Authorizing the Release of Your Medical Records

Medical records typically contain highly confidential and sensitive information. Your records include medical tests or exams you had, medications that you've taken, medical diagnoses, personally identifying information, and contact information.

Understandably, people usually want to keep their medical records private to prevent people from learning their medical history without their permission. Fortunately, there are laws in place to protect your privacy.

Federal Law Protects Patient Privacy

The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. The law generally bars health care professionals from sharing a patient's medical records without receiving written permission from the patient.

When you start seeing a new medical provider, the provider will ask you to sign a release form that grants permission for certain staff members to access your record. That access must occur as part of your treatment and is generally very limited. Anyone who can use those records must follow HIPAA; they can't divulge any information to anyone other than the approved care team and you (this also includes treatment for any minor children you have).

If someone else wants to access your patient records, they must also get consent from you. You will have to sign an Authorization for Release of Medical Records form to give them permission. Schools may request a medical release form for student records, for example. If you want to see a different medical professional for additional treatment, that doctor will need to request a release as well if they are outside of the already approved care team.

In some circumstances, providers may share patient medical information without your authorization. Providers can share your medical information with your health insurance company to cover the cost of your treatment. Some government agencies may also get access to patient medical records in specific circumstances of public health. The police may be able to access medical records without patient consent if it's part of an investigation, but in most cases, they will need a warrant to do so.

How to Release Information to a Third Party

If you receive a request to release your medical information to a third party, you should make sure the form correctly protects your rights before you sign. The form should state:

  • What records you are agreeing to share: The form should list what specific information is accessible, or it should indicate that all the medical information is available, if that's the case.
  • Whether this will be a one-time or ongoing occurrence: There should be a date when the authorization expires and requires renewal.
  • Who will receive the information: The agreement should include identifying information like the receiver's name, address, and telephone number.
  • How the medical information will be delivered: In most cases, your medical information should be provided by mail, encrypted email, or hand delivery rather than fax to avoid the information being seen by anyone other than the intended recipient.

Additional Medical Record Security Requirements

HIPAA violations aren't limited to intentionally released patient medical records. Health professionals and facilities must use specific security measures to protect access to that kind of information. That means if a medical practice is improperly storing patient records, you can take action against that practice if an unauthorized third party gets access to your files.

For written records, medical practices typically must keep patient records somewhere that's only accessible to approved personnel. When those approved people use the written records, they must not leave them out where unauthorized people could see them.

For Electronic Health Records (EHR), the office must use proper software, equipment, and general security practices designed to prevent unauthorized access. If a hacker is able to gain access to patients' data, the strength of those protections would determine if the office would be liable:

  • Did the facility use secure passwords on its computers?
  • Did they use encryption services when sending emails that contained sensitive details?
  • Did employee training include online security best practices?

If the facility took reasonable measures to protect data and a breach happened anyway, they may not be in violation of HIPAA. But if they were careless with how they stored information, you may be able to hold them responsible.

What Happens if a Medical Provider Violates HIPAA?

If you believe that one of your health providers inappropriately shared your medical information with a third party, then you may file a complaint with their employer or with the federal government. The U.S. Department of Health and Human Services (HHS) oversees HIPAA regulations, and the Office for Civil Rights (OCR) handles the violation complaints.

You can file a complaint by mail, email, fax, or through the OCR Complaint Portal. Additionally, your complaint must:

  • State the name of the person, business, or facility that inappropriately shared protected information
  • State a description of the violation
  • Be filed within 180 days from when you learned that the violation occurred

You'll also need to provide standard information like your name, the date, your contact information, and your signature. If you intend to mail in a written complaint, you can access the required forms online from the HHS site.

People who violate HIPAA could face fines and even jail time, as well as lawsuits for financial compensation from affected patients.

Medical records are sensitive and personal. People can face discrimination, embarrassment, or other repercussions if their information is improperly shared. As such, medical records should be closely monitored and only shared when the patient provides authorization or the circumstances fall under one of the few specific exceptions to patient-approved release.