by Dr. J.D. – a physician and plaintiff’s attorney, practicing in the Northeast


In Part 1, we discussed that one of the most aggravating issues in the daily life of a medical practice is the request for records by non-physicians. To recap, patients are vociferously certain of what they presume their rights are, third parties try to be become involved where they do not belong, and legal process hovers over many situations. Physicians and their staffs end up feeling caught in the middle. No surprise.


However, most of the anxiety is the result of misconceptions about rules that are usually easily manageable.


There are five basic rules that are the keys to avoiding both anxiety and liability:

– The doctor’s role is custodian of the records – maintaining them in good order and providing prompt access to those properly authorized.


– All information about the patient’s health is presumptively confidential. Therefore, make sure that all relevant authorizations have been provided and that only the least information that will satisfy the request is released.


– Patients have a basic right of access to their own records.


– A doctor may be reasonably compensated for providing records.


– The involvement of third parties does not change basic confidentiality issues. Doctors should not be drawn into the complexities of personal and legal issues and should instead require the involved parties to obtain and present the necessary documentation to permit records to be released.


With those in mind, in part 2, let’s look at a few more FAQ’s:


12. My patient’s employer provides her healthcare coverage. He is now asking for a copy of her medical records. The employer did not provide me with an authorization from my patient, so I refused. Was I correct to do so?



HIPAA does not permit employers to access patient records on the basis of the employment relationship.


There are very limited exceptions, related to work-related illness/injury and to workplace medical surveillance where the employer needs the information to comply with its own legal requirements under regulations such as OSHA. Even in those settings, the information that can be released must be restricted to address the exact purpose and the patient must have been given written notice that it would released at the time the care was provided.


The employer is also not covered under the TPO exception, even though the employer’s insurance payor would be.


Your patient must therefore execute a HIPAA-compliant authorization permitting her records to be released to her employer and you may not release the records to the employer without this.


13. My patient died and her husband wants her records. He says that understanding her illness better will help give him closure and that it is his right as her surviving spouse. I hate to refuse a grieving man but I think that I am forbidden from releasing the records to him. Is that correct?


Yes, for now.


The confidentiality of medical records survives death and even if the now-deceased patient had waived that when she was alive, that authorization may not now be valid. Even if he was her power of attorney for medical decisions – which would have permitted him access to her records – that status would generally lapse upon her death.


You therefore need to explain that he can get the records once he is officially the representative of her estate (executor or administrator). He needs to obtain either Letters Testamentary or Letters of Administration and to provide those to your office. At that time, he will, in his capacity as the representative of the estate, be able to execute an authorization for you to give him the records.


14. My patient slipped in a store and is now suing the store. He authorized release of his medical records covering my treatment of the back injury he sustained when he fell. Now I have received a subpoena from the defense firm that demands all of my medical records on this patient and threatens me with contempt of court unless I comply. My patient says that he will sue me and will make a complaint about me to the state medical board if I do release them. I am pretty certain that I should not be releasing the records but the subpoena is really frightening. What should I do?


You should relax. This is actually a very straight-forward situation of records confidentiality and the subpoena does not alter that.


Your instinct is correct – you should not be releasing the records without an authorization from your patient at this point.


This situation invokes not just basic confidentiality but doctor-patient privilege, under which a patient can bar a doctor from disclosing confidential medical facts in the course of a legal proceeding. Breaching those can leave you vulnerable to disciplinary action by your state medical board and a possible lawsuit from your patient.


You will also be in violation of HIPAA if you release the records now. While the Privacy Rule permits the release of medical records in response to a subpoena, it also requires you getting reasonable proof that the patient was notified and offered a chance to oppose the release. In this case your patient has already objected – quite vociferously in fact – and may be proceeding in court to block the release.


Do not be intimidated by the admonitions in the subpoena about “civil penalties” and “contempt of court.” No matter how official it appears, that subpoena is actually just an attorney’s request for documents. It may be signed and issued by the attorney as an “officer of the court” but, unless otherwise indicated, it has actually not been issued, reviewed, or approved by a judge, and therefore does not have the authority of a court order.


In other words, the police are not going to come and haul you away if you refuse to comply.


What will actually happen is that the defense attorney will petition the judge to issue an order that compels you to produce the records. That you only released the records in compliance with a court order will bar your patient from being able to retaliate against you. So, a court order is different than an attorney-authored subpoena.


It should, however, be noted that if the demand encompasses records covering matters such as mental health issues, substance abuse or HIV status, which have additional levels of protection, you need to be extra certain that these details have been specifically addressed in the scope of the court order. Only then should you release those records.


Meanwhile, your patient’s attorney can move to quash the subpoena altogether on the basis that it seeks records that are unrelated to the current injury. If your patient is successful in that, the entire matter will end.


However, none of that is your issue to deal with. Let the parties in the case hash things out.


