Guidelines for the release of medical records

By Brian Dittmar and Laura Hale Brockway

By simply possessing patient health records, a physician may be pulled into a legal process at any time. Patients, their families, or attorneys may request medical records for any number of reasons. Often, those reasons include legal proceedings against other persons, entities, or even against the physician from whom they make the records request.

Therefore, it is imperative to have a system in place that allows the release of complete, legible, and organized records from your medical office. It is also important that the person in your office responsible for gathering and producing copies of the records complies with state and federal laws regarding the release of confidential information.

Here are some guidelines regarding the release of medical records.

1. You have a deadline of 15 days to provide the medical records upon receipt of the request and any agreed upon fees. This deadline also applies to you if you deny the request. You have a deadline of 15 days to provide a written, signed, and dated statement detailing the reason for the denial and providing instructions to the requestor on how to file a complaint with the federal Department of Health and Human Services (if the physician is subject to HIPAA) and the Texas Medical Board. A copy of the denial statement should be placed in the patient’s medical and/or billing records. (1)

2. Requests for medical records can come directly from patients, who may be requesting records for their own use. The request should clearly be signed by the patient.

3. Requests for medical records can come from a family member of the patient. If the patient is a minor, you may release records to a custodial parent as long as the request is accompanied by an authorization signed by the custodial parent. You can reasonably rely on a parent’s representation that they have custodial rights.

If the patient has died or been legally declared incompetent, the request must be accompanied by a medical authorization signed by the authorized executor of the patient’s estate or the patient’s appointed legal guardian. The request should also be accompanied by documentation confirming that the requestor has been designated as the authorized executor of the patient’s estate or legal guardian.

Exception — Records requested in the context of a health care liability claim being asserted under Chapter 74 may be released, if accompanied by a medical authorization signed by a parent, spouse, or adult child of the deceased or incompetent person. (2)

4. Requests for medical records may come from an attorney, insurance company, or anyone else for reasons not related to litigation. The request must be accompanied by a medical authorization signed by the patient,

Or

In the context of a health care liability claim being asserted under Chapter 74 on behalf of a deceased patient or a patient who has been judicially determined to be incompetent, records may be released if accompanied by a medical authorization signed by a parent, spouse, or adult child of the deceased or incompetent person. (2)

5. Requests may come in the form of a subpoena. (There are four possible responses when a subpoena is received.)

The subpoena must be accompanied by a medical authorization signed by the patient. These subpoenas are generally issued by an attorney’s office. Ask for an authorization in most cases. (Except for a criminal proceeding. If the subpoena is signed by the district clerk and is regarding a criminal proceeding, there is no need for a signed HIPAA Authorization or Qualified Protective Order.)
The subpoena must be accompanied by a court order signed by a judge, including administrative law judges. Rarely does a judge sign a civil subpoena. Instead, the subpoena is typically issued by a court reporter or attorney, although the language makes it sound like some judicial authority is requiring compliance. Look for a signature (sometimes stamped) of a person identified as a judge.
The subpoena must be accompanied by a qualified protective order. In some instances, a subpoena may be accompanied by a protective order — a document indicating the parties to the lawsuit have agreed to an order and presented it to a judge for signature. The protective order must state that the protected health information (PHI) can only be used for the current proceeding; shared with no one else; and returned or destroyed (including all copies) at the close of the litigation.
The subpoena must be accompanied by documentation that confirms satisfaction of “notice to the patient” requirements. These subpoenas are generally received from a court reporter or a medical records service and have no authorization or protective order attached. The subpoena must be accompanied by either:

Proof of service — Look for a certificate of service indicating that the patient was served with a copy of the subpoena and that the reasonable time to object has expired. HIPAA does not define a “reasonable time” nor does the Texas Rules of Civil Procedure. As a rule of thumb, if 10 days have gone by since the date of service, that should be sufficient. If not, and compliance is required, the physician may call the attorney asking for the records and explain why more time is needed.

Or
Declaration — Look for a written document from the requesting party stating that reasonable efforts have been made to notify the individual who is the subject of the PHI. The document must establish:

the requesting party has made a good faith attempt to provide written notice or mailed the notice to the last known address;
the notice must include sufficient information about the litigation to permit the individual to raise an objection;
the time for raising objections has elapsed (again, Texas has no definite time frame for objecting, so 10 days is likely sufficient); and
proof that no objections were filed.

If this is the requestor’s basis for obtaining the record, the physician needs to retain an attorney to review it.

6. Pursuant to HIPAA regulations, if your medical record contains any notes forwarded to you by a mental health care professional you cannot re-disclose that information, even under subpoena. HIPAA defines mental health care professionals as psychiatrists, psychologists, and Licensed Professional Counselors.

When in doubt about how to appropriately release medical records, please contact the TMLT claim department at 800-580-8658.

Additional resources

Please see the Texas Medical Association white paper Medical Records Release

(June 2010) for more information. Available at https://www.texmed.org/Medical_Records/ (TMA Log-in required.)

Sources

Texas Medical Board Rules. Texas Administrative Code, Title 22, Part 9, Chapter 165.2, Medical Record Release and Charges. Available at https://texreg.sos.state.tx.us/public/readtac$ext.TacPage?sl=R&app=9&p_dir=&p_rloc=&p_tloc=&p_ploc=&pg=1&p_tac=&ti=22&pt=9&ch=165&rl=2 Accessed on March 30, 2023.
For the purposes of this section, and notwithstanding Chapter 159, Occupations Code, or any other law, a request for the medical records of a deceased person or a person who is incompetent shall be deemed to be valid if accompanied by an authorization in the form required by Section 74.052 signed by a parent, spouse, or adult child of the deceased or incompetent person. Civil Practice and Remedies Code. Title 4, Chapter 74, Subchapter A, Section 74.051-52. Available at https://statutes.capitol.texas.gov/Docs/CP/htm/CP.74.htm. Accessed March 30, 2023.

This article is published by Texas Medical Liability Trust as an information and educational service to TMLT policyholders. The information and opinions in this publication should not be used or referred to as primary legal sources or construed as establishing medical standards of care for the purposes of litigation, including expert testimony. The information presented should be used as a resource, selected and adapted with the advice of your attorney. It is distributed with the understanding that neither Texas Medical Liability Trust nor its affiliates are engaged in rendering legal services.