There is a common misunderstanding that healthcare providers may not or should not produce medical records that were created by another healthcare provider.
Under HIPAA, patients have a right to access all records that a provider maintains in a designated record set, i.e., documents the provider uses to make decisions about a patient’s healthcare or payment for healthcare. (45 CFR 164.524). This would generally include records the provider obtains or receives from other providers relating to the patient’s care. Thus, providers generally must produce such records in response to the patient’s request; failure to do so would violate HIPAA. The OCR published the following FAQ relevant to this issue:
A provider might have a patient's medical record that contains older portions of a medical record that were created by another previous provider. Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?
Answer: Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.
(Available at http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/214.html). More recently, the OCR stated:
The Privacy Rule generally requires HIPAA covered entities … to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity … regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).
(OCR, Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html).
Similarly, if a provider receives a court order, warrant or subpoena that is broad enough to include records created by others or if there is another law that requires disclosure of the records, the provider should either produce the requested records or confirm that the request does not include them; otherwise, the provider runs the risk of contempt sanctions or other penalties. For example, if a subpoena or order requires a physician to produce “all records in your possession concerning the patient,” the provider should produce all such records, including records created by others, unless the provider obtains the prior agreement from the party issuing the subpoena or order. (Be careful about inadvertently or impermissibly disclosing additional information during those discussions).
If a provider receives a request from a third party or other authorization that permits, but does not require, production of the records, then the provider may generally decide what to produce; however, the provider may want to make sure that he or she does not misrepresent the scope of the documents provided.
For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: firstname.lastname@example.org, phone: 208-383-3913
This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.