Medical Record Access Rights for People with Disabilities

Under federal law, every patient in the United States holds the legal right to access their own medical records — and that right does not diminish, transfer, or disappear because of a disability. What changes for people with disabilities is the texture of that access: whether records arrive in a usable format, whether a designated representative can act on someone's behalf, and how health systems must respond when standard access methods create barriers. These questions sit at the intersection of HIPAA, the Americans with Disabilities Act, and Section 504 of the Rehabilitation Act — three distinct legal frameworks that occasionally pull in different directions.

Definition and scope

The Health Insurance Portability and Accountability Act of 1996 — HIPAA, administered by the U.S. Department of Health and Human Services Office for Civil Rights — establishes the foundational right to inspect and receive copies of protected health information (PHI) held in a "designated record set." That includes medical and billing records, insurance enrollment information, and any records used to make decisions about an individual's care (HHS OCR, 45 CFR §164.524).

For people with disabilities, scope expands in two directions at once. First, the ADA's Title III and Section 504 of the Rehabilitation Act require covered health entities to provide effective communication — meaning records may need to be furnished in alternative formats like Braille, large print, audio files, or screen-reader-compatible electronic documents. Second, HIPAA's personal representative provisions allow another individual — a guardian, healthcare proxy, or authorized agent — to exercise record rights on behalf of someone who lacks decision-making capacity.

The 2013 HIPAA Omnibus Rule sharpened these access rights materially: covered entities must fulfill most record requests within 30 days, with a single 30-day extension permitted under defined circumstances. The rule also capped fees, prohibiting charges that exceed the "reasonable, cost-based" standard for labor, supplies, and postage (HHS Omnibus Rule, 78 Fed. Reg. 5566 (2013)).

How it works

The practical mechanics of requesting medical records follow a recognizable sequence — though for people with disabilities, each step carries additional considerations.

1. Identify the covered entity. Hospitals, physician practices, health plans, and their business associates are covered under HIPAA. Independent contractors or non-clinical service providers may fall outside HIPAA's reach.
2. Submit a written request. Most facilities use a standardized authorization form, though HIPAA does not require a specific format. Verbal requests are permissible but harder to track. An authorized personal representative may submit on the patient's behalf, accompanied by documentation of their authority (power of attorney, guardianship order, healthcare proxy designation).
3. Specify the format. Requests should state explicitly if an accessible format is needed — Braille, electronic text, audio recording, or other alternatives. Under the Americans with Disabilities Act, health providers must provide accessible formats unless doing so would constitute an undue burden, a high bar that rarely applies to record formatting.
4. Await response within the legal window. The 30-day clock starts at receipt of the request. If records are stored off-site, one 30-day extension is available — but only with written notice to the requestor.
5. Review and dispute. If a patient believes records are inaccurate or incomplete, HIPAA grants the right to request an amendment (45 CFR §164.526). The covered entity may accept or deny the amendment, but denials must be documented.

The right to restrict disclosures — such as limiting what an insurer can see — adds another layer relevant to people with psychiatric and mental health disabilities, where sensitive diagnoses can affect employment and insurance.

Common scenarios

Authorized representative access. A parent requesting records for an adult child with an intellectual or developmental disability must present legal documentation — a guardianship order or durable power of attorney. Without it, even a well-meaning family member has no HIPAA standing. Courts and state agencies vary in how they define legal capacity, so the documentation required in Ohio may differ from what California accepts.

Accessible format requests. A blind individual requesting operative notes from a hospital has the right, under both HIPAA and the ADA, to receive those records in a format they can actually use. A PDF image scan of a handwritten note is not an accessible format. The facility bears the cost of conversion in most cases — not the patient.

Electronic health record (EHR) portals. The 21st Century Cures Act (Public Law 116-255) introduced information-blocking prohibitions effective in 2021, requiring that certified EHR systems enable patient access without "information blocking" (ONC, 45 CFR Part 171). For patients with disabilities, this matters because inaccessible patient portal design — low contrast, no screen-reader compatibility — can functionally constitute information blocking, even if unintentionally.

Mental health record carve-outs. Psychotherapy notes receive distinct protection under HIPAA and are excluded from the standard right of access (45 CFR §164.524(a)(1)(i)). This distinction matters for individuals whose disability intersects with mental health treatment — they can access general mental health records but not their therapist's personal session notes.

Decision boundaries

The right of access is not absolute. HIPAA permits covered entities to deny access in specific, enumerated circumstances: when a licensed healthcare professional determines that access would likely endanger the life or physical safety of the individual or another person, or when records reference a third party who provided information under a promise of confidentiality. These exceptions are narrow and subject to review.

The comparison that clarifies the most: a denial of access is different from a delay in providing access. Denials must be written, specific, and include notice of the right to review. Delays without written notice are HIPAA violations regardless of cause.

For people navigating disability benefit denials and appeals, medical record access is frequently a prerequisite — Social Security disability determinations at the administrative level depend heavily on the completeness of the submitted medical evidence file. HHS OCR handles HIPAA complaints; the Department of Justice Civil Rights Division handles ADA complaints about inaccessible formats. Both pathways are available simultaneously if the access failure involves both a privacy violation and a disability discrimination claim.

Penalties for HIPAA violations scale with culpability, ranging from $100 per violation for unknowing violations to $50,000 per violation for willful neglect uncorrected within the compliance period, with an annual cap of $1.9 million per violation category (HHS OCR Civil Money Penalties, 45 CFR §160.404). That penalty structure exists precisely because access to one's own health information is not a courtesy — it is a defined legal entitlement, and the law treats its obstruction accordingly.