In the meantime, however, do not just ignore the subpoena since even though it lacks the force of a court order it is still a legitimate records request. Instead, respond that you are unable to comply under the current circumstances but will do so upon receipt of either an authorization from the patient or a court order.


15. My patient is charged with assault. His defense is that he is not physically capable of the crime. The DA now wants my patient’s medical records. My patient refuses to authorize this and has told me that I am bound by privilege to not release the records. What should I do?


Your patient is correct that he holds the privilege in this matter and that it applies since this is for use in a trial.


However, his privilege is not absolute and it can be over-ridden by the court.


The issue that concerns you is therefore whether such overriding has, in fact, occurred sufficiently to permit release under both HIPAA and the law that may apply in your state.


As a basic rule HIPAA permits – but does not compel – release of medical records to law enforcement under a proper subpoena or court order. Therefore, just a call or a letter from the DA is not enough but a subpoena will probably be sufficient and a court order will be sufficient.


However, the patient has to have had the chance to prevent the disclosure of their records. Just because a hearing was held does not mean that your patient – who may be in jail – even knew about it. Therefore, it is also the DA’s responsibility under HIPAA to provide you with proof that your patient was afforded that chance before you agree to release any records.


This leaves only the problem of whether your state law or a public health law, such as those that govern issues like mental health and HIV status if there are such elements in your patient’s records, imposes more stringent requirements than HIPAA does in this case.


In this regard, it is wise to bear in mind the cautionary tale of the Cleveland Clinic. It released medical records in response to a grand jury subpoena, which is permissible under HIPAA, and was then sued by the patient/defendant for having done so. The court refused to dismiss that case, noting that while federal law can pre-empt more lax standards at the state level that in this case HIPAA did not pre-empt Ohio’s more stringent state statute, which did not have an exception for grand juries.


Therefore, if you receive a subpoena for records from the DA that is not accompanied by a judge’s order, or that seems to overreach state or public health regulations, you should either contact your state medical board or an attorney who is experienced in confidentiality compliance to get advice on how to proceed. (I personally recommend starting with the former, both because it is free and because you are permitted to rely on the advice of the body that specifically regulates the conduct of medical practitioners in your state, making it a more effective shield against retaliatory conduct than the advice of a privately-hired attorney.)


Finally, if the patient is relying upon his medical condition as a defense, that defense will fail without corroborating medical information. So, in this case, the patient should first consider changing his legal strategy about whether he was strong enough to even commit an assault.


16. I am going through the investigation stage of a disciplinary proceeding by my state medical board. They have requested several patient charts. I am sure that I will prevail at the hearing because the requested records do not support the allegations at all, and I am anxious to comply, but my patients are refusing to let me release their records. What should I do?


You should release the records to the board.


Patients are generally held to have no veto power over demands for records issued by state medical regulatory authorities.


In fact, if you do not release them you can face far worse sanctions for failing to cooperate with the board.


Consider the actual case of a doctor who was being investigated for her use of a very questionable method of diagnosis. She asserted that her patients refused to have their charts released to facilitate that investigation. Her license was eventually revoked. That revocation was upheld because the court noted that “The public interest in facilitating a medical board’s investigation of alleged physician misconduct outweighs the interests to be served by invocation of the physician-patient privilege.”


In the situation in which a physician truly believes that he or she is being asked for records by the Board inappropriately, he or she may be able to move to quash the request. Usually, standing to assert the patient’s privacy rights belongs to the patient but the state statute governing board disclosures may grant that right to the physician as well.


However, a Board request for records should never simply be ignored or merely responded to by a personal assertion of the belief that it is improper.



17. I am retiring and closing my practice. Many of my patients are asking to pick up their original records. I would certainly prefer to do so because it will be less that I have to store. Can I release the originals to them?




You need to keep the originals for two reasons:


– Your state will require it for a specified period which may also be longer for patients who are still minors.


The only exceptions to this would be (a) if you were part of a group or working for a corporation and that entity will be maintaining the files; or (b) if you are selling your practice and the new physician would be maintaining the files.


– After you retire you could still be sued for malpractice or your billing may still be questioned by a payor.


You will want and need the originals of the records to appropriately defend yourself in such a case.


In this regard, bear in mind that the statute of limitations for medical malpractice may be extended for patients who are currently minors, so you will want to keep those charts until they have “aged-out” with regard to a malpractice claim even if that is longer than the standard period your state requires for holding the charts of minors.


Your obligation at this point is to make sure that your soon-to-be-former patients and their new physicians have access to the contents of the records. Copies will accomplish that.


In summary: As a physician, you are charged with the proper release and confidentiality of the medical records of your patients. While it may seem a daunting task, the core principles remain: You are the custodian of the records. Those requesting records should have proper authorization. Send only the minimum amount of information to accomplish the task while respecting confidentiality. Understand the basic exceptions to the rule. Call someone knowledgeable if you are unsure.