HIPAA Q&A: Family member’s record


Q. What does HIPAA require with respect to employees of a covered entity (CE) viewing their own or a family member’s medical record?

A. With respect to HIPAA, treat employees as you would any other patient. Most CEs require that their employees request to view or receive a copy of their medical records as would any other patient. CEs generally don’t allow employees to view their medical records directly or randomly. Employees have the same privacy rights as other patients—they may view, inspect, or request a copy of their medical records.

Employees who wish to access a spouse’s, adult child’s, or, in some cases (depending on state law), minor child’s medical records must first obtain authorization from the specific family member.

Employees may not access family members’ medical records without permission unless it is for treatment, payment, or healthcare operations and is directly related to the employee’s responsibilities at work. Effective February 2010, doing so is a criminal act, pursuant to HIPAA and the HITECH Act.

Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters. Apgar is president of Apgar & Associates, LLC, in Portland, OR. He has more than 17 years of experience in IT and specializes in security compliance, assessments, training, and strategic planning.

