Protecting patients’ health information is a top concern for all healthcare organizations.  One requirement is to have written policies and procedures for the release of medical records that comply with both state and federal laws. In cases where the organization is releasing information to persons NOT INVOLVED in the patient’s care and treatment, patients must provide written authorization to permit the disclosure and use of their protected health information (PHI).  In my organization, we have a tool used to provide families with a progress report during the patient’s Skilled Nursing Facility admission.  This type of sharing of PHI requires authorized consent for release of information.

Policies and procedures should guard against unauthorized or inadvertent use or disclosure of patients’ PHI. These policies and procedures should specify who is authorized to consent to the release of medical records.  The patient is, first and foremost, required to authorize release of medical information.  In the situation where the patient does not have capacity to make healthcare decisions, there should be an appointed healthcare proxy, commonly referred to as the patient-authorized representative. 

Patients or their authorized representatives must consent to the use or disclosure of PHI for purposes other than treatment, payment, or the healthcare operations of the organization, except when a disclosure is required by law.  For adults, the legal authorized representative for the patient is typically an individual who holds durable power of attorney for healthcare, this person may be referred to as DPOAH. The Durable Power of Attorney for Health Care, also called a healthcare proxy, allows an adult, while competent, to appoint persons to make health care decisions on their behalf in circumstances in which they become unable to make decisions for themselves.

Healthcare organizations must have a process to follow to ensure that information is not released to individuals without appropriate authorization.  You must ensure that release of PHI is only granted with permission from the appropriate individual. Staff should be trained to ask for verification of the identity and the authority of the individual making the request.

According to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), authorization to use or disclose PHI is not required for:

  • Treatment purposes (e.g., referral to a specialist)
  • Payment for health treatment or care
  • Healthcare operations (e.g., certain administrative, financial, legal, and quality improvement activities of a covered entity — i.e., a healthcare provider, a health plan, or a healthcare clearinghouse — that are necessary to run its business and to support the core functions of treatment and payment)
  • Certain legal circumstances, public health activities, and judicial or administrative proceedings (e.g., reporting child abuse or neglect, communicable diseases, or gunshot or knife wounds)

Covered Entities (CEs) and Business Associates (BAs) that fail to comply with Health Insurance Portability and Accountability Act (HIPAA) Rules can receive civil and criminal penalties. The Office for Civil Rights (OCR) is able to impose civil penalties for organizations that fail to comply with the HIPAA Rules. The potential civil penalties are substantial. Your good faith effort to be in compliance with the HIPAA Rules is essential. 

HealthIT.gov/Guide to Privacy and Security of Electronic Health Information                                                   
2016 MedPro Group: Guideline Medical Records Release
Health Information Privacy (US Dept of Health and Human Services)

Lisa Chadwick
Director of Safety and Risk Management