Release of Medical Records Form
A valid release of medical records form is required before Protected Health Information (PHI) can be used or disclosed by a covered entity for a purpose not permitted by the HIPAA Privacy Rule. But what uses and disclosures are not permitted by the HIPAA Privacy Rule and what conditions need to be fulfilled in order for a release of medical records form to be valid?
The easiest way to explain what uses and disclosures of PHI are not permitted by the HIPAA Privacy Rule is to list the uses and disclosures that are permitted. This is because, although 45 CFR §164.508 contains the standards and implementation specifications for “uses and disclosures [of PHI] for which an authorization is required”, the section starts with the line:
“Except as otherwise permitted or required by this subchapter [the HIPAA Privacy Rule], a covered entity may not use or disclose PHI without an authorization that is valid under this section.”
Therefore, it is necessary to establish which uses and disclosures of PHI are permitted or required by the Privacy Rule in order to determine those that are not permitted. With regards to those that are required, there are only two scenarios in which a covered entity or business associate is required to disclose PHI by HIPAA:
- When an individual exercises their right under 45 CFR §164.524 to request a copy of their PHI or their right under 45 CFR §164.528 to request an accounting of disclosures, or
- When the Department of Health and Human Services’ Office for Civil Rights investigates a complaint, an alleged violation, or a data breach, or conducts a HIPAA compliance audit.
In addition to the requirements of HIPAA, many states have enacted laws that require healthcare providers to report child neglect, domestic abuse, and/or injuries attributable to gunshots. HIPAA permits these disclosures under 45 CFR §164.512 provided the disclosures to comply with state laws only consist of the minimum necessary to achieve the purpose of the disclosure.
Permitted Uses and Disclosures of Medical Records under HIPAA
Permitted uses and disclosures of medical records under HIPAA include uses and disclosures to provide healthcare, conduct treatment-related transactions (eligibility checks, treatment authorizations, claims billing, etc.), and perform health care operations – for example, training, quality assessments, business planning, and internal disciplinary actions.
Under the same standard as permits healthcare providers to report child neglect, covered entities and business associates are also permitted to disclose PHI to public health agencies or law enforcement officers to avert a serious threat to health and safety, employers to support workplace health and safety and OSHA compliance, and to medical examiners, coroners, and funeral directors.
There are a number of other permitted uses and disclosures of medical records under this standard, and also under 45 CFR §164.510 (“Uses and disclosures requiring an opportunity for the individual to agree or to object”) which permits covered entities to accept verbal consent or objection rather than a formal signed release of medical records form. Nonetheless, verbal consent should always be documented.
It is important for healthcare providers to be aware of the scenarios in which uses and disclosures of medical records are permitted under HIPAA so that the administrative burden of completing, managing, and retaining release of medical records forms is kept to a minimum. Individuals and organizations who are unsure of the permitted uses and disclosures should seek professional compliance advice.
What Should be Included in a Release of Medical Records Form?
What should be included in a release of medical records form to make it valid are the “core elements” listed in 45 CFR §164.508. These are the name of the individual authorizing the release (i.e., the patient), the name of the organization being authorized to release medical records (i.e., the covered entity), a description of what information is being disclosed, why it is being disclosed, and how long it is being disclosed for.
In order for the release of medical records form to be valid, it must also include statements to the effect that the individual has the right to revoke their authorization, that treatment or benefits are not conditional on the authorization, and that, if medical records are being released to an individual or organization not covered by the HIPAA Privacy Rule, the potential exists for the medical records to be further disclosed.
Beyond the core elements are required statements, covered entities and business associates can add further information or fields to satisfy the requirements of state laws or other federal laws related to attested uses and disclosures of PHI – for example, when SUD records are disclosed, the release of medical notes form has to advise the subject of the records they will not be further disclosed without the subject’s authorization.
Because the forms can serve many purposes, there is no one-size-fits all release of medical records form. Nonetheless, we have compiled a release of medical records form that meets the requirements of HIPAA to comply with the Privacy Rule, and provides an opportunity for the form to be customized. Individuals and organizations who are unsure of how best to customize the form to meet their compliance requirements should seek professional compliance advice.
Download Release of Medical Records Form
(Word document download)