-by-case clinical judgment, not a blanket policy.
Who Decides After a Patient Dies
A deceased person’s health information remains protected under HIPAA for 50 years after death. During that period, the personal representative of the decedent, typically the executor or administrator of the estate, steps into the patient’s role. That person can authorize disclosures, request copies of records, and exercise all the same rights the patient had while alive. If there is no executor or administrator, whoever has authority under state law to act on behalf of the decedent or the estate fills that role.
For any disclosure not otherwise permitted by the Privacy Rule, the covered entity must obtain a written HIPAA authorization from this personal representative before releasing the records.
The Information Blocking Rule
A separate federal law, the 21st Century Cures Act, adds another layer of protection for patients requesting their own records electronically. Under this law, healthcare providers and health IT companies are prohibited from practices that interfere with the access, exchange, or use of electronic health information. If your records are available electronically, they should generally be accessible to you without unnecessary delay.
Providers can still delay electronic access for a few specific reasons: preventing harm to a patient or another person, protecting privacy, ensuring the security of the information, or because the request is genuinely infeasible to fulfill. But they cannot simply sit on a request or create unnecessary obstacles. If a provider cannot fulfill your request in the format you asked for, they are required to offer an alternative without unnecessary delay.
What This Means in Practice
For a living, competent adult, you are the ultimate decision-maker for your own medical records in nearly every scenario. Providers must give you access when you ask, and they cannot release your information to outside parties without your authorization unless a specific legal exception applies. The situations where someone else’s authority overrides yours are real but narrow: court orders, mandatory public health reporting, imminent safety threats, and a small number of other legally defined circumstances.
If you are requesting your own records and a provider refuses or delays without explanation, that may constitute a violation of HIPAA or the information blocking rule. You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights, which enforces both.