Legal & decisions

The HIPAA gap solo agers miss: authorizing someone to get your medical information

By Shirley Chia · Last reviewed June 9, 2026

Picture the friend you'd call first if you landed in the hospital. Now picture that same friend on the phone with your doctor's office, asking what's going on, and getting told: "I'm sorry, I can't share that." That's not a rude receptionist. That's the law doing exactly what it was built to do. The privacy rule under HIPAA tells your providers to keep your health information to themselves unless you have said, in a way the law recognizes, that a specific person is allowed to hear it. For someone with a spouse or adult kids in the picture, this gap usually gets papered over informally. For a solo ager, it can leave the one person you trust standing outside a locked door.

The fix is not complicated, but it is easy to skip because most planning checklists fold it into "medical power of attorney" and move on. Information-sharing and decision-making are two different powers, and they switch on at different times. Sorting out the difference is what lets you name someone who can actually call your doctor and get a straight answer, not just someone who matters after you can no longer speak for yourself.

What HIPAA actually does, in plain terms

HIPAA is the federal health privacy law. The part that affects you most is the Privacy Rule, which sets the default to "closed": doctors, hospitals, pharmacies, labs, and health plans generally may not hand your medical information to anyone unless an exception applies or you've authorized the release. The U.S. Department of Health and Human Services, which enforces the rule, lays out your rights and the basics for patients on its HIPAA for individuals pages. The default exists for good reasons. The trouble for solo agers is that the default also locks out the people they would want included, simply because no one ever told the provider otherwise.

There are three separate ways someone other than you can be allowed into your health information, and they are not interchangeable. People mix them up constantly, including some front-desk staff. Knowing which is which is the whole game.

Three different doors: authorization, personal representative, proxy

Think of them as three doors into the same room, each one opening under different conditions.

Here is the trap. A health-care proxy is built for the day you can't speak. A HIPAA authorization is built for every other day. If you only sign a proxy, you may have left a hole exactly where a solo ager needs coverage most: the ordinary Tuesday when you're awake, alert, and stuck in a hospital bed, and you want your friend told the plan because you're too foggy on pain medication to relay it yourself.

Why a health-care proxy alone may not be enough

The phrase "I have a medical power of attorney" feels like a complete answer. Often it isn't, for one structural reason: many of these documents only give the agent authority once you are found to lack capacity. Before that line is crossed, the agent may have no standing at all. You're conscious, you're competent, and your designated agent is technically still just a friend with no special right to your chart.

That matters in ordinary situations more than dramatic ones. You're recovering from surgery and want someone to coordinate with the discharge planner. You're managing a worrying test result and want a second set of ears on the phone with the specialist. You're traveling and want a friend back home to be able to confirm a prescription with your pharmacy. None of those require anyone to make a decision for you. They require the provider to be allowed to talk to your person. That's an authorization question, not a proxy question.

Some well-drafted documents close this gap by including HIPAA-release language that applies immediately, separate from the decision-making authority that waits for incapacity. Many older or do-it-yourself forms don't. You can't tell which kind you have by the title on the front page. You have to read the information-sharing clause, or have someone qualified read it for you.

How to actually designate someone

You don't have to choose one method. The sturdiest setup for a solo ager layers a few of them, so that one missing form doesn't leave your friend stranded.

The piece everyone forgets: keep copies with each provider

A signed authorization sitting in your file folder at home is worth very little in the moment you need it. The provider has to have it, in their records, ahead of time. This is the difference between a plan that works and a plan that exists only on paper.

Make it routine. At each office you see regularly, hand over the release and ask them to scan it into your chart and add your person to the "who we may talk to" list. Ask the same of your pharmacy and your main hospital system if you have one. Keep a short list of where you've filed it, so your trusted person knows which providers already have them on record. Refresh the forms every couple of years and after any major change — a new doctor, a new health system, a move to a new state, or a falling-out with someone you'd previously named and now want removed.

One quiet detail worth getting right: tell the person you've named. An authorization that no one knows about helps nobody. Your friend should know they're listed, which providers have them on file, and roughly what you'd want them to ask or relay. A wallet card or a note in your phone listing your main providers and your designated contact closes the last gap, the one where the hospital is willing to talk but no one knows whom to call.

The solo angle: name someone who can get answers

If you have a spouse or adult child, the system tends to assume them into the conversation, rules or no rules. Staff hand them forms, talk to them in the hallway, and call them with updates. None of that happens by default when you live alone. The absence isn't dramatic; it's a series of small silences. The call that doesn't come. The discharge plan no one relays. The medication change nobody outside the building knows about.

So the goal for a solo ager is concrete and modest: at least one person, ideally two, who can phone your doctor's office and get real answers, and who is already on file before anything goes wrong. That person doesn't have to be family. It can be a close friend, a neighbor you trust, a former colleague, a member of your faith community. What makes them useful is not the relationship label but the paperwork behind it — the authorization on file, the conversation you've had, the wallet card in case you can't speak for yourself.

Pair information access with the decision-making side so the two work together. The authorization handles the everyday; the proxy handles the day you can't decide. Set them up at the same time, with the same person or a small team, and you've covered both halves of the problem instead of just the dramatic one most checklists focus on.

None of this is legal advice, and the exact forms, titles, and rules differ by state and change over time. Confirm the specifics with a licensed elder-law attorney in your state, and bring the actual documents to each appointment so the language can be checked against what you need. If you want to see how this fits with the rest of your planning, start with the guide on who can legally make decisions for you, pull together the basics in the "if something happens" file, and use the solo-aging readiness score to see where information access ranks among everything else worth handling.

This is general information, not legal or medical advice. HIPAA forms, document names, and rules vary by state and by provider and change over time, and your situation may have details a general guide can't cover. Confirm specifics with a licensed attorney or your health-care provider in your state. Aging Alone Checklist is an independent information service and is not affiliated with any government agency.