Accessing Patient Records – Do You Have Permission?

The Health Insurance Portability and Accountability Act (HIPAA) regulations can be confusing and sometimes misunderstood. There is a difference in what you are allowed to access in your role as a health care professional/employee versus what you may access in your role as a parent, family member, or neighbor.

As a health care professional and/or employee, you have access to information that you need to know to perform your job and care for your patients. In general, this means that with or without the patient’s authorization, you may do the following:

  • Discuss the patient’s care with other providers within and outside of Cooper, e.g., a Cooper physician discussing a hospital stay with the patient’s primary care physician.
  • Discuss the patient’s care with the patient’s care designee.
  • Provide a copy of the patient’s medical record to a patient’s specialist, nursing home, rehab center, etc.
  • Perform an audit, quality assurance, and performance improvement duties.
  • Code a patient’s record for payment.
  • Register a patient.

Actions such as those above are defined under HIPAA as “purposes of treatment, payment, or operations (TPO).” TPO means activities that you are performing as part of your job at Cooper or as a professional treating provider. Unless you are accessing the patient’s medical record as part of your Cooper job responsibilities, you are not accessing the record for purposes of treatment.

A HIPAA violation occurs when an employee, contractor, vendor, student, etc., (physician or otherwise) accesses the medical record of any individual that is not related to the performance of the employees job responsibilities and/or TPO unless Cooper has a signed, written authorization from the patient authorizing the employee or physician to allow access to their medical record.

The following outline summarizes acceptable and unacceptable conduct consistent with Cooper policy and HIPAA requirements and the disciplinary process that will follow unacceptable conduct. This outline applies to all employees including physicians:

Acceptable (assuming there is no malicious intent and the access falls outside of TPO):

  • Accessing your own medical record – Cooper prefers that, instead of accessing your own medical record, that you set up a myCooper account, which can be accomplished by contacting your primary care physician’s office.
  • Accessing the medical record of individuals over the age of 18, including family members, with a signed written authorization. The authorization form must be signed prior to the access, scanned into the patient’s Epic medical record prior to the access, and is good for one year.
  • Accessing the medical record of your custodial minor family member under the age of 12.


Accessing the medical record of adult family members living with you without a signed written authorization:

  • First offense – written warning and reeducation, assuming there is no malicious intent.
  • Second offense – termination.

Accessing the medical record of your own minor family member outside of payment, treatment, and operations over the age of 12*:

  • First offense – written warning and reeducation, assuming there is no malicious intent.
  • Second offense – termination.

Accessing the medical records of any patient, minor or adult, outside of TPO without a signed written authorization:

  • First offense – termination.

Cooper reserves the right to vary the discipline outlined above based on the existence of mitigating or aggravating circumstances.

These requirements and limits apply to all Cooper personnel and medical staff members. If you have questions, please call Cooper’s Privacy Officer, Phil Curran, at 856.361.1697 or email

*Under NJ law, minors are treated as adults for the purpose of consent to treatment in certain areas, including pregnancy, venereal disease, HIV, drug and alcohol dependency, and treatment in connection with a sexual assault. Since Epic does not provide a mechanism to limit access to these protected areas, the expectation is that the employee will communicate with Health Information Management (HIM) to obtain the medical record so that HIM will have the opportunity to redact any information protected by the statutory prerogatives for a minor’s consent to care.