by Dr. J.D. – a physician and plaintiff’s attorney, practicing in the Northeast


One of the most aggravating issues in the daily life of a medical practice is the request for records by non-physicians. Patients are vociferously certain of what they presume their rights are, third parties try to be become involved where they do not belong, and legal process hovers over many situations. Physicians and their staffs end up feeling caught in the middle. No surprise.


However, most of the anxiety is the result of misconceptions about rules that are usually easily manageable.


There are five basic rules that are the keys to avoiding both anxiety and liability:

– The doctor’s role is custodian of the records – maintaining them in good order and providing prompt access to those properly authorized.


– All information about the patient’s health is presumptively confidential. Therefore, make sure that all relevant authorizations have been provided and that only the least information that will satisfy the request is released.


– Patients have a basic right of access to their own records.


– A doctor may be reasonably compensated for providing records.


– The involvement of third parties does not change basic confidentiality issues. Doctors should not be drawn into the complexities of personal and legal issues and should instead require the involved parties to obtain and present the necessary documentation to permit records to be released.


With those in mind, let’s look at a few FAQ’s:


1. I have all my patients sign a general HIPAA release. Do I need them to sign additional authorizations when I actually release their records?


It depends.


HIPAA allows records to be released to other treating physicians without the patient executing a specific authorization. HIPAA also allows such release to certain non-physicians, such as payors and for the purpose of such activities as reviews, evaluations and business development. This is called the “TPO” (treatment, payment, healthcare operations) exception to HIPAA. As you have, most practices do have patients execute a general authorization that also covers these purposes.


Releases for other reasons, such as sending records to an attorney for use in a lawsuit or to a third party -like a family member or employer- are not covered under TPO and will require a specific written authorization.


Separate authorizations are also required for release of mental health records, records relating to substance abuse and records concerning STD’s including HIV. The law treats these sensitive situations differently. So, remember, if the patient is being treated for bipolar disorder, syphilis, and alcoholism, strip those parts of the record you sent to (properly authorized) employer looking for return to work information after patient’s back injury.

2. When a patient requests the “entire medical record” that means only my own notes, right? I should not be disclosing my communications with other doctors or facilities unless I have HIPAA releases from them that specifically cover those sources, should I?


Yes, you should. Typically, you cannot serve as the curator of the record.


In fact, you must.


When a patient or their representative requests the “entire medical record” it means the totality of the chart that you used in the patient’s care. This includes results of diagnostic testing performed elsewhere and communications with other physicians and facilities.


Doing so is not a violation of privacy rules because it is “consistent with the authorized purpose for which the information was first obtained”.


There are two caveats, however:


– You have discretion to not release records – yours or others’ – on mental health issues if you believe that doing so would be harmful to the patient


– If records – yours or others’ – covering areas such as mental health, substance abuse or STD’s are included in the chart, then authorizations covering these must be included in the request.


3. Dealing with records requests is very time-consuming for my staff so we get to them when we can. We do try to do them within 30 days of the request. Is that OK?


Possibly not.


Most states have statutory limits and some permit only 15 business days from the date of the request and are therefore shorter than the time that you are allotting. These laws carry civil penalties for non-compliance.


You therefore need to check what your state rule is and to set up an office policy to comply with it. Most importantly, sometimes these records are needed quickly to address a patrient’s needs. Don’t sit in the request.


4. When I get a records request I do not send the record until the patient has paid. Is that OK?

Yes, with exceptions.


When you receive a request for records you should send the patient a letter indicating the cost. And, when payment is received, you must then furnish the copies within the statutory time limit set in your state.


There may, however, be an exception in your state for records to be used in a disability claim that requires these to be provided free of charge.


These are, of course, situations limited to a request in a non-emergency setting. A request for records for use in emergency or acute treatment should be honored immediately and without a request for payment.


5. To avoid having my staff having to calculate individual fees for records I have always just charged a single flat fee, including a standard handling charge for postage and retrieval, when a patient wants a copy of their records. Is this OK?

No. You are probably violating your state’s law and you are definitely violating HIPAA.


HIPAA allows doctors to charge a “reasonable” cost-based fee for copying medical records. The fee schedule set by statute in the given state is taken as being presumptively reasonable.


States set per-page copying fees and these generally decrease with the length of the chart. These are often lower for patients than for law firms and other non-patient requestors.


Specialized fees will apply to records on microfilm or hard copies of imaging studies, again related to the number of copies made.


Fees can be charged for retrieval from storage and for actual postage in many states but a flat “handling charge” is prohibited under HIPAA.


In other words, the fee for a set of records should compensate the doctor for the actual cost to do the copying and send the records, and so the fee will vary with each record set.


You therefore need to obtain a listing of the relevant statute in your state and follow its guidelines on a request-by-request basis. The general principle is the more paper that is sent, the higher the allowable fee – to a point.


