Healthcare providers often misunderstand their obligation to provide patient records in response to a request from a patient or third party.
1. Patient Requests and the “Designated Record Set.” With very limited exceptions, patients and their personal representatives generally have a right to access and/or require the disclosure of protected health information in the patient’s designated record set. (45 CFR § 164.524(a)). HIPAA defines “designated record set” as:
A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider; [or]
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(45 CFR § 164.501). As the OCR recently summarized:
The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).
(OCR, Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 (“OCR Access Guidance”), available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html, emphasis added). In a separate FAQ, the OCR explained further:
What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans?
With limited exceptions, the HIPAA Privacy Rule gives individuals the right to access, upon request, the medical and health information (protected health information or PHI) about them in one or more designated record sets maintained by or for the individuals’ health care providers and health plans (HIPAA covered entities). See 45 CFR 164.524. Designated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals. See 45 CFR 164.501. Thus, individuals have a right to access a broad array of health information about themselves, whether maintained by a covered entity or by a business associate on the covered entity’s behalf, including medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, and notes (such as clinical case notes or “SOAP” notes … but not including psychotherapy notes …), among other information generated from treating the individual or paying for the individual’s care or otherwise used to make decisions about individuals….
Individuals do not have a right to access PHI about them that is not part of a designated record set because this information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, peer review files, practitioner or provider performance evaluations, quality control records used to improve customer service, and formulary development records may be generated from and include an individual’s PHI but may not be in the covered entity’s designated record set(s) to which the individual has access….
(See OCR FAQ, available at https://www.hhs.gov/hipaa/for-professionals/faq/2042/what-personal-health-information-do-individuals/index.html).
2. Records Created by or Received from Other Providers. As the OCR’s Access Guidance affirms, the “designated record set” includes records used by the covered entity to make healthcare decisions about a patient “regardless [of] where the [record] originated (e.g., whether the covered entity, another provider, the patient, etc.).” An OCR FAQ states:
A provider might have a patient’s medical record that contains older portions of a medical record that were created by another previous provider. Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?
Answer: Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.
(Available at http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/214.html). The OCR’s more recent Access Guidance confirms that not only may the provider disclose records received from other providers, it generally must disclose such outside records that are a part of the designated record set in response to the patient’s or personal representative’s request unless one of the limited exceptions applies; failure to do so could subject the provider to HIPAA penalties.
3. Third Party Disclosures and the “Legal Health Record”. Healthcare entities sometimes get hung up on the concept of the “legal health record” when trying to determine what may or must be provided in response to patient or third-party requests for protected health information. In contrast to the designated record set, there is no uniform or regulatory definition of the “legal health record”, and its meaning depends on the user and context. Some may intend it to refer to the patient’s “formal” medical record as defined and maintained by a provider; others use it to describe the medical records that would be used in court or produced in response to a subpoena. Thus, when someone refers to the “legal health record,” a provider must determine just what is intended. More specifically, when responding to a request for records, the covered entity must confirm who is requesting the information and what they are seeking rather than imposing its own unilateral definition of the “legal health record”:
- As discussed above, if the patient or personal representative requests the patient’s records or asks that the patient’s records be sent to a third party, a provider generally must produce all requested records that are maintained in the patient’s designated record set unless one of the limited exceptions applies. (See 45 CFR § 164.524). If he or she chooses, a provider may ask or confirm with the patient or personal representative which records they actually want. For more information on responding to a patient’s request to disclose information, see our article at https://www.hollandhart.com/hipaa-releases-of-information-per-request-or-authorization.
- If a provider receives a valid HIPAA authorization from a third party seeking records, the provider may (but is not required to) produce the specific records identified in the authorization, but not others. (See 45 CFR § 164.508). If there is any question about which records are covered by the authorization, the provider should check with the patient to confirm what they want disclosed. For more information about the requirements for a valid HIPAA authorization, see our article at https://www.hollandhart.com/valid-hipaa-authorizations-a-checklist.
- If a provider receives a subpoena, order or warrant requesting records, the provider generally must produce the specific records or information identified in the subpoena, order or warrant. (See 45 CFR § 164.512(e)-(f)). Remember: the party issuing the subpoena or order may define the requested records differently than the provider. The issue is not what the provider thinks should be produced or how it unilaterally defines its own medical records; the issue is what records are requested by the subpoena, order or warrant. If the provider fails to produce the records that are requested, the provider may be subject to contempt sanctions. If the provider produces more than the records requested, the provider may be subject to HIPAA penalties. Accordingly, if there is any doubt as to the scope of records requested, the provider should contact the party issuing the subpoena to confirm what they intend, and only produce the records identified in the subpoena, order or warrant. In doing so, the provider should be careful to avoid disclosing protected health information in the discussion. For more information about the rules for responding to subpoenas, orders and warrants, see our article at: https://www.hollandhart.com/hipaa-responding-to-subpoenas-orders_and-administrative-demands.
- If a provider is required to disclose protected health information pursuant to a statute or regulation, the provider should ensure that he or she limits the scope of the disclosure to the specific information or records identified in the statute or regulation, and strictly follows the statutory or regulatory process for such disclosures. (See 45 CFR § 164.512(a)).
- If a provider is disclosing information for a purpose permitted by HIPAA without the patient’s authorization (e.g., disclosures to other providers for treatment purposes, or to a payer for payment purposes), the provider should generally comply with the minimum necessary standard, i.e., don’t disclose more than needed for the permissible purpose. (See 45 CFR § 164.514). Note that when the provider receives a request from another healthcare provider for treatment purposes, the provider may assume that the other healthcare provider needs the records requested, which may include outside records.
4. Conclusion. When responding to requests or demands for records, providers must be careful not to interpret or respond to the request based on their own unilateral concept of the “medical record”; instead, they must ensure that they produce the records described by applicable statutes, regulations, subpoenas, orders or warrants regardless of how the provider would characterize the records or, most often, who created the records.
A provider may generally decline to produce records in response to a patient’s or personal representative’s request if, e.g., the requested records: (1) are not part of the patient’s “designated record set”; (2) are psychotherapy notes as defined by HIPAA; (3) were compiled in reasonable anticipation of litigation; (4) were obtained from a third party under the promise of confidentiality and disclosure would reveal the source of the information; or (5) disclosure would result in substantial harm to the patient or others. (See 45 CFR § 164.524(a)).