Who Can Access Your Medical Records?

Your private health information can be accessed by your healthcare provider as well as the people you allow to have access. For example, you may give permission for your family members to have access to your medical records.

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) makes rules about who is allowed to see patients' medical records. However, there can be some exceptions to HIPAA rights. You might be surprised to learn that other people and organizations can see your medical records without your permission.

This article will go over how medical record privacy works. Although the list is not complete, it covers some common examples of who can access your records. You will also find out why they want your information and what they can use it for.


Who Can Access Patient Medical Records?

Dozens of people and organizations are legally allowed to see your medical records. They can make a request or purchase access to them.

In some cases, you need to give them permission to access your record. However, your permission is not always required. Sometimes, you've given permission for someone to access your record without realizing it—for example, by signing a consent form.

While there are safeguards in place to try to prevent data breaches, individuals or groups can sometimes access medical records illegally.

According to the U.S. Department of Health and Human Services, there were at least 5,887 large healthcare data breaches (those affecting 500 or more individuals, which must be reported to HHS) between 2009 and 2023. Most of the breaches reported in 2023 were hacking and ransomware incidents, which increased considerably that year.

Types of Medical Record Access

There are two general types of medical records that are shared or purchased: individually identifiable records, which hold one patient's information together with details that point to that person (such as a name, date of birth, or medical record number), and aggregated records, which combine data from many patients.

Aggregated records are typically produced by data mining. For example, a hospital may decide to mine the records of all of its patients who have had heart bypass surgery.

The resulting aggregated record could cover hundreds of patients. They are grouped by different factors, such as the type of insurance they have or which healthcare providers treated them.

HIPAA and Access to Medical Records

Certain organizations are classified as covered entities under HIPAA. This means they may use and disclose your medical records, but only under the specific conditions the regulations lay out.

Covered entities include health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically (for example, when billing insurance).

As covered entities, they have very strict rules they must follow. One of the most important rules states when they must have your written authorization to share your records. However, covered entities are not required to obtain your written authorization to share your records for treatment, payment, or healthcare operations.

Here are the other rules laid out by HIPAA:

How HIPAA Protects Personal Medical Information

HIPAA governs how and with whom your personal medical information can be shared.

Under HIPAA, you have a legal right to get copies of your medical records. You also have the right to share your documents with anyone you choose as long as you sign a consent or release form.

HIPAA also lets payers see your medical records. Insurance companies, Medicare, Medicaid, workers' compensation, disability programs, the Department of Veterans Affairs (VA), or any institution that pays for part of your healthcare can ask for your records.

Life insurance companies and prescription databases can also access your records. Even the government can view your medical records in some circumstances.

Who Is Not Covered Under HIPAA?

Employers are not covered entities under HIPAA. Even if your employer pays for your insurance or pays for your medical care directly, your providers and health plan may not release your medical records or insurance claims to your employer without your authorization, because that access could lead to discrimination.

Exceptions to HIPAA

There are a few exceptions to HIPAA that can vary by state, such as when a parent would like to access a minor's medical records. Instances where a minor's medical records can be withheld from parents include:

Illegal Disclosure

In some cases, unauthorized access to medical records is intentional and criminal. In other cases, the disclosure is the result of someone's carelessness—even yours.

Sharing protected health information in ways HIPAA does not permit is illegal. However, HIPAA itself does not let individuals sue for monetary compensation after a data breach.

If you believe your health information was shared illegally, you can file a complaint with the U.S. Department of Health and Human Services.

Hackers

You often hear about hackers who have illegally gained access to thousands of private records, whether they are health records, credit card records, or other sources of information.

Medical information is a prime target for hackers because thieves make a lot of money from medical identity theft.

Typically, though, hackers are not looking for a specific individual's records. Instead, they want as many individually identifiable (not aggregated) records as they can get.

Targeted Illegal Access

Another illegal form of access involves an individual patient's records.

For example, a business might pay someone to get a potential employee's medical record. In another situation, a spouse might look for the records of a person they're divorcing. Sometimes, celebrities' medical records are stolen.

Accidental Leaks

There are other ways that your private medical information might unintentionally become public.

For example, if your doctor's office leases a copy machine, the machine's internal storage may hold images of thousands of copied pages of medical records. When the lease ends and the machine goes back to the leasing company, those stored images can go with it unless the storage is wiped first.

The same thing can happen when a computer hard drive fails. You might assume that if the computer isn't working, the records on it can't be accessed.

However, a drive that no longer works in a computer can often still be read with other tools. Unless the drive is securely wiped or physically destroyed, someone can still get the data that's on it.

When You Sign Away Your Privacy

You often give entities permission to access your records without even knowing it. Here are a few common examples that you might not have thought of before:

Aggregated Records

Medical records in an aggregated form are used for many different reasons. Once the information has been de-identified (meaning that no individual patient can be identified), it is no longer considered protected health information under HIPAA, and organizations may aggregate it and then share or sell it.
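The heart-bypass data-mining example earlier on this page and the de-identification rule just stated describe the same pipeline from two ends. The added example below (written for this page, not code from the article) carries it through: it starts from constructed, individually identifiable records, strips direct identifiers, generalizes the quasi-identifiers (date of birth becomes a 10-year age band, a 5-digit ZIP becomes its first three digits), and then counts bypass patients by insurer and surgeon. It also adds the check a practitioner wants: groups smaller than a threshold are suppressed, because a cell of one or two patients remains easy to re-identify even without a name. The field names, the fixed reference date, and the identifier handling are assumptions; they are a simplified model of HIPAA's Safe Harbor approach, not its full 18-identifier list.

```python
"""Added example, not code from the article: turning individually identifiable
records into an aggregated, de-identified summary with small-cell suppression.
All patients below are fictional and the record layout is constructed; the
identifier list and the age/ZIP generalization are a simplified model of the
Safe Harbor rules (assumption), not a complete implementation of them."""
from collections import Counter
from datetime import date

REFERENCE_DATE = date(2024, 1, 1)          # assumption: fixed so ages are reproducible
DIRECT_IDENTIFIERS = {"name", "mrn", "phone", "email", "ssn"}   # dropped outright


def _rec(name, mrn, dob, zip_code, procedure, insurer, surgeon):
    """Build one constructed identifiable record (a single patient's chart line)."""
    return {"name": name, "mrn": mrn, "dob": dob, "zip": zip_code,
            "procedure": procedure, "insurer": insurer, "surgeon": surgeon}


# Constructed sample of a hospital's own identifiable data.
IDENTIFIABLE_RECORDS = [
    _rec("Patient 01", "000101", "1961-04-02", "02139", "CABG", "Medicare", "Surgeon A"),
    _rec("Patient 02", "000102", "1955-11-20", "02140", "CABG", "Medicare", "Surgeon A"),
    _rec("Patient 03", "000103", "1949-07-14", "02141", "CABG", "Medicare", "Surgeon A"),
    _rec("Patient 04", "000104", "1958-01-30", "02139", "CABG", "Medicare", "Surgeon A"),
    _rec("Patient 05", "000105", "1952-09-09", "02142", "CABG", "Medicare", "Surgeon A"),
    _rec("Patient 06", "000106", "1930-03-03", "02139", "CABG", "Medicare", "Surgeon A"),
    _rec("Patient 07", "000107", "1957-05-05", "02143", "CABG", "Medicare", "Surgeon B"),
    _rec("Patient 08", "000108", "1954-06-06", "02144", "CABG", "Medicare", "Surgeon B"),
    _rec("Patient 09", "000109", "1950-08-08", "02139", "CABG", "Medicare", "Surgeon B"),
    _rec("Patient 10", "000110", "1970-10-10", "02145", "CABG", "Private", "Surgeon A"),
    _rec("Patient 11", "000111", "1968-12-12", "02139", "CABG", "Private", "Surgeon A"),
    _rec("Patient 12", "000112", "1975-02-02", "02146", "CABG", "Medicaid", "Surgeon B"),
    _rec("Patient 13", "000113", "1962-04-04", "02139", "Hip replacement", "Private", "Surgeon C"),
    _rec("Patient 14", "000114", "1948-05-05", "02147", "Hip replacement", "Medicare", "Surgeon C"),
]


def age_band(dob_iso, today=REFERENCE_DATE):
    """Replace an exact birth date with a 10-year band.  Ages of 90 and over are
    collapsed into one band because such ages are rare enough to single someone out."""
    y, m, d = (int(p) for p in dob_iso.split("-"))
    age = today.year - y - ((today.month, today.day) < (m, d))
    if age >= 90:
        return "90+"
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def deidentify(record):
    """Return a copy with direct identifiers removed and quasi-identifiers
    generalized (DOB -> age band, 5-digit ZIP -> first three digits)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["age_band"] = age_band(out.pop("dob"))
    out["zip3"] = out.pop("zip")[:3]
    return out


def aggregate(records, procedure, group_by=("insurer", "surgeon"), min_cell=5):
    """Count de-identified patients who had `procedure`, grouped by `group_by`.
    Cells with fewer than `min_cell` patients are suppressed: a cell holding one
    Medicaid patient of a named surgeon is trivially re-identifiable by anyone who
    knows that much about a person, even though no name or MRN survives."""
    cells = Counter()
    total = 0
    for rec in map(deidentify, records):
        if rec["procedure"] != procedure:
            continue
        total += 1
        cells[tuple(rec[f] for f in group_by)] += 1
    published = {k: n for k, n in cells.items() if n >= min_cell}
    suppressed = {k: n for k, n in cells.items() if n < min_cell}
    return {
        "procedure": procedure,
        "total_patients": total,
        "cells": published,
        "suppressed_cells": len(suppressed),
        "suppressed_patients": sum(suppressed.values()),
    }


if __name__ == "__main__":
    print(deidentify(IDENTIFIABLE_RECORDS[5]))
    print(aggregate(IDENTIFIABLE_RECORDS, "CABG"))
```

With these constructed records, only the Medicare/Surgeon A group (six patients) is published; the three smaller groups, six patients in all, are withheld. Lowering `min_cell` to 1 would publish a row reading "Medicaid, Surgeon B: 1", which is the kind of "de-identified" output that still names a person to anyone who knows them.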

Research

Aggregated data is often used in research. The studies using the data may help patients in the future.

Selling Data

Sometimes, hospitals and other covered entities will sell aggregated data.

For example, a hospital could sell its data on 1,000 patients who had back surgery to a company that sells wheelchairs.

In another example, a pharmacy could sell its data on 5,000 customers who filled cholesterol drug prescriptions to the local heart center.

Aggregated data can also be used for marketing purposes. It is a large source of revenue for many organizations that work with patients.

Outreach and Fundraising

Nonprofit and charitable organizations can use aggregated data to help them do outreach for fundraising.

Local organizations can team with hospitals or other facilities that aggregate patient data. State, national, or international organizations find other ways to access the data.

If you take an interest in an organization's cause, you might end up on its fundraising lists. That organization may then include you when it aggregates and sells its own data to another organization that wants to reach people interested in the cause.

Summary

In the U.S., there are laws that control who can see your health information. There are also rules about how that information can be used. One of your rights as a patient is the ability to access your medical record. You can also give other people, like providers, family members, and insurance companies, permission to see your records.

While your medical records are protected and private, they can be legally accessed by more people or groups than you might realize. For example, law enforcement or agencies that handle workplace injuries can ask to see your records. Sometimes your permission is needed, but not always.

It's also possible for medical records to be accessed illegally, such as when hackers breach a healthcare system.

In some cases, data from thousands of patients are put together. When this is done, no one patient is easy to identify. This aggregated data is "de-identified." This type of data can be used for many things, like marketing and research.


  1. The HIPAA Journal. Healthcare data breach statistics.
  2. U.S. Department of Health & Human Services. Summary of the HIPAA Privacy Rule.
  3. Centers for Disease Control and Prevention. Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  4. U.S. Department of Health and Human Services. Does the HIPAA Privacy Rule allow parents the right to see their children's medical records?

By Trisha Torrey
Trisha Torrey is a patient empowerment and advocacy consultant. She has written several books about patient advocacy and how to best navigate the healthcare system.


Ⓒ 2024 Dotdash Media, Inc. — All rights reserved Verywell Health is part of the Dotdash Meredith publishing family.
