Skip main navigation
Close Drawer MenuOpen Drawer Menu
APA Publishing Logo

The American Psychiatric Association (APA) has updated its Privacy Policy and Terms of Use, including with new information specifically addressed to individuals in the European Economic Area. As described in the Privacy Policy and Terms of Use, this website utilizes cookies, including for the purpose of offering an optimal online experience and services tailored to your preferences.

Please read the entire Privacy Policy and Terms of Use. By closing this message, browsing this website, continuing the navigation, or otherwise continuing to use the APA's websites, you confirm that you understand and accept the terms of the Privacy Policy and Terms of Use, including the utilization of cookies.

×
Back to table of contents
Government & LegalFull Access

I’ve Received a Request to Release Patient Information: Now What?

Published Online:17 Aug 2023https://doi.org/10.1176/appi.pn.2023.09.9.33

Abstract

While responding to requests for patients’ medical records seems like a straightforward process, exactly how to respond depends on multiple factors.

It has become a routine part of health care to receive patient requests for medical records. Whether from patients, parents of minors, or third parties, there are circumstances to consider prior to releasing the information. When you receive the request, can you release the information? The answer depends on who and what information is requested.

Information Needed to Release Medical Records

Follow these steps prior to releasing medical information:

  • The authorization for medical information should be in writing and specify the information to be disclosed, the requestor, and the address where the records should be sent. The form must be signed and dated by the patient or the patient’s legal representative.

  • If a signed authorization is not provided, request one, including for requests directly made by patients.

  • When a third-party request is received, obtain a medical record release of information form from the patient, even if the request includes a signed authorization. Include in the discussion any limits to the release (entire record, subset, summary).

  • The signed authorization should specify that the request is for the release of mental health records and whether it should include the release of extremely sensitive information such as drug/alcohol use or HIV status.

  • The signed authorization must include the patient’s name, date of birth, dates of treatment, and other information to correctly identify the patient. It should be dated, signed, preferably witnessed, and specify the time limit for which the authorization is valid, such as one year from the date of the signature.

  • Under HIPAA, a provider is required to release requested records within 30 days; however, there are states with stricter requirements limiting the request to as few as 10 days. Check your state statutes for details on compliance.

  • In general, providers can charge for duplicate medical records, especially when requested by a third party. Check your state statute for specific limits on fees.

  • Who is the requestor? Were you retained by an attorney or the court to do a forensic or custody evaluation? In certain situations, the requestor may not be the person undergoing the evaluation. If the requestor is a third party, review the contract to determine who must consent to release the requested record or report.

What Happens If I Do Not Release the Information?

If a provider decides not to honor a request for medical records or takes longer to respond than legally allowed, the provider may be subject to significant civil and criminal fines and penalties enforced by the Department of Health and Human Services and the Office of Civil Rights under HIPAA. It is best to respond timely and appropriately to all requests.

Risk Management Tips for Handling Mental Health Records Requests

  • Confirm the identity of the patient and determine who is considered the patient, especially for forensic evaluations.

  • Obtain written consent from the patient or legal representative.

  • Confirm who the information should be released to, how to send it, and what information should be included or excluded.

  • Validate that the requestor has the legal right to the information, especially when treating couples or parents of minor patients.

  • Follow all state and federal regulations regarding the release of HIPAA-protected information.

  • Consider whether a subpoena or court order is required prior to the release of information.

  • Consult an attorney or risk management professional if you have questions prior to releasing records.■

This information is provided as a risk management resource for Allied World policyholders and should not be construed as legal or clinical advice. This material may not be reproduced or distributed without the express, written permission of Allied World Assurance Company Holdings, Ltd, a Fairfax company (“Allied World”). Risk management services are provided by or arranged through AWAC Services Company, a member company of Allied World. © 2023 Allied World Assurance Company Holdings, Ltd. All Rights Reserved.

Allison Funicelli, M.P.A., C.C.L.A., A.R.M.

Allison Funicelli, M.P.A., C.C.L.A., A.R.M., is assistant vice president in the Risk Management Group of AWAC Services Company, a member company of Allied World. Risk management services are provided as an exclusive benefit to insureds of the APA-endorsed American Professional Agency Inc. liability insurance program.