6. I refuse to release records to patients with outstanding balances until they pay their bill. After all, my mechanic can enforce his bill against my car. I’m correct in doing this, right?

No – quite the opposite.


You are misunderstanding an artisan’s lien. That allows someone who has done work on real or personal property but has not been paid to have an enforceable lien against the property.


It has no correlate in medical care. Your work is on the patient themselves and they are not property. The record is only a by-product of that work and you cannot enforce a lien against it.


You can sue the patient for payment of their outstanding bill but you cannot restrict their right of access to their records based on a standing debt.


Don’t hold release of records hostage to payment of outstanding medical bill.



7. When a patient changes to another practice, can I charge them for a copy of their records even though when another treating doctor requests copies of records I send them the material for free?

Usually yes.


Unless the law in your state requires the file to be transferred to the new doctor for free, you can charge the patient for records that they wish to take over to another doctor when they leave your practice.




8. To make sure that I don’t run into HIPAA problems, I insist that all patients come in in person to pick up their records after they are copied. A lot of them complain about that. Is it really necessary?




It is clearly prudent, because it ensures that the records only enter authorized hands. But, it’s probably overkill. In those situations where patients ask for their records to be mailed, faxed or sent electronically you can comply because HIPAA does permit those methods as long as you have implemented “reasonable safeguards for the security of all health information”.


In this setting, that could mean such steps as mailing records with a return receipt so that delivery is restricted to the addressee, sending faxes only when the patient is specifically there to receive them and with a cover sheet emphasizing the need for confidentiality, and using encrypted password-protected systems for e-mail and using only systems that are specifically HIPAA-compliant.


Note, however, that while you should get written permission from the patient to send the records by a particular method, having such is not a defense if your actual method of sending the records is faulty under HIPAA. That is because the patient is only authorizing you to do what the law permits. That said, if you have permission to send unsecured email, just get the patient’s written permission, reminding them that email is not a secure method of transmission. For many patients, the convenience trumps the need for security, and many give precisely such permission..


9. Instead of providing the record directly to the requesting patient, can I just send it to another practitioner they are seeing?


No, unless the patient agrees to it.


This question is generally raised by doctors who are concerned that patients only want copies of their records because they are shopping them to lawyers to begin a malpractice action. The belief is that if records are sent only to another medical office that this can be avoided.


However, patients have a right to their records for whatever purpose they choose and the physician, acting as a custodian of the records, may not deny the patient that right.


In fact, a doctor can be the subject of a HIPAA violation for refusing to release records to a patient. State law may also provide for the patient to actually sue the doctor for failing to provide the records. If the patient requests his record, it makes good sense to provide it directly to him.


10. I get requests for records on children in my practice from parents I know are no longer the custodial parents. I tell them that I cannot release the records to them without the permission of the custodial parent. This has led to some very ugly confrontations in my office. Am I correct?


It depends.


The basic rule is that the non-custodial parent often retains parental rights allowing access to the child’s records.


The mere wish of the custodial parent to block that access is generally not a sufficient reason to block it.


This right can be overridden by a court order, though.


Therefore, if your practice has children as patients and you become aware of a divorce, make sure that your office is provided with a copy of any order that restricts either parent in this regard. So, if Mom is livid that Dad, now out of the house, wants a copy of Junior’s records, have her produce the legal document proving Dad has no legal right to the access.


11. I sometimes get requests for records on adult patients from family members or others who are covering the costs of their care directly or who carry them on their insurance. They often get very demanding because they claim that they are entitled to see where their money is going. How should I handle this?


Just as you would if they were strangers to your patient.


This is not like the situation in which the third person is actually a patient representative, as in the case of a person who holds a medical power of attorney for someone who is now incompetent. In those settings, the representative can get copies of the records because they legally stand “in the shoes of the patient”.


Here, however, the patient is a fully competent adult who is simply getting their medical care costs covered by someone else. This has no effect on their rights to confidentiality.


A personal arrangement to pay for care does not bring that third party under the payment portion of the TPO exception to HIPAA. TPO applies to payors like insurers who can get access to protected health information without the patient specifically consenting to the release. Even an insurer under the the TPO exception only gets the minimum information necessary to process a claim, not the general records access that these people want.


Your patients must therefore execute HIPAA-compliant authorizations permitting their records to be released. Without such you may not release the records.


In summary: As a physician, you are charged with the proper release and confidentiality of the medical records of your patients. While it may seem a daunting task, the core principles remain: You are the custodian of the records. Those requesting records should have proper authorization. Send only the minimum amount of information to accomplish the task while respecting confidentiality. Understand the basic exceptions to the rule. Call someone knowledgeable if you are unsure.


Stay tuned for Part 2, coming soon …